Just in:
Paymentology and T2P partner to accelerate the future of card issuing in Thailand // BlackRock Bitcoin fund assets approach $48 billion // DITP Launches THAI SELECT Festival 2026 in New York to Strengthen U.S. Market Opportunities for Thailand’s Food Industry // Xsolla and Management and Science University (MSU) Sign Memorandum of Understanding (MOU) to Connect Future Game Developers With Global Commercial Opportunities // Louis Vuitton Celebrates 130 Years of the Monogram // Rival cyber spies penetrate Pakistan police networks // Central & Western District Youth-to-Career Explo Connects Hong Kong Youth to Future Careers in AI Era // A SIM Guide to Comparing Graduate Salaries and Employability in Singapore // Trump scraps Hormuz levy but tightens Iran blockade // Fynd brings AI fashion platform to Gulf // Launch ceremony of third edition of Hong Kong Fashion Fest Held on July 9 // EU prosecutors examine subsidies linked to Babiš // De Beers halts Venetia output amid diamond slump // Rhenus to Further Strengthen Warehousing Solutions in the Philippines // Iran widens energy threat as Hormuz battle escalates // Guardian Fire expands Midwest reach with Nebraska deal // Revolut clears first hurdle for Dubai crypto launch // Dealing.com claims record for tokenised stock access // “Achievements of National Aerospace Endeavours” Thematic Exhibition Makes First Stop at Hong Kong Science Park // CyCraft Named a Sample Provider in the Gartner® Latest AI Reasoning Models Report—The Only Taiwan-Based Cybersecurity Provider Listed //

Ransomware rivals expose their own playbook

Rival ransomware crews 0APT and KryBit have disrupted each other’s operations after leaking internal data, exposing an unusual cybercriminal feud that has given defenders a rare view into the infrastructure, tactics and credibility gaps behind emerging extortion groups.

The confrontation began on 13 April 2026, when 0APT listed KryBit, Everest and RansomHouse as victims on its leak site. KryBit responded a day later by breaching 0APT’s infrastructure, defacing its leak site and publishing operational files that undermined 0APT’s own claims. The exchange has left both 0APT and KryBit facing the need to rebuild systems, rotate exposed components and repair reputational damage inside the underground ransomware market.

ADVERTISEMENT

The episode is significant because ransomware groups normally rely on secrecy, affiliate trust and proof of successful compromises to recruit partners and pressure victims. This dispute reversed that model. Instead of targeting companies alone, one ransomware operator attempted to extort another, only to have its own systems exposed in return.

0APT first appeared in late January 2026, claiming more than 190 victims within a week. The scale of those claims drew attention but also scepticism because verifiable evidence of compromise was weak. Technical analysis later showed that 0APT did possess functioning encryptors for Windows and Linux, meaning it could not be dismissed entirely as theatre. Yet KryBit’s leaked access logs and system files indicated that the claimed victims had been fabricated and that no data had been exfiltrated from the organisations listed in January.

KryBit emerged in late March 2026 as a ransomware-as-a-service operation with builders for Windows, Linux, ESXi and network-attached storage devices. Its affiliate model allowed partners to keep 80 per cent of ransom payments while the operator retained 20 per cent. Within its first two weeks, KryBit had posted 10 victims that appeared more credible than 0APT’s earlier claims.

The data exposed by 0APT from KryBit’s administrator panel showed a compact but functional operation. It included records tied to two administrators, five affiliates and 20 potential victims. Victim data volumes ranged from 10GB to 250GB, while ransom demands fell between $40,000 and $100,000. Five Bitcoin wallets were identified, though no transactions or paid-status entries were found at the time of the leak, suggesting KryBit had yet to record confirmed ransom proceeds through those wallets.

KryBit’s response was sharper and more damaging. It gained access to 0APT’s systems, exfiltrated operational files and left a defacement message on the rival leak site. The exposed material included access logs, PHP source code and system files. One of the more striking details was that 0APT’s leak-site infrastructure appeared to be operated through AnLinux-Parrot OS with content pushed from an Android phone’s internal SD card, a sign of limited operational maturity.

ADVERTISEMENT

The dispute also touched older ransomware brands. 0APT claimed to have leaked data connected to Everest and RansomHouse, but the evidence was uneven. The Everest material consisted of a SQL database containing publication and user records from January to September 2025, with critical fields encoded or hashed rather than exposed in plaintext. RansomHouse was mentioned in the same listing, but no RansomHouse data was included, reducing the likely impact on that group.

Cybersecurity specialists view the clash as part of a wider pattern of fragmentation inside the ransomware economy. Ransomware-as-a-service groups depend on affiliates, initial access brokers, negotiators, payment infrastructure and leak sites. Competition for affiliates and credibility can be intense, especially for newer crews trying to establish themselves beside established names. When claims of successful attacks are inflated, groups may resort to publicity stunts to attract recruits.

The exposed data carries defensive value. Negotiation records, affiliate handles, cryptocurrency wallets, infrastructure paths and access logs can help security teams understand how groups organise attacks, manage victims and stage stolen data. Even when operators rebuild, their habits often persist. Affiliates may move to other services, but preferred tooling, negotiation styles, targeting choices and operational mistakes can remain detectable.

For companies, the feud reinforces the need to treat leak-site claims carefully. 0APT’s case shows that not every public victim listing reflects a genuine breach. At the same time, dismissing new ransomware brands outright can be dangerous when functional encryptors and working panels exist. KryBit’s exposed activity points to a more conventional threat pattern involving data theft, encryption capability and affiliate-led targeting across sectors.

The practical lessons remain familiar but urgent. Organisations need monitoring for unusual data staging, large archive creation and outbound transfers before encryption begins. Backup systems should be isolated, regularly tested and protected from deletion or encryption. Incident responders should preserve firewall logs, endpoint telemetry and network records, particularly when ransomware activity appears linked to groups whose infrastructure has been exposed.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.


ADVERTISEMENT
Social Media Auto Publish Powered By : XYZScripts.com
Just in:
Enshi Suobuya Stone Forest in China Launches Rich Cultural Experiences to Welcome Southeast Asian Tourists // Dubai weighs turning organic waste into aviation fuel // TrendAI™ Named a Champion for the Fourth Consecutive Year in Omdia’s Global Cybersecurity Platform Ecosystems Leadership Matrix 2026 // A SIM Guide to Comparing Graduate Salaries and Employability in Singapore // Alessio Vinassa: ‘Generative AI Is the Most Important Creative Tool Since the Camera — and the Most Misunderstood’ // Louis Vuitton Celebrates 130 Years of the Monogram // Revolut clears first hurdle for Dubai crypto launch // De Beers halts Venetia output amid diamond slump // CyCraft Named a Sample Provider in the Gartner® Latest AI Reasoning Models Report—The Only Taiwan-Based Cybersecurity Provider Listed // Gadkari’s Ethanol Defence Is Losing The Public Argument // AI tools sharpen cybercrime as quishing surges // US missiles disable tanker bound for Iran // Xsolla and Management and Science University (MSU) Sign Memorandum of Understanding (MOU) to Connect Future Game Developers With Global Commercial Opportunities // Fynd brings AI fashion platform to Gulf // UK sets overnight social media curfew for teens // Iran widens energy threat as Hormuz battle escalates // Rival cyber spies penetrate Pakistan police networks // Rhenus to Further Strengthen Warehousing Solutions in the Philippines // Dubai-Botswana pact opens new commodity trade corridor // Paymentology and T2P partner to accelerate the future of card issuing in Thailand //