Ransomware rivals expose their own playbook

Rival ransomware crews 0APT and KryBit have disrupted each other’s operations after each leaked the other’s internal data, exposing an unusual cybercriminal feud that has given defenders a rare view into the infrastructure, tactics and credibility gaps behind emerging extortion groups.

The confrontation began on 13 April 2026, when 0APT listed KryBit, Everest and RansomHouse as victims on its leak site. KryBit responded a day later by breaching 0APT’s infrastructure, defacing its leak site and publishing operational files that undermined 0APT’s own claims. The exchange has left both 0APT and KryBit facing the need to rebuild systems, rotate exposed components and repair reputational damage inside the underground ransomware market.

The episode is significant because ransomware groups normally rely on secrecy, affiliate trust and proof of successful compromises to recruit partners and pressure victims. This dispute reversed that model. Instead of targeting companies alone, one ransomware operator attempted to extort another, only to have its own systems exposed in return.

0APT first appeared in late January 2026, claiming more than 190 victims within a week. The scale of those claims drew attention but also scepticism because verifiable evidence of compromise was weak. Technical analysis later showed that 0APT did possess functioning encryptors for Windows and Linux, meaning it could not be dismissed entirely as theatre. Yet the access logs and system files KryBit leaked from 0APT’s servers indicated that the claimed victims had been fabricated and that no data had been exfiltrated from the organisations listed in January.

KryBit emerged in late March 2026 as a ransomware-as-a-service operation with builders for Windows, Linux, ESXi and network-attached storage devices. Its affiliate model allowed partners to keep 80 per cent of ransom payments while the operator retained 20 per cent. Within its first two weeks, KryBit had posted 10 victims that appeared more credible than 0APT’s earlier claims.

The data exposed by 0APT from KryBit’s administrator panel showed a compact but functional operation. It included records tied to two administrators, five affiliates and 20 potential victims. Victim data volumes ranged from 10GB to 250GB, while ransom demands fell between $40,000 and $100,000. Five Bitcoin wallets were identified, though no transactions or paid-status entries were found at the time of the leak, suggesting KryBit had yet to record confirmed ransom proceeds through those wallets.

KryBit’s response was sharper and more damaging. It gained access to 0APT’s systems, exfiltrated operational files and left a defacement message on the rival leak site. The exposed material included access logs, PHP source code and system files. One of the more striking details was that 0APT’s leak-site infrastructure appeared to be operated through AnLinux-Parrot OS with content pushed from an Android phone’s internal SD card, a sign of limited operational maturity.

The dispute also touched older ransomware brands. 0APT claimed to have leaked data connected to Everest and RansomHouse, but the evidence was uneven. The Everest material consisted of a SQL database containing publication and user records from January to September 2025, with critical fields encoded or hashed rather than exposed in plaintext. RansomHouse was mentioned in the same listing, but no RansomHouse data was included, reducing the likely impact on that group.

Cybersecurity specialists view the clash as part of a wider pattern of fragmentation inside the ransomware economy. Ransomware-as-a-service groups depend on affiliates, initial access brokers, negotiators, payment infrastructure and leak sites. Competition for affiliates and credibility can be intense, especially for newer crews trying to establish themselves alongside established names. When claims of successful attacks are inflated, groups may resort to publicity stunts to attract recruits.

The exposed data carries defensive value. Negotiation records, affiliate handles, cryptocurrency wallets, infrastructure paths and access logs can help security teams understand how groups organise attacks, manage victims and stage stolen data. Even when operators rebuild, their habits often persist. Affiliates may move to other services, but preferred tooling, negotiation styles, targeting choices and operational mistakes can remain detectable.

For companies, the feud reinforces the need to treat leak-site claims carefully. 0APT’s case shows that not every public victim listing reflects a genuine breach. At the same time, dismissing new ransomware brands outright can be dangerous when functional encryptors and working panels exist. KryBit’s exposed activity points to a more conventional threat pattern involving data theft, encryption capability and affiliate-led targeting across sectors.

The practical lessons remain familiar but urgent. Organisations need monitoring for unusual data staging, large archive creation and outbound transfers before encryption begins. Backup systems should be isolated, regularly tested and protected from deletion or encryption. Incident responders should preserve firewall logs, endpoint telemetry and network records, particularly when ransomware activity appears linked to groups whose infrastructure has been exposed.


