Full Report
Honey, the skids are fighting again

Two rival ransomware gangs have locked horns after 0APT threatened to expose people affiliated with Krybit.…
Analysis Summary
# Threat Actor: 0APT
## Attribution & Identity
* **Name:** 0APT
* **Aliases:** None currently identified.
* **Profile:** A relatively new ransomware/extortion group characterizing itself with "credible technical depth" while engaging in aggressive self-promotion.
* **Known Associations:** No direct technical links to other groups are confirmed, though they have recently targeted a rival group known as **Krybit**.
## Activity Summary
* **Rival Extortion (April 2026):** 0APT targeted the rival ransomware gang Krybit, threatening to dox its affiliates (names, photos, and locations) unless a ransom is paid.
* **Launch Phase (January 2026):** Within the first 48 hours of operation, the group claimed hundreds of victim organizations.
* **Claim Inflation:** Analysts believe 0APT engages in "inflated victim claims" to bolster its reputation early in its lifecycle.
## Tactics, Techniques & Procedures
* **Double Extortion:** Employs the standard ransomware playbook of encrypting data and threatening to leak sensitive information on a dedicated leak blog.
* **Doxxing:** Specifically targets the personal identities of rival operators to coerce payment.
* **Credential Harvesting:** Procurement of plaintext credentials (observed in the Krybit compromise).
* **Data Interception/Theft:** Claims the ability to unlock data for victims of other ransomware groups if they contact 0APT following a successful breach of a rival.
* **MITRE ATT&CK IDs:**
  * T1567 (Exfiltration Over Web Service)
  * T1659 (Branding/Reputation Impact – notably against other criminals)
  * T1555 (Credentials from Password Stores)
## Targeting
* **Sectors:** Indiscriminate; claims to target hundreds of organizations across various sectors. Most recently targeted the **Cybercrime** sector (specifically other ransomware operators).
* **Geography:** Global/Undisclosed.
* **Victims:**
  * **Krybit** (Ransomware group)
  * Hundreds of unnamed organizations (claims likely inflated).
## Tools & Infrastructure
* **Malware:** Ransomware (Specific family not named, but noted for "technical depth").
* **Leak Blog:** A dark web site used for doxxing and data exposure.
* **Infrastructure:**
  * Dark web leak portal.
  * hXXps[://]www[.]thehackerwire[.]com/ransomware-groups/krybit/ (Referenced victim tracking).
## Implications
0APT represents a trend of "criminal-on-criminal" extortion, which can lead to volatile shifts in the ransomware ecosystem. While their claims of hundreds of victims are likely exaggerated to build a "brand," their technical competence in breaching other criminal operations suggests they are a high-tier threat to legitimate organizations. Their offer to "unlock data" for another group's victims suggests they may attempt to position themselves as a "benevolent" or superior predator in the ecosystem.
## Mitigations
* **Credential Hygiene:** Implement MFA and rotate credentials, as plaintext credential harvesting was observed in their recent operations.
* **Identity Intelligence:** Monitor dark web leak sites for "data dumps" that may contain company credentials leaked from third-party breaches.
* **Asset Hardening:** Maintain offline backups and immutable storage to counter double-extortion tactics.
* **Vulnerability Management:** Ensure all edge-facing infrastructure is patched, as 0APT demonstrates the technical depth required to exploit known vulnerabilities for initial access.