When ransomware actors start attacking each other, who wins? Maybe defenders do.
The Halcyon Ransomware Research Center published a blog post recently, primarily covering two newer ransomware-as-a-service (RaaS) actors: 0APT and KryBit. While neither has made a name for themselves to date, the two outfits found themselves embroiled in a feud that appears to have left both in shambles.
0APT emerged in late January with a list of nearly 200 victims posted to its data leak blog over the course of a week. This list was widely regarded as fabricated because of a lack of evidence pointing toward victim compromises, though Halcyon assessed 0APT did use functioning encryptors. The actor failed to pick up traction, or affiliates, and went quiet for months, researchers said.
Then in mid-April, 0APT reemerged, deleting its previous list of fake victims while claiming ransomware attacks against ransomware operators including KryBit, Everest (active since 2020), and RansomHouse (active since 2021). The latter two, Halcyon said, are much more established.
KryBit emerged in late March, offering RaaS kits targeting Windows, Linux, ESXi, and network-attached storage (NAS) devices, using an 80/20 affiliate model (where the RaaS affiliate keeps 80% of ransom payments and KryBit keeps 20%). The group published 10 legitimate victims in its first two weeks.
Contrary to the phony aspect of the initial victim list, 0APT’s comeback strategy is slightly more rooted in reality. 0APT published a joint listing for Everest and RansomHouse, posting an SQL database belonging to the former with encoded and hashed database records spanning the first nine months of 2025. There was no plaintext in critical fields, and while RansomHouse was mentioned in the listing, no RansomHouse data was included in the leak.
Ransomware Actions Have Ransomware Consequences
Erika Totaro, intelligence analyst with the Halcyon Ransomware Research Center, tells Dark Reading that 0APT’s unique tactic may have been a play for attention.
“When your credibility in a criminal marketplace depends on proven victims and ransom payments, and you have neither, you have to find another way to make noise,” she says. “Exposing a rival’s admin panels, affiliate data, and victim negotiations is how you buy credibility when you have no actual victims to show for yourself. These gangs are motivated entirely by financial gain, and they will expose, extort, or undercut each other without hesitation.”
Everest has not publicly retaliated or made any public acknowledgement to date.
That is not the case with KryBit, which had both its infrastructure and personnel exposed. This revealed that KryBit had two administrators, five affiliates, 20 potential victims, and ransom demands between $40,000 and $100,000.
In response to its data leaking, KryBit breached and exfiltrated 0APT’s infrastructure, listed the latter as a victim, and left a message on 0APT’s leak site: “Next time, don’t play with the big boys.”
“KryBit leaked the full 0APT operational data set the following day, which included full access logs, PHP source code, and system files. The access logs revealed that the 190+ victims initially posted by 0APT in January 2026 were entirely fabricated and no data was ever exfiltrated from any of the listed victims,” the researchers said. “0APT has been unable to recover, and KryBit maintains defacement of the 0APT leak site.”
Ransomware Gang Wars
As Halcyon put it, both operators will likely have to rebuild, rebrand, and create new infrastructure in order to recover from this.
Ransomware operator feuds are not unheard of, though they rarely take shape in the way seen here. Feuds often form among ransomware operators and affiliates, either due to disagreements or possible scamming.
Totaro says gang feuds are a net positive for defenders. For one, they offer defenders a window into operations, giving security professionals the chance to prepare for future attacks.
“When operators reconstitute or affiliates migrate to a new service, their tactics, techniques, and procedures travel with them. The tooling changes; the behavior largely does not,” she explains. “That overlap is exactly what defenders can alert on. So while the drama between these groups may look chaotic, the intelligence value of what gets exposed in these moments is real and actionable.”
The blog post contains indicators of compromise. For defenders, Halcyon recommends monitoring for signs of data staging and exfiltration, validating backup integrity, and deploying anti-ransomware defenses. The post also highlighted that while 0APT’s victim list has been fraudulent, KryBit and Everest should be treated as legitimate threats.
