CyberSecurity

Ransomware Turf War Escalates as 0APT and KryBit Groups Trade Blows in Public Feud

Published

on

Ransomware Turf War: 0APT and KryBit Groups Trade Blows in Public Feud

The cybercrime underground is witnessing an unusual spectacle: a ransomware turf war between two rival groups, 0APT and KryBit, who are publicly leaking each other’s operational data. According to a new report from Halcyon, both groups are now scrambling to rebuild their infrastructure after this dramatic exchange of blows.

This clash began when 0APT, a relatively new ransomware group, posted sensitive data on its leak site targeting three rivals: the newcomer KryBit, along with established players RansomHouse and Everest Group. The leak exposed KryBit’s administrator panel, affiliate details, and victim negotiation data. Halcyon noted that the leaked information spanned from March 28 to April 12, 2026, revealing two administrators, five affiliates, and 20 potential victims. Ransom demands ranged from $40,000 to $100,000 per victim, with exfiltrated data volumes between 10GB and 250GB.

However, KryBit did not take this lying down. The group retaliated by hacking back at 0APT, stealing its data and defacing its leak site with a taunting message: “Next time, don’t play with the big boys.” The counter-leak included full access logs, PHP source code, and system files from 0APT’s infrastructure. More importantly, it revealed a stunning deception: the 190+ victims 0APT had claimed since January 2026 were entirely fabricated. No data was ever exfiltrated from any listed victim.

Halcyon’s analysis also uncovered that 0APT’s entire ransomware data leak site was running on an AnLinux-Parrot OS, pushing content via an Android phone’s internal SD card. This amateurish setup has left 0APT unable to recover, while KryBit maintains control over the defaced site.

Why This Ransomware Turf War Matters for Cybersecurity

This ransomware turf war illustrates a growing trend: cybercriminal groups are increasingly targeting each other to gain credibility and market share. Oliver Newbury, former Barclays CISO and chief strategy officer at Halcyon, explained that financial pressure is driving these conflicts. “These groups depend on credibility to survive, so when that starts to crack, rivals move fast to expose it,” he said. “We’re now seeing them disrupt each other’s operations, taking over infrastructure and undermining campaigns in real time.”

As a result, the ecosystem doesn’t shrink—it reshapes, often becoming harder to predict. For defenders, this means that while internal feuds can temporarily weaken certain groups, they also create new, more resilient adversaries.

Interestingly, Everest Group has not retaliated against 0APT despite having its encoded publication and user data leaked. This suggests that not all groups are willing to engage in public warfare, perhaps preferring to rebuild quietly.

How the Feud Exposes Ransomware Group Vulnerabilities

The KryBit leak exposed critical operational components, including administrator panels and affiliate networks. Halcyon warned that such leaks force groups to “rotate leaked operational components to ensure impact on their activities is limited.” This means both 0APT and KryBit will likely need to rebuild, rebrand, and spin up new infrastructure over the coming weeks or months to remain active.

Moreover, the fabricated victim list from 0APT highlights a broader issue: the ransomware economy relies heavily on perceived success. Groups like 0APT may fabricate attacks to attract affiliates, but such deception can backfire spectacularly when exposed.

Data from Chainalysis in 2025 showed that crypto-payments to ransomware actors dropped 8% annually to $820 million, even as attack numbers rose 50%. This financial squeeze likely fuels conflicts like this ransomware turf war, as groups fight for a shrinking pool of ransom payments.

For more on ransomware trends, see our analysis of ransomware attacks in 2026 and how cybercrime groups are evolving their tactics.

What This Means for Businesses and Defenders

While internal feuds may seem like a net positive for cybersecurity, experts caution against complacency. “It creates instability, but not safety,” Newbury added. The disruption caused by this ransomware turf war could lead to unpredictable behavior from both groups, including more aggressive attacks or a shift to new, harder-to-track methods.

Organizations should remain vigilant: patch systems, enforce multi-factor authentication, and maintain offline backups. The chaos among ransomware groups does not eliminate the threat—it merely changes its form.

In conclusion, the 0APT vs. KryBit feud is a stark reminder that the cybercrime landscape is dynamic and ruthless. As these groups trade blows, they reveal not only each other’s weaknesses but also the fragility of the entire ransomware business model.

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending

Exit mobile version