Feuding Ransomware Groups Leak Each Other’s Data, Exposing Operations to Defenders



What happened

A feud between two ransomware-as-a-service operations, 0APT and KryBit, resulted in both groups exposing each other’s infrastructure, affiliate data, and operational details, providing defenders with an unusual window into active ransomware operations. The Halcyon Ransomware Research Center documented the conflict.

0APT emerged in late January with a list of nearly 200 claimed victims that was widely assessed as fabricated, lacking evidence of actual compromises. The group went quiet before reemerging in mid-April, deleting its fake victim list and claiming attacks against several ransomware operators including KryBit, Everest, and RansomHouse. Against KryBit, 0APT exposed the group’s infrastructure and personnel data, revealing two administrators, five affiliates, 20 potential victims, and ransom demands ranging from $40,000 to $100,000.

KryBit responded by breaching 0APT’s infrastructure, exfiltrating its operational data, listing 0APT as a victim on its own leak site, and leaving a defacement message. The exfiltrated 0APT data included full access logs, PHP source code, and system files. Analysis of those logs confirmed that all 190-plus victims 0APT claimed in January were entirely fabricated and that no data was ever exfiltrated from any of them. KryBit’s defacement of 0APT’s leak site remains in place, and 0APT has not recovered. Both groups will likely need to rebuild and rebrand their infrastructure.

0APT also published what it claimed was data from Everest, a group active since 2020, posting an SQL database with encoded and hashed records spanning the first nine months of 2025. Everest has not publicly responded.

Who is affected

KryBit had published 10 legitimate victims in its first two weeks of operation and should be treated as a functioning threat despite the current disruption. Everest and RansomHouse, both more established groups, remain active. Organizations in industries targeted by these groups face ongoing risk regardless of the internal drama.

Why CISOs should care

Gang feuds are rare opportunities for defenders. The operational data exposed in this conflict, including affiliate structures, victim negotiation details, infrastructure logs, and tooling, provides intelligence that would otherwise require significant effort to obtain. As Halcyon’s analysts note, when operators reconstitute or affiliates migrate to a new service, their tactics and techniques travel with them even as the tooling changes. That behavioral continuity is exactly what detection engineering can be built on.

The 0APT case also reinforces the importance of validating ransomware group claims before treating victim listings as confirmed breaches.

3 practical actions

  1. Ingest the indicators of compromise published by Halcyon from the 0APT and KryBit operational data: The exposed infrastructure logs, PHP source code, and system files contain actionable intelligence for defenders. Add the published IoCs to detection rules and threat hunting workflows, particularly for environments that match the targeting profiles of KryBit and Everest.
  2. Treat affiliate migration as a threat persistence factor in your detection engineering: When ransomware groups collapse or rebrand, their affiliates carry established TTPs to new platforms. Build detection logic around behavioral patterns associated with these operators rather than relying solely on infrastructure-based indicators that change with each rebrand.
  3. Validate ransomware victim listing claims before treating them as confirmed incidents: 0APT’s 190-plus victim list was entirely fabricated, so none of the organizations named on it had in fact been breached by 0APT. Confirm a claimed breach through direct forensic assessment or credible third-party validation rather than treating a leak site listing as definitive evidence of compromise; a listing is a trigger for verification, not a finding in itself.