Ransomware Groups 0APT and KryBit Attack Each Other — and Defenders Win
In a rare development in the cybercriminal ecosystem, two active ransomware groups — 0APT and KryBit — have turned their operations against each other, resulting in the mutual leak of internal data, infrastructure details, and operational intelligence. Security researchers analyzing the leaked material say it provides an unprecedented look inside the day-to-day operations of two active ransomware gangs.
The fallout from the gang war has handed defenders rare, actionable intelligence about ransomware infrastructure, victim targeting methodology, tooling, and internal communication patterns — data that is normally only glimpsed through forensic investigation of compromised victims.
What Was Leaked
The mutual breach and public data dump reportedly includes:
Infrastructure Data
| Category | Description |
|---|---|
| C2 server addresses | Active and historical command-and-control infrastructure |
| Hosting providers | Bulletproof hosting services and anonymization layers used |
| Domain lists | Operational domains used for payload delivery and communication |
| VPN/proxy configurations | Anonymization infrastructure protecting operator identities |
Operational Data
| Category | Description |
|---|---|
| Victim lists | Organizations targeted and compromised by each group |
| Ransom payment records | Cryptocurrency transactions and negotiation outcomes |
| Affiliate communications | Messages between gang leadership and affiliates |
| Target selection criteria | How victims were identified and prioritized |
Tooling and Code
| Category | Description |
|---|---|
| Ransomware builder configurations | Payload customization parameters |
| Lateral movement scripts | Tools used to spread through victim networks |
| Credential harvesting tools | Software used to extract domain credentials |
| Exfiltration utilities | Data theft tools used before encryption |
0APT and KryBit: Background
Both groups have been active in the ransomware-as-a-service (RaaS) ecosystem in recent years, though neither has achieved the notoriety of larger organizations like LockBit, BlackCat, or Cl0p.
0APT
0APT (stylized with a zero to mimic the "0day" naming convention) has been linked to:
- Targeted attacks against manufacturing and logistics sectors
- Use of double-extortion tactics — encrypting files and threatening data release
- Technical sophistication in EDR evasion and lateral movement
KryBit
KryBit has been observed targeting:
- Small to medium-sized businesses in North America and Europe
- Healthcare-adjacent organizations
- Professional services firms
KryBit's tactics have included purchasing initial access from initial access brokers (IABs) rather than conducting their own intrusions.
How the Gang War Unfolded
Based on researcher analysis of the leaked material, the dispute appears to have originated over:
- Revenue sharing disputes between 0APT leadership and KryBit affiliates
- Attribution conflicts — both groups allegedly claimed responsibility for the same victims
- Stolen tooling — accusations of code theft between the organizations
The conflict escalated from public forum disputes to active intrusion operations. Each group reportedly:
- Gained access to the other's backend infrastructure and admin panels
- Exfiltrated operational data, victim records, and financial information
- Published the stolen data on cybercriminal forums and dark web leak sites
- Attempted to dox (expose the real identities of) the other group's operators
Defender Intelligence Value
Researchers at Dark Reading and affiliated threat intelligence teams have highlighted several actionable takeaways from the leaked data:
C2 Infrastructure
The exposed C2 addresses and domains allow defenders to block the infrastructure directly:

```yaml
# Example threat intel update — block these indicators
network_blocks:
  - <c2-ip-range-1>      # 0APT active C2
  - <c2-ip-range-2>      # KryBit active C2
domain_blocks:
  - <delivery-domain-1>  # payload distribution
  - <exfil-domain-1>     # data exfiltration endpoint
```

Security teams can update SIEM rules, firewall blocklists, and DNS filtering with the exposed infrastructure indicators.
Victim Targeting Criteria
The leaked targeting data reveals how both groups prioritized victims:
- Revenue threshold — organizations with annual revenue above a defined figure
- Sector targeting — healthcare, finance, and manufacturing rated as premium targets
- Security posture scoring — victims pre-screened via Shodan/Censys scans for exposed services
- Geographic targeting — specific countries deprioritized due to affiliate risk tolerance
Understanding these criteria helps organizations assess their own exposure profile.
TTPs (Tactics, Techniques, and Procedures)
The tooling leaks expose the specific techniques each group uses for lateral movement and credential theft, enabling detection rule creation for:
- Specific LOLBIN (Living off the Land Binary) usage patterns
- Credential dumping tool signatures
- Specific file extensions and ransom note templates
- Encryption timing patterns
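One of the detection rules this enables, as an added example that is not from the article: behavioral logic that watches file-event telemetry for a burst of renames to a ransomware extension and for a ransom-note drop, keyed per process so a legitimate backup job does not trip it. The ".krylock" extension, the note filename and the events are constructed placeholders, since the article does not publish the real artefacts.

```python
"""Flag a burst of renames to a ransomware extension plus a ransom-note drop
in file-event telemetry. Added example, not from the article; the ".krylock"
extension, note name and events are constructed placeholders, not real artefacts."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED_EXTENSIONS = {".krylock"}           # constructed placeholder extension
RANSOM_NOTE_NAMES = {"README_RESTORE.txt"}  # constructed placeholder note name
WINDOW = timedelta(seconds=10)              # sliding window per (host, pid)
THRESHOLD = 5                               # watched renames inside WINDOW to alert

# Constructed events: (timestamp, host, pid, image, operation, path).
# pid 900 renames to an unwatched extension and should stay quiet.
SAMPLE_EVENTS = [
    ("2024-05-01T03:50:00Z", "FS01", 4120, "svchost.exe", "rename", r"C:\share\q1.xlsx.krylock"),
    ("2024-05-01T03:50:01Z", "FS01", 4120, "svchost.exe", "rename", r"C:\share\q2.xlsx.krylock"),
    ("2024-05-01T03:50:02Z", "FS01", 900, "backup.exe", "rename", r"C:\share\old.db.bak"),
    ("2024-05-01T03:50:03Z", "FS01", 4120, "svchost.exe", "rename", r"C:\share\hr.docx.krylock"),
    ("2024-05-01T03:50:04Z", "FS01", 4120, "svchost.exe", "rename", r"C:\share\ops.pdf.krylock"),
    ("2024-05-01T03:50:06Z", "FS01", 4120, "svchost.exe", "rename", r"C:\share\fin.xlsx.krylock"),
    ("2024-05-01T03:50:07Z", "FS01", 4120, "svchost.exe", "create", r"C:\share\README_RESTORE.txt"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_encryption_burst(events, window=WINDOW, threshold=THRESHOLD):
    """Return (ts, host, pid, image, reason) alerts; one burst alert per process."""
    recent = defaultdict(deque)   # (host, pid) -> timestamps of watched renames
    fired, alerts = set(), []
    for ts_s, host, pid, image, op, path in events:
        ts, key = parse_ts(ts_s), (host, pid)
        name = path.rsplit("\\", 1)[-1]
        if op == "create" and name in RANSOM_NOTE_NAMES:
            alerts.append((ts_s, host, pid, image, f"ransom note {name} dropped"))
        if op != "rename" or not any(name.lower().endswith(e) for e in WATCHED_EXTENSIONS):
            continue
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:      # drop renames that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append((ts_s, host, pid, image,
                           f"{len(q)} renames to watched extension in {window.seconds}s"))
    return alerts
```

In production the threshold and window come from the timing data in the leaked tooling rather than the constructed values here.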
Mapping to MITRE ATT&CK
Based on the leaked operational data, both groups employ common ransomware TTPs:
| Tactic | Technique | Details |
|---|---|---|
| Initial Access | T1190 — Exploit Public-Facing App | VPN and edge device exploitation |
| Persistence | T1053 — Scheduled Task/Job | Scheduled tasks for beacon persistence |
| Credential Access | T1003 — OS Credential Dumping | LSASS dump, Mimikatz variants |
| Lateral Movement | T1021 — Remote Services | RDP, SMB, WMI for internal spread |
| Collection | T1074 — Data Staged | Staging to temp directories before exfil |
| Exfiltration | T1041 — Exfil over C2 Channel | Custom tooling over HTTPS |
| Impact | T1486 — Data Encrypted for Impact | Ransomware payload deployment |
The Bigger Picture: Gang-on-Gang Conflict as an Intel Source
This incident is not without precedent. Previous gang conflicts have produced similar intelligence windfalls:
- 2022: Conti internal chats leaked by a Ukrainian member following the Russia-Ukraine war
- 2021: REvil source code and operator communications leaked after internal disputes
- 2023: LockBit builder leaked by disgruntled affiliate, spawning dozens of copycat groups
Each incident demonstrates a pattern: criminal organizations are not immune to insider threats, and when they fracture, defenders benefit from the intelligence fallout.
The 0APT/KryBit situation follows this pattern with one additional element — both sides are actively weaponizing their intelligence against the other, creating a continuous release of operational data.
Recommended Actions for Defenders
Immediate
- Ingest leaked indicators into SIEM and threat intelligence platforms
- Scan for C2 connections matching the exposed infrastructure in historical firewall logs
- Check threat intel feeds for updated 0APT and KryBit IOC packages
- Review EDR telemetry for tooling signatures exposed in the leaked arsenal
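Putting the threat-intel blocklist from the C2 Infrastructure section and the first two immediate actions together, as an added example that is not code from the article or from either group: a small Python scanner that takes an indicator package in the same shape as that YAML snippet, runs it over historical firewall log lines, and groups hits by internal source host. Every CIDR, domain and log line is a constructed placeholder (RFC 5737 test ranges, .example names); denied connections are reported too, since a blocked attempt still identifies an infected host.

```python
"""Scan historical firewall logs for connections to leaked 0APT/KryBit indicators.
Added example, not from the article; all indicators and log lines are constructed
placeholders (RFC 5737 test ranges, .example names), not real data."""
import ipaddress
import re
from collections import defaultdict

# Constructed indicator package, same shape as the article's threat-intel snippet.
IOC_NETWORKS = {"203.0.113.0/24": "0APT active C2",
                "198.51.100.0/25": "KryBit active C2"}   # /25: only .0-.127 match
IOC_DOMAINS = {"update-cdn.example": "payload distribution",
               "sync-backup.example": "data exfiltration endpoint"}

# Constructed key=value firewall log lines: line 3 falls outside the /25 on
# purpose, and line 5 was denied but still shows a host reaching for C2.
SAMPLE_LOGS = """\
2024-05-01T02:13:44Z action=allow src=10.0.4.17 dst=203.0.113.45 dport=443 host=-
2024-05-01T02:14:02Z action=allow src=10.0.4.17 dst=93.184.216.34 dport=443 host=www.example.org
2024-05-01T03:40:19Z action=allow src=10.0.9.3 dst=198.51.100.200 dport=8443 host=-
2024-05-01T03:41:55Z action=allow src=10.0.9.3 dst=192.0.2.8 dport=443 host=files.sync-backup.example
2024-05-01T04:00:01Z action=deny src=10.0.4.17 dst=198.51.100.77 dport=443 host=-
"""
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields

def match_indicators(log_text, networks=IOC_NETWORKS, domains=IOC_DOMAINS):
    """Return (ts, src, matched_value, tag) for every log line touching an IOC."""
    nets = [(ipaddress.ip_network(cidr), tag) for cidr, tag in networks.items()]
    hits = []
    for line in filter(None, log_text.splitlines()):
        f = parse_line(line)
        dst = ipaddress.ip_address(f["dst"])
        hits += [(f["ts"], f["src"], f["dst"], tag) for net, tag in nets if dst in net]
        host = f.get("host", "-")
        # suffix match so subdomains of a leaked domain are caught as well
        hits += [(f["ts"], f["src"], host, tag) for dom, tag in domains.items()
                 if host == dom or host.endswith("." + dom)]
    return hits

def hosts_to_triage(hits):
    """Group hits by internal source address: the machines to isolate and image."""
    by_src = defaultdict(set)
    for _, src, _, tag in hits:
        by_src[src].add(tag)
    return dict(by_src)
```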
Strategic
- Update detection rules for the TTPs exposed in the leaked tooling
- Prioritize patching of the edge services both groups are known to target
- Review backup integrity — ransomware groups specifically target backup infrastructure
- Test incident response playbooks against the RaaS operational model exposed
Key Takeaways
- 0APT and KryBit engaged in mutual intrusion, exposing each other's infrastructure and operations
- Defenders gain rare direct intelligence on active ransomware gang TTPs, infrastructure, and victim targeting
- Leaked data includes C2 addresses, victim lists, tooling, and affiliate communications
- Both groups remain active — the intelligence is current and operationally relevant
- This follows a historical pattern of criminal infighting generating defender windfalls
- Security teams should immediately operationalize the exposed indicators