Summary Points
- Rival ransomware groups KryBit and Everest exposed each other’s infrastructure, revealing operational details and fake victim claims, which undermines the credibility and stability of both.
- KryBit publicly breached 0APT, leaking comprehensive operational data including logs, source code, and system files, confirming that previous victim lists were fabricated.
- Conflicts between ransomware gangs such as this one inadvertently benefit defenders by revealing attack tactics, infrastructure, and indicators of compromise that can be used for proactive defense.
Threat Overview, Attack Techniques, and Targets
Recently, two ransomware groups, 0APT and KryBit, became involved in a public feud. Both are new ransomware-as-a-service (RaaS) actors. 0APT first appeared in late January, claiming to have nearly 200 victims. However, these claims were likely false because there was no evidence of actual victim data. Despite this, 0APT used encryption tools, indicating some technical capability. After going quiet, 0APT reappeared in April, claiming to have attacked other ransomware groups like KryBit, Everest, and RansomHouse.
KryBit, emerging in late March, offers RaaS kits targeting Windows, Linux, ESXi, and network storage devices. It relies on an 80/20 affiliate model, meaning affiliates keep 80% of ransom payments. KryBit first published data on ten victims, but later retaliated by exposing 0APT’s infrastructure. KryBit leaked full details of 0APT’s systems, including logs, source code, and files.
The feud involved attacking each other’s infrastructure and exposing victim data. It shows cybercriminal groups fighting in public, which causes confusion and lasting damage for the gangs involved.
Impact, Security Implications, and Guidance
The public feud has major consequences for both groups. KryBit’s attack exposed that 0APT’s initial victim list was fabricated, revealing that no data was exfiltrated from claimed victims. KryBit’s actions damaged 0APT’s credibility and infrastructure, making it harder for 0APT to recover. Both groups now face the need to rebuild and rebrand.
For defenders, this fight creates an opportunity. Such conflicts reveal the tactics, techniques, and procedures (TTPs) used by these groups. Monitoring for signs of data staging, exfiltration, or new attack infrastructure can help in early detection. It is also important to verify backup integrity and deploy anti-ransomware defenses.
If further guidance is needed, organizations should consult security vendors or relevant authorities. As of now, the Halcyon Ransomware Research Center recommends active monitoring of indicators of compromise associated with KryBit, Everest, and similar groups. The ongoing conflict highlights the importance of rapid incident response and threat intelligence sharing.
