A recent feud between two ransomware groups, 0APT and KryBit, has led to the exposure of sensitive data from both parties. This unusual conflict between cybercriminals has provided a rare glimpse into their operations, potentially benefiting cybersecurity defenders. The Halcyon Ransomware Research Center has detailed this incident, highlighting the implications for both the attackers and those defending against them.
0APT, which emerged in January, initially gained attention by posting a list of nearly 200 supposed victims. However, this list was largely dismissed as fabricated due to a lack of evidence. In April, 0APT attempted to regain credibility by claiming attacks against other ransomware operators, including KryBit, Everest, and RansomHouse. Meanwhile, KryBit, which began operations in March, had established itself with legitimate ransomware-as-a-service offerings and a list of real victims.
The conflict escalated when 0APT published data allegedly belonging to Everest and RansomHouse, though the authenticity and impact of this data were questionable. In retaliation, KryBit exposed 0APT's infrastructure and personnel details, revealing the fabricated nature of 0APT's initial victim list. This exposure included operational data, access logs, and system files, effectively dismantling 0APT's credibility.
The fallout from this feud has left both groups in disarray, with KryBit keeping 0APT's leak site defaced. Such infighting among ransomware operators is not unprecedented, but the scale and public nature of this incident are notable. The exposure of tactics and infrastructure provides valuable intelligence for security professionals.
For defenders, the Halcyon Ransomware Research Center recommends vigilance against data staging and exfiltration, ensuring backup integrity, and deploying comprehensive anti-ransomware measures. While 0APT's victim list was fraudulent, KryBit and Everest remain legitimate threats, necessitating continued monitoring and preparedness against potential attacks.
Source: https://www.darkreading.com/threat-intelligence/feuding-ransomware-groups-leak-data


