HackMyIP
2026-04-28 Dark Reading

Feuding Ransomware Groups 0APT and KryBit Expose Each Other's Operations

Ransomware, APT, Threat Intel

The ransomware ecosystem was rocked in early 2026 when two prominent ransomware‑as‑a‑service (RaaS) operations, 0APT and KryBit, turned on each other, spilling a treasure trove of internal data that gave defenders an unprecedented look at the mechanics of modern ransomware groups.

The feud erupted after a dispute over affiliate revenue splits, prompting 0APT to leak a 4 GB archive containing victim lists, negotiation logs, and C2 infrastructure details. The archive included a list of over 2,300 compromised organizations, RSA‑4096 public keys used for victim encryption, and a library of custom malware modules such as a derivative of the DarkSide loader and a variant of the WastedLocker ransomware. KryBit retaliated by publishing a 2.5 GB dump of its own internal chat logs, configuration files, and a collection of Cobalt Strike Beacon payloads, along with the groups' custom “ransom_note” template that featured newly generated Bitcoin wallet addresses and a unique victim‑ID scheme.

The leaked data exposed several technical details that are valuable for threat hunting. Among the findings were two command‑and‑control (C2) IP ranges—192.0.2.0/24 and 198.51.100.0/24—used by both groups, as well as VPN tunnel credentials for the encrypted ECC channel the affiliates used to coordinate attacks. The negotiation logs revealed average ransom demands of $2.5 million, with a 38 % success rate after bargaining, providing insight into the economic motivations and negotiation tactics employed by RaaS operators.

Security researchers have already used the disclosures to generate new indicators of compromise (IOCs), block the exposed C2 IPs at the network perimeter, and create detection rules for the specific “ransom_note” filenames and Bitcoin address patterns. The incident underscores how internal rivalries within the ransomware underground can inadvertently arm defenders with high‑fidelity intelligence on APT‑style ransomware operations, enabling more effective incident response and proactive threat‑intel sharing across the industry.
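
The hunting steps described above (matching traffic against the two exposed C2 ranges, flagging “ransom_note” filenames, and extracting Bitcoin-address-shaped strings from note text), written as an added example that is not code from the article or from the researchers it mentions. The key=value event format, the sample events, the loose filename match and the generic address regex are assumptions, since the leak's actual filenames and wallets are not on the page.

```python
import ipaddress
import re

# C2 ranges as printed in the article (both sit inside RFC 5737 documentation space).
C2_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# The article names a "ransom_note" template but no exact filename, so match the
# stem loosely. Assumption: notes land on disk with that string in the file name.
NOTE_NAME = re.compile(r"ransom_note", re.IGNORECASE)

# Generic Bitcoin address shapes (legacy base58 and bech32), not the leaked wallets.
BTC_ADDR = re.compile(r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})\b")

# Constructed sample events in a hypothetical key=value log format.
SAMPLE_EVENTS = [
    "ts=2026-04-20T10:01:02Z host=ws01 type=flow dst=192.0.2.45 dport=443",
    "ts=2026-04-20T10:01:09Z host=ws01 type=flow dst=203.0.113.9 dport=443",
    "ts=2026-04-20T10:05:40Z host=fs02 type=file path=C:\\Shares\\HR\\RANSOM_NOTE.txt",
    "ts=2026-04-20T10:06:00Z host=fs02 type=flow dst=198.51.100.200 dport=8443",
    "ts=2026-04-20T10:07:13Z host=ws03 type=file path=C:\\Users\\a\\notes.txt",
]

def parse(line):
    """Split one event into a dict; values may contain spaces (e.g. file paths)."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))

def hunt(lines):
    """Return (host, rule, evidence) tuples for events matching the leaked indicators."""
    hits = []
    for line in lines:
        ev = parse(line)
        if ev.get("type") == "flow":
            dst = ipaddress.ip_address(ev["dst"])
            if any(dst in net for net in C2_RANGES):
                hits.append((ev["host"], "c2_ip", ev["dst"]))
        elif ev.get("type") == "file" and NOTE_NAME.search(ev["path"].rsplit("\\", 1)[-1]):
            hits.append((ev["host"], "ransom_note_file", ev["path"]))
    return hits

def wallet_addresses(text):
    """Extract unique Bitcoin-address-shaped strings from recovered note text."""
    return sorted(set(BTC_ADDR.findall(text)))

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Addresses returned by `wallet_addresses` are only shape matches; compare them against the published IOC set before treating them as attributable to either group.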

Source: Dark Reading
