
Ransomware Groups Clash in Turf War, Exposing Each Other's Operations


“Next time, don’t play with the big boys,” KryBit wrote when defacing 0APT’s leak site, according to Halcyon.

0APT's initial provocation against KryBit, RansomHouse, and Everest Group

Halcyon reports that the confrontation began when 0APT published claims on its leak site asserting the “scalps” of three ransomware operations: newcomer KryBit and the more established RansomHouse and Everest Group. That post exposed operational material for KryBit and encoded and hashed publication and user data for Everest Group. RansomHouse was also named by 0APT but, in the sequence Halcyon describes, did not figure in the immediate reprisals.

KryBit's leak: administrators, affiliates, victims, and ransom figures

According to Halcyon, 0APT’s initial leak included KryBit’s administrator panel and negotiation records covering activity between 28 March 2026 and 12 April 2026. At the time of the leak, KryBit reportedly had two administrators, five affiliates, and a roster of 20 potential victims. For each victim, the data exfiltrated ranged from 10 GB to 250 GB, and ransom demands sat between $40,000 and $100,000.

KryBit's counterstrike: full 0APT operational data exposed

KryBit answered by breaching 0APT and posting the full 0APT operational data set the following day, Halcyon says. The package included full access logs, PHP source code, and system files. The access logs allegedly showed that the "190+ victims" 0APT had posted in January 2026 were fabricated and that no data had been exfiltrated from those listed victims. Halcyon also reports that 0APT’s leak-site infrastructure was running on AnLinux-Parrot OS and that content delivery was being pushed via an Android phone’s internal SD card. As of the report, 0APT had not recovered control and KryBit maintained the site defacement.

Halcyon's assessment and Oliver Newbury's view on operational instability

Halcyon concluded that the extensive mutual leaks will likely force operators to rebuild, rebrand, and spin up new infrastructure “over the next few weeks to months” to remain active. Halcyon’s chief strategy officer, Oliver Newbury, framed the tit-for-tat as symptomatic of financial stress among ransomware groups. Newbury said, “These groups depend on credibility to survive, so when that starts to crack, rivals move fast to expose it.” He added that adversaries are now disrupting each other’s operations in real time by taking over infrastructure and undermining campaigns, producing instability without creating safety: “The ecosystem doesn’t shrink, it reshapes, often becoming harder to predict in the process.”

What this means for technologists, affected enterprises, and ransomware operators

  • Technologists and security teams: The exposed technical details—full access logs, PHP source code, system files, and evidence of lightweight hosting (AnLinux-Parrot OS and an Android SD card)—underscore how operational weaknesses can be leveraged by rival actors. Teams will need to verify whether any infrastructure details revealed in the leaks overlap with observed attacker behavior in their environments.
  • Affected enterprises and potential victims: The published negotiation data that Halcyon describes—showing exfiltration volumes of 10–250 GB and demands of $40,000–$100,000—gives a concrete snapshot of the scale and pricing facing the 20 KryBit victims in the leak. Organizations should assume that exposed negotiation or victim lists could be reshuffled into new campaigns if operators rebrand or affiliates migrate.
  • Ransomware operators and affiliates: Halcyon’s reporting suggests operators must now rotate leaked operational components or rebuild entirely to maintain credibility and functionality. Everest Group, despite having encoded and hashed data disclosed by 0APT, had not publicly retaliated in the exchange described, while both KryBit and 0APT appear to be materially disrupted.

The episode offers a narrow but vivid window into a ransomware marketplace under pressure. Chainalysis data cited by Halcyon underlines that pressure: crypto-payments to ransomware actors fell 8% year over year in 2025 to $820 million, even as the number of attacks rose 50%. Those financial strains help explain why credibility—and the public appearance of operational success—can become a target in and of itself. Whether the immediate fallout forces a sustained contraction, or merely a rapid reshaping as Newbury warns, remains a question the leaks themselves cannot yet answer.
