The 0APT Ransomware Hoax: A New Threat Sounds a False Alarm
This edition of the Bitdefender Threat Debrief covers the latest developments in the threat landscape, including the rising group 0APT, the Notepad++ compromise, a recent healthcare breach, and more.
As ransomware continues to evolve, our goal with this monthly Bitdefender Threat Debrief is to help you stay ahead of the curve. To do this, we combine information from openly available sources (OSINT), such as news reports and research, with data we gather by analyzing Data Leak Sites (DLSs), the websites where ransomware groups post details about their victims. It is important to remember that we can't independently verify all of these claims, but we are confident in the trends we see over time.

For this month's report, we analyzed data from January 1 to January 31 and recorded a total of 831 claimed ransomware victims. This is a growth rate of nearly 10% compared to the victims claimed in January 2025.
Featured Story: The 0APT Ransomware Hoax: A New Threat Sounds a False Alarm
What Happened?
0APT is a ransomware group that was unheard of before 2026. We’ve now tracked a significant spike in the group’s activity as published victims rapidly piled up. In fact, 0APT claimed a total of 91 victims in just two days, with the majority of those victims falling into the transportation, technology, and financial services industries. The number of victims claimed far exceeds what would be expected not only from an emerging ransomware group, but also from a leading ransomware group like Qilin. Even under the best circumstances, at the peak of their operations, Qilin could claim 24+ victims in one day. Taken together, these factors make 0APT’s bold entry into the threat landscape appear highly suspicious and perhaps baseless. At the time of this release, 0APT’s claimed victims for February had already climbed to 90+ within the first week of the month.
Is 0APT an APT or Ransomware Group?
Currently, there is no evidence to support that 0APT is an advanced persistent threat (APT). 0APT markets themselves as a ransomware group and lists a RaaS program page on their data leak site, encouraging interested penetration testers to apply for access. However, there is something unusual here: joining the alleged RaaS is free, which creates further suspicion. RaaS programs tend to have an entry fee; some groups set this price on a subscription model, whereas others charge a fixed price. Visitors who wish to apply are redirected to a secure channel to start a chat with an admin.

Figure 1: Messaging on the 0APT data leak site that promotes free membership.
0APT describes themselves as “a politically neutral underground syndicate,” which, whatever their hidden motives, clashes with the geopolitical motivations often associated with advanced persistent threats.
Interestingly, 0APT’s posts include not just threats to leak victim data, but also repeated, overt language targeted towards discrediting the integrity of victim organizations, typically claiming they’ve violated some ethical boundary or guidance surrounding data protection.
The group offers victims who contact them and submit payment a decryptor and an agreement to delete the stolen files. However, this offer should be assessed with great caution, as no decryption tool may exist to begin with: the claimed victims are unsubstantiated, and there’s little evidence that a working, tested decryptor is available. There are also no screenshots or video recordings demonstrating the effectiveness of such a tool, a practice that has been observed with several ransomware groups.
What’s the Catalyst for These Significant Victim Claims?
In the past, Bitdefender Labs tracked multiple catalysts for rising victim claims, including revictimization, scraping an organization’s data from open-source sites, and, simply put, ransom via scare tactics (when a threat actor states they have access but have not actually infiltrated an environment).
However, the most likely explanation for 0APT’s sudden uptick in ransomware victims per day points to inaccurate polling of infections from sandbox environments. Sandboxing is a technique that allows defenders and researchers to load malware in an isolated environment to analyze the sample and determine how it behaves in real time without putting other systems at risk. Once executed, the malware may call back to the attacker’s infrastructure, flagging that it has in fact been executed to infect a host, even though the target system is not an actual victim, but a clean environment set up to perform testing and analysis.
Is This Just a Mishap or a Timely Recruitment Strategy?
0APT’s claimed victims continue to rise, making some researchers deem 0APT’s actions intentional and rather pompous; their aim might be to gain more exposure and fame. This strategy, however, is a foolish endeavor. Any incompetencies linked to a threat actor can position them for failure and even disbandment as they could become a future target for larger threat groups wishing to eliminate them from the ecosystem entirely.
Trust and evidence of a group’s capabilities are essential when establishing partnerships. Zero times zero is still zero. If many of the reported 0APT victims are false victims, then nothing has been gained, and the burden lies on 0APT to prove themselves in the near future if they want other threat actors who are making a name for themselves to join their ranks.
Organizations listed as published victims are advised to evaluate claims of a 0APT compromise with caution, to assess their digital footprint for potential data exposure, and to review the environments their security teams use for security research and analysis in order to identify and correct any gaps in need of remediation.
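As an added example (not Bitdefender's own tooling), the following Python script scores DLS claim volume per group against the single-day ceiling the page cites for Qilin and flags bursts like 0APT's so that an analyst treats those entries as unverified until the listed organization confirms a compromise. The post records and the 24-claims-per-day threshold are constructed assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed DLS post records: (group, post date, victim id). The counts mirror
# the page's figures (0APT: 91 claims in two days; Qilin's peak: 24 in a day),
# but the victim ids are made up for this example.
POSTS = (
    [("0APT", date(2026, 1, 29), f"v{i}") for i in range(46)]
    + [("0APT", date(2026, 1, 30), f"v{i}") for i in range(46, 91)]
    + [("Qilin", date(2026, 1, 15), f"q{i}") for i in range(24)]
    + [("Qilin", date(2026, 1, 16), f"q{i}") for i in range(24, 31)]
    + [("Clop", date(2026, 1, 12), f"c{i}") for i in range(12)]
)
# Assumed ceiling taken from the page: a leading RaaS like Qilin peaked at about
# 24 claims in one day, so a rate well above that warrants manual validation.
DAILY_CAP = 24
WINDOW_DAYS = 2

def daily_counts(posts):
    """Map each group to a Counter of claims per post date."""
    per_group = defaultdict(Counter)
    for group, day, _victim in posts:
        per_group[group][day] += 1
    return per_group

def peak_window(counts, window_days):
    """Most claims posted in any span of window_days consecutive days."""
    return max(
        sum(counts.get(start + timedelta(days=k), 0) for k in range(window_days))
        for start in counts
    )

def flag_bursts(posts, daily_cap=DAILY_CAP, window_days=WINDOW_DAYS):
    """Return {group: [reasons]} for groups whose claim rate exceeds the ceiling,
    either on a single day or sustained across window_days. Such claims should
    be treated as unverified (e.g. sandbox call-backs counted as infections)."""
    flagged = {}
    for group, counts in daily_counts(posts).items():
        reasons = []
        top_day, top_n = max(counts.items(), key=lambda kv: kv[1])
        if top_n > daily_cap:
            reasons.append(f"{top_n} claims on {top_day} (> {daily_cap}/day)")
        window_n = peak_window(counts, window_days)
        if window_n > daily_cap * window_days:
            reasons.append(f"{window_n} claims in {window_days} days (> {daily_cap * window_days})")
        if reasons:
            flagged[group] = reasons
    return flagged
```

Running `flag_bursts(POSTS)` on the constructed data flags only 0APT, on both the single-day and the two-day rule, while Qilin's 24-claim day stays at the ceiling and is not flagged.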
Other Notable Ransomware News
Now, let’s explore the notable news and findings since the last Threat Debrief.
- Clop returns to the Top 10 Groups: Clop claimed 90 victims in January, its third-highest monthly victim count to date. Nearly half of its victims were organizations from the construction, technology, and financial services industries. The ransomware group is known for executing campaigns that leverage the timely exploitation of zero-day vulnerabilities. As a result, organizations are encouraged to adopt a proactive, structured approach to patch management and vulnerability treatment practices.
- RAMP falls after FBI-led takedown: RAMP infrastructure is no longer active following a joint law enforcement investigation. The RAMP forum, over four years old, was instrumental in allowing Russian networks to communicate and grow their ransomware operations. Now that RAMP has suffered the same fate as its predecessors, the XSS and Exploit forums, more questions have been raised surrounding its potential replacement or an evolution of the forum that may emerge in the near future. As law enforcement efforts to crack down on ransomware operations ramp up, OPSEC and defense evasion persist as critical parts of the cybercrime equation that can either make or break career criminals.
- Critical Notepad++ software updates are compromised: Recent reports establish that a threat actor has leveraged the compromise of Notepad++ to attack organizations in Asia and Central America. The threat actor, likely a state-sponsored group aligned with Chinese interests, executes these exploitation attempts to gain access to victim systems, conduct espionage, and deploy malware that disrupts business operations. The Notepad++ compromise may date back to June 2025, impacting versions of the software that precede version 8.9.1. Organizations using Notepad++ are advised to update it to the latest release. It’s strongly advised that these organizations enable firewall and IDS logging and implement auditing measures to monitor and assess Notepad++ activity. Bitdefender’s threat researchers and MDR teams regularly update GravityZone endpoint detection based on current and newly discovered signatures.
- FulCrumSec claims responsibility for major healthcare breach: FulCrumSec is a ransomware group focused on data extortion. The group was involved in leaking data from multiple victims around December 2025. FulCrumSec claims that a recent healthcare breach is one of “the most disturbing we’ve encountered, impacting 160,000+ ID-linked individuals and close to a million exposed patients.” The data leak resulted in the exposure of patient data, including photos documenting treatment, PII, and patient diagnoses. According to FulCrumSec, security flaws, including a failure to secure configuration files linked to hubs where patient data was stored and a lack of encryption, shaped the opportunity to attack. At the time of this release, FulCrumSec has claimed a total of 15 victims.
- Nitrogen ransomware faces decryption challenge: Nitrogen was recently exposed for a reported error in the decryption tool it provides to victims to reverse the encryption process. The error results from the use of a faulty public key derived from an overwriting process instead of a private key. The public key is generated for encryption that is performed on ESXi hosts. Once encrypted, victim files cannot be decrypted with the Nitrogen decryptor that references an invalid public key. Nitrogen’s blunder underscores a vital lesson: ransomware groups cannot be trusted. Do not pay for decryptors. These criminals are not bound to ethics or some moral code. There’s no guarantee that a group will refuse to leak your sensitive data once they’re paid, and the group may not even have the appropriate tools to reverse the damage done.
Top 10 Ransomware Families
Bitdefender's Threat Debrief analyzes data from ransomware data leak sites, where groups publicize their claimed number of compromised organizations. This approach provides valuable insights into the overall activity of the RaaS market. However, there is a trade-off: while it reflects attackers' self-proclaimed success, the information comes directly from criminals and may be unreliable. Additionally, this method only captures the number of victims claimed, not the actual financial impact of these attacks. Here are the Top 10 ransomware groups.

Top 10 Most Attacked Regions
Ransomware gangs prioritize targets where they can potentially squeeze the most money out of their victims. In many cases, this means focusing on developed countries with higher projected growth rates. Threat actors may also execute strategic attacks that unfold during geopolitical conflicts or periods of social unrest.
Taiwan and Malaysia joined the Top 10 Regions in January, surpassing Asian regions previously represented in the Top 10, such as Japan and Singapore. The ransomware groups Qilin and The Gentlemen targeted both Taiwan and Malaysia, and Direwolf claimed multiple victims in Malaysia. The majority of the affected victims in Taiwan and Malaysia were organizations in the manufacturing industry. Here are the top 10 regions that took the biggest hit from ransomware attacks.

Top 10 Most Attacked Industries
Ransomware gangs may target organizations in critical infrastructure sectors, select other organizations that offer services tailored to consumers, or attack organizations that fall into both categories. Understanding the trends and ramifications associated with specific industries, and how specialized services and clientele are impacted, is crucial for assessing risk. Here are the Top 10 industries affected by ransomware attacks.
MDR Ransomware Insights
Bitdefender's MDR Insights consolidates key findings each month captured from real-world incidents.
In January 2026, our MDR teams found that threat actor activity:
- Reinforces a clear reality: modern ransomware is credential-led and tool-driven. Most critical attacks are no longer “malware-first”; they are credential-first.
- Is detected and interrupted at the credential dumping and privilege escalation stage, before domain-wide compromise. MDR also detects the other behaviors attackers rely on: lateral movement, remote tool abuse, and ransomware staging.
Visit MDR and read the Bitdefender Ransomware white paper for more information on how to protect against ransomware.
About Bitdefender Threat Debrief
The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. Don’t miss the next BDTD release: subscribe to the Business Insights blog and follow us on Twitter. You can find all previous debriefs here.
Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 180 technology brands have licensed and added Bitdefender technology to their product or service offerings. This vast OEM ecosystem complements telemetry data already collected from our business and consumer solutions. To give you some idea of the scale, Bitdefender Labs discovers 400+ new threats each minute and validates 30 billion threat queries daily. This gives us one of the industry’s most extensive real-time views of the evolving threat landscape.
We would like to thank Bitdefender's Stefan Hanu, Mihai Leonte, Gabriel Macovei, and Andrei Mogage for their help with putting this report together.