
Bitdefender Threat Debrief | May 2026


KryBit Ransomware Strikes Back, Exposing 0APT

This edition of the Bitdefender Threat Debrief covers the latest developments in the ransomware threat landscape, including a feud between 0APT and KryBit, updates on The Gentlemen’s ransomware, an APT masquerading as a ransomware group, and more.

As ransomware continues to evolve, our goal with this monthly Bitdefender Threat Debrief is to help you stay ahead of the curve. To do this, we combine information from openly available sources (OSINT) – things like news reports and research – with data we gather by analyzing Data Leak Sites (DLSs), websites where ransomware groups post details about their victims. It is important to remember that we can't independently verify all of these claims but are confident in the trends we see over time.


For this month's report, we analyzed data from April 1 to April 30 and recorded a total of 725 claimed ransomware victims.

Featured Story: KryBit Ransomware Strikes Back, Exposing 0APT

What Happened?

In April, ransomware group 0APT, notorious for running a fake ransomware operation, breached KryBit group’s infrastructure. The group extracted information from KryBit’s RaaS panel that included staff names and account credentials, cryptocurrency wallet addresses, location data, ransom-negotiation correspondence, and more.

0APT threatened to expose KryBit, claiming that it would leak the affiliate list and other data to the FBI. 0APT’s plan backfired, however, when KryBit breached 0APT’s infrastructure, locked out 0APT staff, and leaked data that validated previous reports of 0APT running a faux ransomware operation.

Who is KryBit?

KryBit is a ransomware group that emerged a couple of months ago. It has claimed more than 25 victims to date, spread across several regions including the United States, Germany, Austria, and Turkey.

KryBit operates under a Ransomware-as-a-Service (RaaS) business model. Affiliates who join its program keep 80% of the profits from ransom payments and, according to KryBit, also receive encryptors compatible with ESXi, Linux, and Windows environments, along with 24/7 technical support.

What Did KryBit Expose?

0APT threatened to extort KryBit for $2 million, and KryBit responded by breaching 0APT’s infrastructure and exposing it as an imposter ransomware group. Past reports had already suggested as much, but the KryBit leak made it far clearer that 0APT lacked the capabilities or infrastructure to support a ransomware operation or the hundreds of attacks it claimed.

KryBit leaked logs indicating that the system used to manage 0APT’s site was incapable of these attacks: it was a Droid mobile phone running Parrot OS off an SD card. This is a stark contrast to the resources most threat actors invest in, which often comprise a mix of dedicated Linux servers and cloud-based services.

It was also revealed that any download links added to 0APT’s data leak site were falsified, as clicking on an archive would simply pipe random data to a preset path. KryBit ultimately compromised 0APT’s site, locking out staff. 0APT has yet to make any public comments on KryBit’s breach or re-emerge with updates on their activity.

How Was KryBit Ultimately Impacted?

While KryBit’s infrastructure remains active, the data leaked from its RaaS admin panel remains exposed. This data included the names of admins and affiliates, as well as victim lists and account credentials.

This places KryBit at significant risk, as the exposed information increases the odds of a law enforcement takedown. When a ransomware group feels this kind of pressure, its operations typically slow: there may be a lull in activity followed by an attempt to rebrand.

KryBit also took a devastating reputational hit, as 0APT is not considered a capable, top-tier threat actor, yet it still exfiltrated KryBit’s data. As a result, KryBit’s standing is likely tarnished in the eyes of current rivals and potential affiliates.

Live Discussion: Ask questions about this ransomware feud and explore other recent ransomware developments during our live discussion on Ctrl-Alt-DECODE, Bitdefender’s newly established threat intelligence initiative. 


Other Notable Ransomware News

Now, let’s explore the notable news and findings since the last Threat Debrief.

  • New findings reveal that The Gentlemen’s victims likely exceed 1,500: The Gentlemen repeatedly appears in the Top 10 ransomware group rankings, is rising among the leading groups, and has likely passed the milestone of 1,500 ransomware victims. The group has grown its affiliate network and remains known for gaining initial access by exploiting vulnerabilities in network edge devices.

    Security researchers recently uncovered information about the group’s infrastructure, including a SystemBC command and control server, which serves as the channel through which the group communicates between its own server and target networks. The use and configuration of the group’s infrastructure revealed a range of network connections and targets, with victims nearing the thousands rather than the hundreds. This development preceded the latest reports that the group’s infrastructure, hosted by 4VPS, was affected by a data breach. The Gentlemen has since released a statement asserting that no critical data was exposed.

  • MuddyWater attempts to blend in with ransomware group Chaos: The state-sponsored Iranian threat actor MuddyWater claimed to be affiliated with Chaos ransomware, yet MuddyWater’s targets and operations do not match Chaos’ historical patterns of behavior. Chaos is a RaaS group that may be an offshoot of BlackSuit.

    For nearly a year, Chaos has primarily targeted organizations in the United States and has used ransomware to encrypt systems. MuddyWater, by contrast, has attacked government organizations and engaged in espionage. While researchers identified several cases where MuddyWater linked to Chaos’ DLS, and the threat actor operates command and control domains whose configurations match Chaos infrastructure, there is no evidence of an affiliate relationship or of MuddyWater deploying Chaos ransomware. MuddyWater is most likely associating itself with Chaos to camouflage the nature of its operations (long-term espionage).

  • Critical cPanel vulnerability exploited in ransomware campaigns: Threat actors are exploiting CVE-2026-41940, an authentication flaw, to gain privileged access to affected system components, including those associated with cPanel, WHM (Web Host Manager), and WP2 (WordPress Squared). An attacker can then take control of the server, modify server settings, create accounts, and move files. The vulnerability affects all versions of cPanel and WHM after version 11.40, and WP Squared up to version 11.136.1.6.

    Organizations are advised to review vendor correspondence for patching recommendations and to run the currently available detection script to check their environment for indicators of compromise.

  • Two former cybersecurity professionals receive prison sentences for their roles in ALPHV’s operations: The U.S. Department of Justice announced that former incident response manager Ryan Goldberg and former ransomware negotiator Kevin Martin each pleaded guilty to one count of conspiracy to obstruct, delay, or affect commerce or the movement of any article or commodity in commerce by extortion. Both received four-year sentences for aiding ALPHV in extorting victims of ransomware attacks that occurred between April and October 2023. Goldberg and Martin also collaborated with another individual in the U.S., Angelo Martino, and paid ALPHV administrators to secure access to the RaaS platform and other malware. Martino will be sentenced later this year.

Top 10 Ransomware Families

Here are the current Top 10 ransomware groups.

The Bitdefender Threat Debrief analyzes data from ransomware data leak sites, where groups publicize their claimed number of compromised organizations. This approach provides valuable insights into the overall activity of the RaaS market. However, there is a trade-off: while it reflects attackers' self-proclaimed success, the information comes directly from criminals and may be unreliable. Additionally, this method captures the number of victims claimed, not the actual financial impact of these attacks.

Top 10 Most Attacked Regions

Here are the 10 regions most frequently attacked with ransomware for April 2026.


Thailand rejoins the Top 10 Regions: In April, Israel fell out of the Top 10 region rankings and Thailand claimed the number 10 position. The Gentlemen remains one of the leading ransomware groups attacking organizations based in Thailand, with a larger share of its victims in that region than other groups have.

Ransomware gangs prioritize targets where they can potentially squeeze the most money out of their victims. In many cases, this means focusing on developed countries with higher projected growth rates. Threat actors may also execute strategic attacks that unfold during geopolitical conflicts or periods of social unrest.

Top 10 Most Attacked Industries

Here are the Top 10 industries affected by ransomware attacks during April 2026.


The Top 10 Industries findings have followed a similar pattern month to month, with manufacturing taking the lead and industries like technology, healthcare, and construction ranking in close succession. The government industry has returned to the Top 10 ranking for the second time this year.

Ransomware gangs may target organizations in critical infrastructure sectors, select organizations that offer consumer-facing services, or attack organizations that fall into both categories. Understanding the trends and ramifications for specific industries, and how specialized services and clientele are affected, is crucial for assessing risk.

Monthly MDR Insights

As part of each month’s Threat Debrief, the Bitdefender MDR team shares insights and consolidates key findings captured from real-world incidents.

In April 2026, the MDR team found that significant hallmarks of threat actor activity included:

  • Compromised credentials via RDP/VPN
  • Credential dumping through mechanisms like LSASS, NTDS, and LSA secrets
  • Ransomware deployment attempts and data staging (SMB propagation and the use of archiving tools)
  • Social engineering leading to user-executed compromise

The MDR team also shared several key observations after analyzing patterns across multiple incidents:

“Attackers authenticate first, then escalate to the next phase to prepare for execution. Ransomware isn’t (run) in an instant; instead, it’s staged. Gaps in the visibility of the environment (e.g. any offline systems) limit a technology’s ability to detect key stages of an attack. MDR can stop it early if there’s sufficient visibility.”

Bitdefender MDR technology:

  • Detects unauthorized access using valid credentials
  • Detects NTDS dumping, mimikatz, and privilege escalation attempts
  • Blocks SMB propagation and staging activity
  • Can contain social engineering compromise and data staging
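The four hallmarks the MDR team lists (valid-credential RDP logons, credential dumping via LSASS/NTDS/LSA secrets, SMB propagation with archiving for staging, and the user-executed compromise that precedes them) each leave a recognisable trace in Windows Security and Sysmon telemetry. The following is an added, illustrative detector written for this debrief, not Bitdefender MDR code: it runs four simple rules over a handful of constructed events (assumed to be already normalized into dicts from event IDs 4624, 5140, and Sysmon 1/10). Thresholds, the allow-list of processes permitted to open LSASS, and the sample data are assumptions; the point is the shape of the logic, not the numbers.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from pathlib import PureWindowsPath

# Constructed sample telemetry for the demo (assumption: events already normalized from
# Windows Security 4624/5140 and Sysmon 1/10). None of this is real customer data.
SAMPLE_EVENTS = [
    {"ts": 1000, "event_id": 4624, "host": "srv-rdp01", "user": "j.doe", "logon_type": 10, "src_ip": "203.0.113.45"},
    {"ts": 1005, "event_id": 4624, "host": "srv-rdp01", "user": "svc_backup", "logon_type": 10, "src_ip": "10.0.0.7"},
    {"ts": 1100, "event_id": 1, "host": "dc01", "user": "j.doe", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil "ac i ntds" ifm "create full C:\temp\x" q q'},
    {"ts": 1150, "event_id": 10, "host": "ws-12", "user": "j.doe", "source_image": r"C:\Users\j.doe\tool.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
    {"ts": 1200, "event_id": 10, "host": "ws-12", "user": "SYSTEM", "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1400},
    # One workstation connecting to ADMIN$ on twelve different hosts inside a minute
    *[{"ts": 1300 + i, "event_id": 5140, "host": f"ws-{i:02d}", "user": "j.doe",
       "src_ip": "10.0.0.55", "share": r"\\*\ADMIN$"} for i in range(12)],
    {"ts": 1400, "event_id": 1, "host": "fs01", "user": "j.doe", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z a -pSecret C:\temp\out.7z \\fs01\finance"},
]

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
NTDS_DUMP_MARKERS = ("ntdsutil", "vssadmin create shadow", "reg save hklm\\security", "reg save hklm\\sam")
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}  # assumed baseline
ARCHIVERS = {"7z.exe", "rar.exe", "winrar.exe"}
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory


def detect_external_rdp(events):
    """Logon type 10 (RemoteInteractive) from outside RFC 1918 space: valid creds, wrong place."""
    hits = []
    for e in events:
        if e.get("event_id") == 4624 and e.get("logon_type") == 10:
            ip = ip_address(e["src_ip"])
            if not any(ip in net for net in INTERNAL_NETS):
                hits.append(("external_rdp_logon", e["host"], e["user"], e["src_ip"]))
    return hits


def detect_credential_dumping(events):
    """NTDS / LSA-secrets dumping by command line, and LSASS handles with VM_READ from unknown images."""
    hits = []
    for e in events:
        if e.get("event_id") == 1:
            cmd = e.get("cmdline", "").lower()
            if any(marker in cmd for marker in NTDS_DUMP_MARKERS):
                hits.append(("ntds_or_lsa_dump", e["host"], e["user"], PureWindowsPath(e["image"]).name))
        elif e.get("event_id") == 10:
            target = PureWindowsPath(e["target_image"]).name.lower()
            source = PureWindowsPath(e["source_image"]).name.lower()
            if target == "lsass.exe" and e["granted_access"] & PROCESS_VM_READ and source not in LSASS_ALLOWLIST:
                hits.append(("lsass_memory_read", e["host"], e["user"], source))
    return hits


def detect_smb_spray(events, threshold=10, window=60):
    """One source touching admin shares on >= threshold distinct hosts within `window` seconds."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("event_id") == 5140 and e.get("share", "").endswith("$"):
            by_src[e["src_ip"]].append((e["ts"], e["host"]))
    hits = []
    for src, items in by_src.items():
        items.sort()
        for i, (t0, _) in enumerate(items):  # sliding window over sorted timestamps
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                hits.append(("smb_admin_share_spray", src, len(hosts)))
                break
    return hits


def detect_archive_staging(events):
    """Archiver launched against a UNC path or with a password switch: typical pre-exfil staging."""
    hits = []
    for e in events:
        if e.get("event_id") != 1:
            continue
        image = PureWindowsPath(e["image"]).name.lower()
        cmd = e.get("cmdline", "")
        if image in ARCHIVERS and ("\\\\" in cmd or " -p" in cmd):
            hits.append(("archive_staging", e["host"], e["user"], image))
    return hits


def run_all(events):
    """Run every rule and return the combined alert list in detector order."""
    alerts = []
    for detector in (detect_external_rdp, detect_credential_dumping, detect_smb_spray, detect_archive_staging):
        alerts.extend(detector(events))
    return alerts


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

Each rule corresponds to one stage of the staged intrusion the MDR quote describes, and each depends on telemetry from the host in question: an offline or unmonitored machine produces no 5140 or Sysmon events, which is exactly the visibility gap the team warns about. In practice the allow-list and thresholds would be tuned from the environment's own baseline rather than hard-coded.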

Visit our MDR page and read the Bitdefender Ransomware white paper for more information on how to protect against ransomware.

Watch & Read Ctrl-Alt-DECODE

This research is part of Ctrl-Alt-DECODE, Bitdefender’s newly established threat intelligence initiative. 

  1. Subscribe to the Newsletter: Get exclusive threat intelligence, original research, and actionable advisories directly from Bitdefender Labs and MDR teams:
    https://www.linkedin.com/newsletters/7371216616015036416/

  2. Watch the Live Series: See expert ransomware analysis and ask your questions, live, on our next Ctrl-Alt-DECODE episode (or catch up with our previous episodes)


About Bitdefender Threat Debrief

The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. Don’t miss the next BDTD release, subscribe to the Business Insights blog, and follow us on X. You can find all previous debriefs here.

Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 180 technology brands have licensed and added Bitdefender technology to their product or service offerings. This vast OEM ecosystem complements telemetry data already collected from our business and consumer solutions. To give you some idea of the scale, Bitdefender Labs discover 400+ new threats each minute and validate 30 billion threat queries daily. This gives us one of the industry’s most extensive real-time views of the evolving threat landscape.

We would like to thank Bitdefender’s Stefan Hanu, Mihai Leonte, Gabriel Macovei, Andrei Mogage, and Nikki Salas for their help putting this report together.