This edition of the Bitdefender Threat Debrief covers the latest developments in the ransomware threat landscape, including a feud between 0APT and KryBit, updates on The Gentlemen’s ransomware, an APT masquerading as a ransomware group, and more.
As ransomware continues to evolve, our goal with this monthly Bitdefender Threat Debrief is to help you stay ahead of the curve. To do this, we combine information from openly available sources (OSINT) – things like news reports and research – with data we gather by analyzing Data Leak Sites (DLSs), websites where ransomware groups post details about their victims. It is important to remember that we can't independently verify all of these claims but are confident in the trends we see over time.
For this month's report, we analyzed data from April 1 to April 30 and recorded a total of 725 claimed ransomware victims.
In April, ransomware group 0APT, notorious for running a fake ransomware operation, breached KryBit group’s infrastructure. The group extracted information from KryBit’s RaaS panel that included staff names and account credentials, cryptocurrency wallet addresses, location data, ransom-negotiation correspondence, and more.
0APT threatened to expose KryBit, claiming that they would leak the affiliate list and other data to the FBI. 0APT’s plan, however, backfired when KryBit breached 0APT’s infrastructure, locking out 0APT staff, and leaking data that validated previous reports of 0APT running a faux ransomware operation.
KryBit is a ransomware group that emerged a couple of months ago. The group has claimed more than 25 victims to date, spread across several regions, including the United States, Germany, Austria, and Turkey.
KryBit operates under a Ransomware-as-a-Service business model. Affiliates who join their affiliate program keep 80% of profits from ransom payments. And, according to KryBit, their affiliates also receive access to encryptors compatible with ESXi, Linux, and Windows environments and 24/7 technical support.
0APT threatened to extort KryBit for $2 million, and KryBit responded by breaching 0APT’s infrastructure and exposing them as an imposter ransomware group. While it was evident from past reports, it became far clearer amidst the KryBit leak that 0APT did not have the capabilities or infrastructure to support a ransomware operation or hundreds of claimed attacks.
KryBit leaked logs indicating that the system used to manage 0APT’s site was incapable of these attacks, because it was a Droid mobile phone equipped with Parrot OS that was running off an SD card. This is a stark contrast to the resources most threat actors invest in, which are typically a mix of dedicated Linux servers and cloud-based services.
It was also revealed that any download links added to 0APT’s data leak site were falsified, as clicking on an archive would simply pipe random data to a preset path. KryBit ultimately compromised 0APT’s site, locking out staff. 0APT has yet to make any public comments on KryBit’s breach or re-emerge with updates on their activity.
While KryBit’s infrastructure remains active, data leaked from KryBit’s RaaS admin panel was still exposed. This data included the names of admins and affiliates, as well as victim lists and account credentials.
This places KryBit at significant risk as this information could increase the odds of a law enforcement takedown. When a ransomware group feels this kind of pressure, their operations typically slow. There may be a lull in their activity followed by an attempt to rebrand.
KryBit also took a devastating reputational hit, as 0APT is not considered a capable, top-tier threat actor, yet it still exfiltrated KryBit’s data. As a result, KryBit’s standing is likely tarnished in the eyes of current rivals and potential affiliates.
Live Discussion: Ask questions about this ransomware feud and explore other recent ransomware developments during our live discussion on Ctrl-Alt-DECODE, Bitdefender’s newly established threat intelligence initiative.
Now, let’s explore the notable news and findings since the last Threat Debrief.
Here are the current Top 10 ransomware groups.
Here are the 10 regions most frequently attacked with ransomware for April 2026.
Thailand rejoins the Top 10 Regions: In April, Israel fell out of the Top 10 regions and Thailand claimed the number 10 position. The Gentlemen remains one of the leading ransomware groups attacking organizations based in Thailand, with a larger share of its victims in that region than other groups.
Ransomware gangs prioritize targets where they can potentially squeeze the most money out of their victims. In many cases, this means focusing on developed countries with higher projected growth rates. Threat actors may also execute strategic attacks that unfold during geopolitical conflicts or periods of social unrest.
Here are the Top 10 industries affected by ransomware attacks during April 2026.
The Top 10 Industries findings have followed a similar pattern month to month, with manufacturing taking the lead and industries like technology, healthcare, and construction ranking in close succession. The government industry has returned to the Top 10 ranking for the second time this year.
Ransomware gangs may target organizations in critical infrastructure sectors, select other organizations that offer services tailored to consumers, or attack organizations that fall into both categories. Understanding the trends and ramifications of specific industries, and how specialized services and clientele are affected, is crucial for assessing risk.
As part of each month’s Threat Debrief, the Bitdefender MDR team shares insights and consolidates key findings captured from real-world incidents.
In April 2026, the MDR team found that significant hallmarks of threat actor activity included:
The MDR team also shared several key observations after analyzing patterns across multiple incidents:
“Attackers authenticate first, then escalate to the next phase to prepare for execution. Ransomware isn’t (run) in an instant; instead, it’s staged. Gaps in the visibility of the environment (e.g. any offline systems) limit a technology’s ability to detect key stages of an attack. MDR can stop it early if there’s sufficient visibility.”
Bitdefender MDR technology:
Visit our MDR page and read the Bitdefender Ransomware white paper for more information on how to protect against ransomware.
This research is part of Ctrl-Alt-DECODE, Bitdefender’s newly established threat intelligence initiative.
The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. Don’t miss the next BDTD release: subscribe to the Business Insights blog and follow us on X. You can find all previous debriefs here.
Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 180 technology brands have licensed and added Bitdefender technology to their product or service offerings. This vast OEM ecosystem complements the telemetry data already collected from our business and consumer solutions. To give you some idea of the scale, Bitdefender Labs discovers 400+ new threats each minute and validates 30 billion threat queries daily. This gives us one of the industry’s most extensive real-time views of the evolving threat landscape.
We would like to thank Bitdefenders Stefan Hanu, Mihai Leonte, Gabriel Macovei, Andrei Mogage, and Nikki Salas for their help putting this report together.