Severity: MEDIUM
CVSS: 5.0
Priority: 0.150
Executive Summary
Two ransomware groups, 0APT and KryBit, turned on each other and publicly leaked each other's internal data, including command-and-control infrastructure, hosting details, and operational methods. This specific incident did not target commercial organizations, but the leaked infrastructure data gives defenders an uncommon window into active ransomware tooling and tradecraft. Organizations should treat this as defensive intelligence to pre-block attack infrastructure before 0APT and KryBit launch campaigns against commercial targets. Confidence in specific technical details remains low; this item is sourced from a single trade publication with no corroboration from CISA, MITRE, or other authoritative bodies at this time.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: MEDIUM (Medium severity — monitor and assess)
Actor Attribution: HIGH (0APT, KryBit)
TTP Sophistication: HIGH (7 MITRE ATT&CK techniques identified)
Detection Difficulty: HIGH (Multiple evasion techniques observed)
Target Scope: INFO (No specific products identified; exposure targets ransomware group infrastructure and operational tooling)
Are You Exposed?
⚠ Your industry is targeted by 0APT, KryBit → Heightened risk
⚠ No specific products or services are identified for this item; the exposure concerns ransomware group infrastructure and operational tooling → Assess exposure
⚠ 7 attack techniques identified — review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
This incident does not represent a direct attack on commercial organizations, so immediate operational disruption is unlikely. The primary business relevance is intelligence value: leaked ransomware infrastructure details, if corroborated, could help security teams pre-block active attack infrastructure before it is used in campaigns. Organizations without mature threat intelligence programs may not benefit from this disclosure at all, and should wait for actionable, verified indicators before committing operational resources.
You Are Affected If
Your organization is an active target of 0APT or KryBit based on prior threat intelligence or industry vertical profiling
Your threat intelligence program ingests and acts on unverified IOCs from trade publications without corroboration controls
Your environment has gaps in detecting Valid Accounts abuse (T1078) or infrastructure-based C2 communication (T1584, T1583)
Your incident response playbooks have not been tested against ransomware actor TTPs mapped in MITRE ATT&CK
Board Talking Points
Two criminal ransomware groups publicly exposed each other's attack infrastructure, giving defenders a rare but unverified look at active ransomware tooling.
Security teams should monitor for verified indicators from this incident and use the disclosed TTPs to test existing ransomware defenses this quarter.
No action is required today, but failure to validate ransomware detection coverage leaves the organization exposed if these groups redirect attacks toward commercial targets.
Technical Analysis
0APT and KryBit, two ransomware threat actors, engaged in a public retaliatory exchange that resulted in each group leaking the other's internal operational data.
Disclosed material reportedly includes command-and-control (C2) endpoints, hosting provider information, internal communication channel identifiers, and operational tradecraft details.
MITRE ATT&CK techniques associated with this actor profile include: Gather Victim Org Information (T1591), Compromise Infrastructure (T1584), Phishing (T1566), Acquire Infrastructure (T1583), Valid Accounts (T1078), Data Encrypted for Impact (T1486), and Gather Victim Network Information (T1590).
No CVE, CWE, or CVSS data applies to this incident; the source-assigned CVSS score of 5.0 is not a valid application of CVSS methodology and is not adopted here. No specific commercial products are confirmed affected. Primary sourcing is a single Dark Reading article (Tier 3); no independent corroboration from CISA, MITRE ATT&CK, or NVD has been identified. All specific technical claims should be treated as low-confidence pending corroboration.
Action Checklist (IR Enriched)
Triage Priority:
DEFERRED
Escalate from deferred to urgent if a corroborating source (CISA advisory, MITRE ATT&CK Group entry, or established TI vendor report) publishes IOCs that match hits in your firewall, DNS, or proxy logs from the past 90 days, or if your environment shows any indicator of T1486 (Data Encrypted for Impact) or T1490 (Inhibit System Recovery) activity coinciding with the 0APT or KryBit dwell window.
Step 1: Awareness. Flag this incident to your threat intelligence team for tracking. Assign an analyst to monitor for corroborating reporting from CISA, MITRE, or established threat intelligence vendors before actioning specific IOCs.
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Establishing IR capability and threat intelligence intake processes
NIST IR-4 (Incident Handling)
NIST IR-5 (Incident Monitoring)
NIST SI-5 (Security Alerts, Advisories, and Directives)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Create a tracking ticket or shared document capturing the Dark Reading article URL, date, threat actor names (0APT, KryBit), and a confidence rating of LOW (single uncorroborated source). Set a recurring 48-hour check against CISA Known Exploited Vulnerabilities catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), MITRE ATT&CK Group pages, and free threat intel feeds such as AlienVault OTX (otx.alienvault.com) filtered by 0APT or KryBit tags. Assign one analyst as DRI; document check-ins in the ticket.
Preserve Evidence
Before this step, capture the current state of your threat intel intake pipeline: screenshot or export any existing watchlist entries for 0APT or KryBit in your TIP or tracking system; note which IOC feeds your team currently subscribes to; and document the timestamp of first awareness so dwell-time calculations remain accurate if corroborated IOCs later match historical traffic.
Step 2: Detection. If any infrastructure indicators from the leaked data become available through corroborated sources, run them against firewall logs, DNS query logs, and proxy logs. Query for connections to any newly published C2 domains or IPs attributed to 0APT or KryBit. Do not action IOCs sourced solely from the single Dark Reading article without verification.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis: Correlating indicators across log sources and validating before escalation
NIST SI-4 (System Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-2 (Event Logging)
NIST IR-5 (Incident Monitoring)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Once IOCs are corroborated, run the following on a Linux log aggregation host: grep -Ff iocs.txt /var/log/named/queries.log for DNS hits; grep -Ff iocs.txt /var/log/squid/access.log for proxy hits; and grep -Ff iocs.txt /var/log/firewall/traffic.log for perimeter hits (adjust paths to your distro). On Windows, query DNS debug logs at C:\Windows\System32\dns\dns.log using Select-String -Path 'C:\Windows\System32\dns\dns.log' -Pattern '<C2_domain>'. Use Zeek or Wireshark PCAP replay to scan for beaconing patterns (periodic outbound connections at fixed intervals) characteristic of the C2 infrastructure leaked in this incident. Sigma rule category: network_connection to known-bad IP ranges.
Preserve Evidence
Before querying, preserve and hash (SHA-256) the following log files to maintain forensic integrity per NIST AU-9 (Protection of Audit Information): perimeter firewall session logs covering the past 90 days (ransomware actors may have pre-positioned weeks prior), DNS recursive query logs from your internal resolver showing any lookups matching 0APT or KryBit C2 hostnames, proxy or web gateway logs showing CONNECT or GET requests to suspicious hosting providers named in the leaked infrastructure data, and NetFlow or IPFIX records if available — these will show beaconing cadence even if payload is encrypted. Document the log collection timestamp before querying so any matches can be scoped to a reliable detection window.
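Added example (not code from the advisory or from any vendor tool): a Python scanner that does what the grep -Ff commands in Step 2 do, but matches domains only on exact or parent-domain boundaries (grep -F substring matching would also flag unrelated names such as notc2-panel.example) and checks addresses against both single IPs and CIDR ranges. The IOC values and the BIND and Squid log lines are constructed samples; the one-indicator-per-line feed format is an assumption.

```python
import ipaddress
import re

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed IOC feed (sample values, not real 0APT/KryBit infrastructure):
# domains, single addresses and CIDR ranges, one per line.
IOC_TEXT = "c2-panel.example\n198.51.100.23\n203.0.113.0/24\n"
# Constructed log lines in BIND query-log and Squid access-log formats.
DNS_LOG = """\
28-Apr-2026 09:14:02.117 client @0x7f3c 10.0.0.5#51234 (www.c2-panel.example): query: www.c2-panel.example IN A + (10.0.0.1)
28-Apr-2026 09:14:05.442 client @0x7f3c 10.0.0.6#51235 (notc2-panel.example): query: notc2-panel.example IN A + (10.0.0.1)
"""
SQUID_LOG = """\
1777367642.117    312 10.0.0.5 TCP_TUNNEL/200 4021 CONNECT c2-panel.example:443 - HIER_DIRECT/198.51.100.23 -
1777367650.300     88 10.0.0.8 TCP_MISS/200 1210 GET http://cdn.corp.example/a.js - HIER_DIRECT/192.0.2.9 text/javascript
1777367699.008    455 10.0.0.9 TCP_TUNNEL/200 3300 CONNECT update.corp.example:443 - HIER_DIRECT/203.0.113.40 -
"""

def load_iocs(text):
    """Split an IOC feed into domain names, single IP addresses and CIDR networks."""
    domains, addrs, nets = set(), set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        try:
            if "/" in line:
                nets.append(ipaddress.ip_network(line, strict=False))
            else:
                addrs.add(ipaddress.ip_address(line))
        except ValueError:  # neither address nor network: treat as a domain
            domains.add(line.rstrip("."))
    return domains, addrs, nets

def domain_hit(host, domains):
    """Exact or parent-domain match only: www.c2-panel.example hits c2-panel.example,
    notc2-panel.example does not (a plain substring grep -F would flag it)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def ip_hit(addr, addrs, nets):
    """Exact address match or membership in any listed CIDR range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # regex matched something like 999.1.1.1
        return False
    return ip in addrs or any(ip in n for n in nets)

def scan(log_text, source, iocs):
    """Return (source, line number, indicator) for every IOC hit on a line,
    de-duplicated because BIND writes the queried name twice per entry."""
    domains, addrs, nets = iocs
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        matched = {h.lower() for h in DOMAIN_RE.findall(line) if domain_hit(h, domains)}
        matched |= {a for a in IPV4_RE.findall(line) if ip_hit(a, addrs, nets)}
        hits.extend((source, n, m) for m in sorted(matched))
    return hits

def run_all():
    iocs = load_iocs(IOC_TEXT)
    return scan(DNS_LOG, "dns", iocs) + scan(SQUID_LOG, "proxy", iocs)
```

Because candidates are extracted by regex rather than by column, the same scan() runs unchanged over firewall traffic logs.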
Step 3: Eradication. No specific patch or configuration remediation applies. If corroborated IOCs match activity in your environment, isolate affected hosts, revoke any potentially compromised credentials (T1078), and block identified C2 endpoints at the perimeter.
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication: Removing threat components and eliminating persistence mechanisms
NIST IR-4 (Incident Handling)
NIST AC-2 (Account Management)
NIST SI-3 (Malicious Code Protection)
CIS 5.3 (Disable Dormant Accounts)
CIS 5.4 (Restrict Administrator Privileges to Dedicated Administrator Accounts)
CIS 4.4 (Implement and Manage a Firewall on Servers)
Compensating Control
For host isolation without EDR: disconnect the NIC via Device Manager or run netsh interface set interface "Ethernet" admin=disable on Windows (cmd does not treat single quotes as quoting characters); for Linux use ip link set eth0 down. For credential revocation tied to T1078 (Valid Accounts), run on Active Directory: Disable-ADAccount -Identity <username> for each account that authenticated from the affected host in the 90 days prior. Block corroborated 0APT/KryBit C2 IPs and domains at the perimeter firewall using an explicit DENY rule, and add them to your DNS RPZ (Response Policy Zone) if running BIND or Windows DNS. Document every blocked IOC with the corroboration source and timestamp.
Preserve Evidence
Before isolating hosts, collect full memory images using open-source tools (WinPmem for Windows, LiME for Linux) to preserve in-memory indicators of 0APT or KryBit tooling — ransomware staging artifacts, injected shellcode, and C2 callback threads are volatile and lost on reboot. Capture a full process list (Get-Process | Export-Csv on Windows; ps auxf > processes.txt on Linux), active network connections (netstat -anob > netstat.txt on Windows; ss -antp > netstat.txt on Linux), and scheduled tasks (schtasks /query /fo CSV /v > tasks.csv on Windows; crontab -l and /etc/cron.d/ on Linux) before any remediation action. These artifacts will show whether 0APT or KryBit persistence mechanisms (common ransomware TTPs: scheduled tasks, service installs, registry run keys at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) are present.
Step 4: Recovery. If exposure is confirmed, validate endpoint integrity, review authentication logs for Valid Accounts abuse (T1078), and confirm backup integrity given the Data Encrypted for Impact (T1486) technique profile associated with these actors.
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery: Restoring systems, verifying integrity, and confirming threat has been removed
NIST IR-4 (Incident Handling)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST AU-11 (Audit Record Retention)
NIST AU-3 (Content of Audit Records)
CIS 3.4 (Enforce Data Retention)
CIS 5.1 (Establish and Maintain an Inventory of Accounts)
Compensating Control
Validate endpoint integrity using Sysinternals Sigcheck (sigcheck -e -u -s c:\windows\system32, which recursively scans executable images and lists the unsigned ones; the -t switch dumps certificate stores and does not scan a directory) to identify unsigned or tampered binaries that 0APT or KryBit tooling may have dropped. For backup integrity validation, compute SHA-256 hashes of backup catalog files and compare against pre-incident baselines before attempting any restore — ransomware actors using T1486 frequently target VSS (Volume Shadow Copies); verify VSS health with vssadmin list shadows on Windows. For T1078 authentication review, query Windows Security Event Log for Event ID 4624 (Successful Logon) and Event ID 4648 (Explicit Credential Use) filtered to accounts active on isolated hosts in the 90-day window preceding detection. On Linux, review /var/log/auth.log or /var/log/secure for sudo escalations and SSH logins from unexpected source IPs.
Preserve Evidence
Before restoring from backup, document the current state of all VSS snapshots (vssadmin list shadows > vss_inventory.txt) and verify they have not been deleted (a T1490 — Inhibit System Recovery indicator common to ransomware operators). Export Windows Security Event Log (Event IDs 4624, 4625, 4648, 4688, 4698) for the affected hosts covering the full suspected dwell period; these logs establish the authentication and execution timeline needed to scope credential revocation. Hash and archive these exports before restoration wipes them.
Step 5: Post-Incident. Use this event to test your ransomware playbook against the MITRE techniques mapped here. Validate that your detection stack covers T1584 (infrastructure compromise) and T1583 (acquired infrastructure), two techniques that are commonly under-detected in enterprise environments.
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: Lessons learned, detection improvement, and intelligence sharing
NIST IR-4 (Incident Handling)
NIST IR-3 (Incident Response Testing)
NIST IR-8 (Incident Response Plan)
NIST SI-4 (System Monitoring)
CIS 7.2 (Establish and Maintain a Remediation Process)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Run a tabletop exercise scoped to the 0APT/KryBit TTP profile: T1583 (Acquired Infrastructure), T1584 (Compromise Infrastructure), T1078 (Valid Accounts), T1486 (Data Encrypted for Impact), and T1490 (Inhibit System Recovery). Use free Sigma rules from the SigmaHQ repository (github.com/SigmaHQ/sigma) — search for rules covering proc_creation and net_connection categories mapped to ransomware staging. Deploy or tune Sysmon using the SwiftOnSecurity config (github.com/SwiftOnSecurity/sysmon-config) to ensure Event ID 3 (Network Connection) captures outbound connections to newly identified C2 infrastructure. Document detection gaps identified during the tabletop and assign owners with remediation timelines.
Preserve Evidence
Compile a post-incident artifact package before closing the ticket: the full IOC list with confidence ratings and corroboration sources, log query outputs from Step 2, account activity exports from Step 4, and a MITRE ATT&CK Navigator layer (https://mitre-attack.github.io/attack-navigator/) annotated with techniques observed or suspected in this incident. This package serves as the baseline for measuring detection improvement after playbook updates, and supports intelligence sharing with sector ISACs if 0APT or KryBit activity is later confirmed in your environment.
Recovery Guidance
If exposure to 0APT or KryBit infrastructure is confirmed, prioritize VSS and backup integrity validation before any restore operation, as ransomware operators using T1490 routinely destroy shadow copies to maximize impact. Monitor authentication logs (Windows Event IDs 4624, 4648; Linux /var/log/auth.log) for at least 30 days post-remediation for recurrence of T1078 Valid Accounts abuse, as credential reuse from a prior compromise is a common ransomware re-entry vector. Retain all collected forensic artifacts (memory images, log exports, network captures) for a minimum of 90 days in case corroborating intelligence later establishes a longer dwell period requiring scope revision.
Key Forensic Artifacts
DNS recursive query logs from internal resolvers: search for lookups to 0APT or KryBit C2 hostnames published in corroborated threat intelligence; ransomware actors using T1583/T1584 infrastructure typically use algorithmically generated or bulletproof-hosted domains resolvable only during active campaign windows.
Windows Security Event Log Event ID 4624 (Successful Logon) and 4648 (Explicit Credential Use): scope to accounts active on any host that made outbound connections to flagged IPs, covering 90 days prior to detection — T1078 Valid Accounts abuse is a primary initial access and lateral movement technique for both 0APT and KryBit based on the technique profile in this advisory.
Volume Shadow Copy inventory (vssadmin list shadows output): deletion of VSS snapshots is a near-universal indicator of ransomware pre-encryption staging (T1490 Inhibit System Recovery); absence of expected snapshots on affected hosts is itself a forensic artifact.
Perimeter firewall session logs and NetFlow/IPFIX records: look for periodic outbound connections (beaconing) at fixed intervals to IPs in hosting ranges associated with leaked 0APT or KryBit infrastructure; beaconing cadence analysis in Wireshark or Zeek is achievable without SIEM for a 2-person team.
Scheduled tasks and registry run keys: export schtasks /query /fo CSV /v output and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run from affected hosts — ransomware operators commonly install persistence via these mechanisms during the staging phase before encryption is triggered (T1053.005 Scheduled Task, T1547.001 Registry Run Keys).
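Added example serving the beaconing cadence analysis named in Step 2 and in the firewall/NetFlow artifact above (not code from the advisory, Zeek or Wireshark): flows are grouped by source, destination and port, and a group is flagged when its inter-connection gaps are nearly constant. The flow records, hosts and thresholds are constructed or assumed.

```python
import statistics
from collections import defaultdict

# Constructed flow records (epoch seconds, source IP, destination IP, destination
# port), standing in for NetFlow/IPFIX or firewall session exports:
#   10.0.0.5 -> 198.51.100.23:443 about every 300 s with small jitter (beacon-like)
#   10.0.0.8 -> 192.0.2.9:443 at irregular, user-driven intervals
#   10.0.0.9 -> 203.0.113.40:8443 only three times (too few to judge)
BASE = 1_777_367_600
BEACON_TIMES = [0, 302, 598, 901, 1199, 1503, 1797, 2102]
USER_TIMES = [0, 17, 19, 250, 251, 900, 1320, 1321, 1322, 2000]
SPARSE_TIMES = [0, 600, 1200]
FLOWS = (
    [(BASE + t, "10.0.0.5", "198.51.100.23", 443) for t in BEACON_TIMES]
    + [(BASE + t, "10.0.0.8", "192.0.2.9", 443) for t in USER_TIMES]
    + [(BASE + t, "10.0.0.9", "203.0.113.40", 8443) for t in SPARSE_TIMES]
)


def cadence(timestamps):
    """Mean gap between consecutive connections and its coefficient of
    variation (stdev / mean); a CV near zero means a near-constant period."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if not gaps:
        return 0.0, float("inf")
    mean = statistics.mean(gaps)
    return mean, (statistics.pstdev(gaps) / mean if mean else float("inf"))


def find_beacons(flows, min_flows=6, max_cv=0.2):
    """Group flows by (src, dst, dport) and flag groups whose gaps are nearly
    constant. min_flows and max_cv are assumed starting thresholds; tune them
    against your own baseline, since updaters and agents that poll on a fixed
    schedule will surface here too and need to be allow-listed."""
    groups = defaultdict(list)
    for ts, src, dst, dport in flows:
        groups[(src, dst, dport)].append(ts)
    findings = []
    for (src, dst, dport), times in groups.items():
        if len(times) < min_flows:
            continue
        mean, cv = cadence(times)
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "count": len(times), "period_s": round(mean),
                             "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(FLOWS):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} every ~{f['period_s']} s "
              f"({f['count']} flows, cv={f['cv']})")
```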
Detection Guidance
No verified IOCs are available from authoritative sources at this time.
If corroborated C2 indicators are published by CISA or credible threat intelligence vendors, query DNS logs for resolution of associated domains, firewall logs for outbound connections to associated IPs, and EDR telemetry for process behavior consistent with T1486 (mass file writes, rapid file extension changes, backup or system file deletion) or T1078 (credential use from atypical endpoints or times).
Monitor CISA's Known Exploited Vulnerabilities catalog and MITRE ATT&CK for any updates attributing specific infrastructure to 0APT or KryBit.
Until corroboration exists, treat any published IOCs from this incident as low-confidence and verify before blocking to avoid false positives.
Indicators of Compromise (1)
1 domain
Type: DOMAIN
Value: [not available — no verified IOCs published by authoritative sources at this time]
Context: Leaked C2 infrastructure from 0APT/KryBit conflict — awaiting corroboration before actionable IOCs can be reported
Confidence: LOW
Platform Playbooks: Microsoft Sentinel / Defender, CrowdStrike Falcon, AWS Security
Microsoft 365 E3 (3 log sources): Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
Microsoft 365 E5 (18 log sources): Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel (27 log sources): All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
Query legend: Hard indicator (direct match); Contextual (behavioral query); Shared platform (review required)
MITRE ATT&CK Hunting Queries (3)
Sentinel rule: Phishing email delivery
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Sentinel rule: Sign-ins from unusual locations
SigninLogs
| where TimeGenerated > ago(7d)
// ResultType is a string column in SigninLogs; "0" is a successful sign-in
| where ResultType == "0"
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
Sentinel rule: Ransomware activity
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileRenamed"
// KQL has no endswith_any operator; match the extension list with a regex instead
| where FileName matches regex @"(?i)\.(encrypted|locked|crypto|crypt|enc|ransom)$"
| summarize RenamedFiles = count() by DeviceName, InitiatingProcessFileName, bin(Timestamp, 5m)
| where RenamedFiles > 20
| sort by RenamedFiles desc
Falcon API IOC Import Payload (1 indicator)
POST to /indicators/entities/iocs/v1 — Weak/benign indicators pre-filtered. Expiration set to 90 days.
[
{
"type": "domain",
"value": "[not available \u2014 no verified IOCs published by authoritative sources at this time]",
"source": "SCC Threat Intel",
"description": "Leaked C2 infrastructure from 0APT/KryBit conflict \u2014 awaiting corroboration before actionable IOCs can be reported",
"severity": "medium",
"action": "no_action",
"platforms": [
"windows",
"mac",
"linux"
],
"applied_globally": true,
"expiration": "2026-07-28T00:00:00Z"
}
]
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1591, T1584, T1566, T1583, T1078, T1486 (+1 more)
NIST SP 800-53: AT-2, CA-7, SC-7, SI-3, SI-4, SI-8 (+7 more)
MITRE ATT&CK Mapping
T1591 Gather Victim Org Information (tactic: reconnaissance)
T1584 Compromise Infrastructure (tactic: resource-development)
T1566 Phishing (tactic: initial-access)
T1583 Acquire Infrastructure (tactic: resource-development)
T1078 Valid Accounts (tactic: defense-evasion)
T1486 Data Encrypted for Impact (tactic: impact)
T1590 Gather Victim Network Information (tactic: reconnaissance)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.