The Weekly Breach Breakdown Podcast: Ransomware Groups Are Beefing, and Defenders Are Winning - S7E`17

Show Transcript

Welcome to the Identity Theft Resource Center's Weekly Breach Breakdown for June 5, 2026. I'm Tatiana Cuadras, Communications Assistant for the ITRC. Thanks to Sentilink for their continued support of the podcast and the ITRC. Each week, we break down the latest in data security and privacy, and this week, we have a story that's a little different. It's not about criminals targeting everyday people or businesses. It's about ransomware groups targeting each other. Grab your popcorn. 

According to a blog published by the Halcyon Ransomware Research Center, two ransomware groups, 0APT and KryBit, got into a public feud. And when it was all over, both sides had exposed each other's infrastructure, internal data, and operational secrets to the entire security community. Defenders everywhere got a front-row seat. 

Here's the background. Ransomware groups typically operate by breaking into organizations, stealing sensitive data, and then threatening to publish it unless a ransom is paid. They advertise their wins on dark web leak sites to pressure victims and build a reputation. It's a criminal business model, and like most businesses, reputation matters. 

That's exactly what makes 0APT's story stand out. Remember when I said reputation matters a few seconds ago? Well, back in January 2026, this ransomware group posted over 190 claimed victims on their leak site, which looked like a busy and successful operation. There was just one problem, researchers confirmed that not a single one of those organizations had actually been breached. 0APT was basically bluffing their way to credibility. In the cybercrime world, that's a bold move. It's also, apparently, a terrible one. 

KryBit, the other ransomware group, found out, and they were not impressed nor happy. They fired back by dumping 0APT's entire backend online, which includes internal files, operational records, and the code behind their whole setup. All of it available to the public. The access logs that were leaked are what proved the victims were fabricated in the first place, which is a bad look for 0APT. 0APT's leak site is now defaced and under KryBit's control, and 0APT is going to have to start from the ground up, with new infrastructure and a new identity just to have any real shot at getting back in the cybercriminal game. 

Now, here is the real news for us, when ransomware groups turn on each other, defenders win. Pretty surprising, right? Intelligence analyst Erika Totaro from the Halcyon Ransomware Research Center put it in these terms: gang feuds like this are actually a net positive for the security community. Getting an inside, unfiltered look at how these groups actually operate is exactly the kind of edge defenders don't usually get to see. To put this in relatable terms, imagine spending years trying to figure out how a magician pulled off a trick, searching everywhere and coming up empty, and then one day he posts a video breaking down every single secret. That's essentially what happened here. Now, It's clear that we can't count on ransomware groups self-destructing on a consistent schedule or a magician leaking all of his famous tricks, but when it happens? Take note and use it to your advantage. 

That said, let's be honest, the ransomware problem isn't going away anytime soon. If anything, it's getting bigger and a whole lot more creative. Researchers are tracking a major shift in how these attacks actually work, and it's worth paying attention to. More groups are dropping the "ransom" part altogether and going straight for your data, stealing it and threatening to leak it to the public with no encryption, no warning, just your data being taken from you and thrown out to the public eye.  

And while this particular story had some wins for the good guys, the bigger picture is still concerning. Ransomware-as-a-service operations are still an active threat, with new groups spinning up quickly and experienced ones constantly evolving. KryBit, for example, launched in late March 2026 and within its first two weeks already had 10 legitimate victims. Don’t let the drama between these two ransomware groups distract you, as there are plenty more groups just like them that are waiting for their next attack.  

The advice from researchers is this: 

Make sure that you are monitoring for unusual data exfiltration activity inside your network. 

Verify that your backups are tested and working. 

Make sure that you are strengthening your ransomware defenses.  

If you want to know more about how to protect your business or personal information, or think you have been the victim of identity theft, fraud, or a scam, you can speak with an expert ITRC advisor by phone or text at 888.400.5530, or live chat at www.idtheftcenter.org. 

Thanks again to Sentilink for their support of the ITRC and this podcast. Please hit the like button for this episode and subscribe wherever you listen to podcasts. I'm Tatiana Cuadras. Until then, thanks for listening.