Ransomware groups frequently emerge, striving for prominence in a competitive landscape marked by constant change and internal conflicts. It is uncommon, however, for a group to debut as 0APT recently did, by claiming approximately 200 victims at once.
To date, researchers have found no proof that 0APT actually attacked any of its claimed victims, which include prominent organizations. The alleged victim data samples and the structure of placeholder file trees released by 0APT further raise questions about the group’s purported criminal activities.
While most indications point to a large-scale deception by the group, part of the threat 0APT poses is real. The group’s exaggerated claims might be a tactic to build momentum, achieve recognition, and draw in affiliates.
Cynthia Kaiser, senior vice president at Halcyon’s ransomware research center, stated that “While 0APT is probably bluffing about the victims it has already compromised, it is not bluffing on the technical capabilities of its actual ransomware.”

The group’s infrastructure is robust, featuring cryptographically strong and functional ransomware binaries, distinct code, and an organized affiliate panel. Even if most claimed victims are deemed fabricated by researchers, the core ransomware payload presents a real danger to any organization that encounters it.
The group’s extravagant claims highlight the chaotic nature of the ransomware landscape, where both researcher attention and widespread fear among potential victims—whether real or perceived—benefit criminal organizations vying for influence and collaborators.
0APT’s rapid emergence, claiming approximately 200 organizations as victims within its initial week online, drew the attention of several ransomware research firms. This led to reports from Halcyon and GuidePoint Security this week.
Researchers widely view the group’s initial assertions as deceptive. A similar pattern of claiming numerous victims without evidence was observed last year with other ransomware groups, such as Babuk2 and FunkSec, both of which later went on to list victims that were verified.
Kaiser noted that “After those initial fake lists, legitimate victims began to appear as the groups attracted affiliates and evolved into fully functional ransomware-as-a-service organizations.”
Researchers at GuidePoint acknowledge that 0APT has the potential to become a serious issue, though they are more skeptical of the group’s current capabilities.
Justin Timothy, a principal threat intelligence consultant at GuidePoint, stated that 0APT’s encryptor is not particularly unique or remarkable compared to other ransomware.
He explained that “The ransomware encryptor is only one piece of the attack kill chain. Threat actors still need to be able to obtain initial access, escalate privilege, and move laterally, all while evading detection and endpoint detection and response. These aspects often require more skill and technical knowledge than creating encryption malware.”
Although 0APT might be operating a scam, it does not seem to be a temporary or unsophisticated operation.
According to Halcyon, the group’s alleged victims are opportunistically chosen, primarily from critical infrastructure and data-intensive sectors. Most of the claimed victims are located in the United States, with top targeted sectors including healthcare, professional services, technology, transportation and logistics, energy, and manufacturing.
0APT has continuously adjusted its list of alleged victims on its data-leak site. The site briefly went offline before reappearing earlier this week with a significantly reduced victim count.
Kaiser suggested that “The group’s early claims appear to focus more on gaining visibility and momentum, believing those will recruit affiliates faster than validity.”
While attracting affiliates and attention for future operations might motivate some of 0APT’s actions, cybercriminals often criticize such tactics once their deceptions are exposed, according to Jason Baker, a managing security consultant of threat intelligence at GuidePoint.
Baker commented that “That strategy was almost certainly shortsighted and undermined by 0APT’s fabrications, which render them an unattractive partner or destination for affiliates going forward. After all, if they’re willing to lie this brazenly about their victims and capabilities, why wouldn’t they lie to their affiliates as well?”
The composition of 0APT remains unknown, lacking any clear connection or similarity to other ransomware variants. However, the group is financially driven and communicates very aggressively, Kaiser noted.
She added, “While the operators appear to not be novices, there is no evidence of who is running the group or its exact origins.”
Halcyon, currently conducting technical analysis on the group, maintains that 0APT presents a genuine threat and will eventually target legitimate victims.
Kaiser stated, “Given that they are attracting attention and operating a capable encryptor, the potential is high that real victims may soon appear.” A strategic rebrand, such as removing all fabricated victims and beginning to list actual ones, even if only a few, would strongly indicate the group’s evolution into a serious operation.