SUBJECT PROFILE
KryBit is an emerging RaaS operation that launched in late March 2026, offering affiliates an aggressive 80/20 revenue split with cross-platform ransomware builders for Windows, Linux, ESXi, and NAS devices. The group posted 10 legitimate victims within its first two weeks and engaged in a high-profile ransomware turf war with rival group 0APT in April 2026, in which KryBit successfully hacked back, defaced 0APT's infrastructure, and exposed its full operational dataset — revealing that 0APT's 190+ claimed victims were entirely fabricated. Despite active affiliate operations and staged victim data (10–250GB per victim, ransom demands $40K–$100K), KryBit had collected zero ransom payments as of mid-April 2026 per leaked wallet data. The group employs structured double-extortion with shadow copy deletion and TOR-based leak infrastructure.
Financial extortion via RaaS affiliate model targeting enterprises globally
OPERATIONAL HISTORY
Double extortion (encryption + data leak); shadow copy deletion (vssadmin delete shadows /all /quiet); process injection; defense evasion via obfuscation and registry key manipulation; credential access; cross-platform builder (Windows/Linux/ESXi/NAS); TOR-based DLS; MITRE ATT&CK: T1490 Inhibit System Recovery, T1486 Data Encrypted for Impact, T1070 Indicator Removal
KNOWN INFRASTRUCTURE
TOR hidden services (.onion DLS); six .onion domains exposed in April 2026 0APT hack; Tox communication handles for operators and affiliates; RECOVER-README.txt ransom notes; .KRYBIT file extension; YARA rules published at ransomware.live (date 2026-05-04); no confirmed infostealer component
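DETECTION EXAMPLE (added here; not part of the original profile and not taken from the ransomware.live YARA rules)
The host-level artifacts named above (the vssadmin shadow-deletion command, RECOVER-README.txt notes, the .KRYBIT extension) can be correlated per host to triage endpoint telemetry. The event schema (host/type/cmdline/path), the severity tiers and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

NOTE_NAME = "recover-readme.txt"   # ransom note name from the profile
ENC_EXT = ".krybit"                # encrypted-file extension from the profile
# vssadmin[.exe] delete shadows, tolerant of case, full path, quoting, spacing
VSS_RE = re.compile(r'(?:^|[\\/"\s])vssadmin(?:\.exe)?"?\s+delete\s+shadows\b', re.I)

def is_shadow_delete(cmdline):
    return bool(VSS_RE.search(cmdline))

def file_indicator(path):
    # PureWindowsPath splits on both "\" and "/", so ESXi/NAS paths work too
    name = PureWindowsPath(path).name.lower()
    if name == NOTE_NAME:
        return "ransom_note"
    if name.endswith(ENC_EXT):
        return "encrypted_file"
    return None

def triage(events):
    """Return {host: (severity, sorted signal kinds)} for hosts with any hit."""
    hits = defaultdict(set)
    for ev in events:
        if ev["type"] == "process" and is_shadow_delete(ev["cmdline"]):
            hits[ev["host"]].add("shadow_delete")
        elif ev["type"] == "file":
            kind = file_indicator(ev["path"])
            if kind:
                hits[ev["host"]].add(kind)
    out = {}
    for host, kinds in hits.items():
        # Assumed tiers: correlated signals > single strong signal > lone extension
        sev = "high" if len(kinds) >= 2 else ("low" if kinds == {"encrypted_file"} else "medium")
        out[host] = (sev, sorted(kinds))
    return out

# Constructed sample telemetry (hypothetical hosts and paths)
SAMPLE_EVENTS = [
    {"host": "FS01", "type": "process", "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"host": "FS01", "type": "file", "path": r"C:\Shares\Finance\RECOVER-README.txt"},
    {"host": "FS01", "type": "file", "path": r"C:\Shares\Finance\q1.xlsx.KRYBIT"},
    {"host": "ESX02", "type": "file", "path": "/vmfs/volumes/ds1/app/app.vmdk.krybit"},
    {"host": "WS07", "type": "process", "cmdline": "vssadmin list shadows"},
    {"host": "WS09", "type": "process", "cmdline": r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'},
]

if __name__ == "__main__":
    for host, (sev, kinds) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {sev} {kinds}")
```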