Krybit
KryBit is a newly identified ransomware-as-a-service (RaaS) operation and ransomware gang. Known alias: krybit / KryBit. Available reporting describes it as a nascent, less well-documented group that may have been active for only a few weeks at the time of reporting; no major threat intelligence or cybersecurity organization had yet published a dedicated report on it. The group was mentioned among active ransomware groups generating victims across multiple sectors, including education and healthcare.
Reporting also describes a public conflict between KryBit and rival ransomware group 0APT. In one phase of that dispute, 0APT claimed to have stolen KryBit data, threatened to expose people affiliated with KryBit, and leaked a sample that Barricade Cyber Solutions said contained plaintext credentials belonging to KryBit operators and affiliates, as well as five cryptocurrency wallet addresses. Barricade Cyber Solutions also reported finding no evidence of a paid ransom in the leaked sample. KryBit's website was reported down at the time, showing a temporary maintenance-style splash page.
In a subsequent reported retaliation, KryBit allegedly compromised 0APT and exposed 0APT’s operational information, including access logs, system files, and PHP source code. Reporting characterizes this as criminal-on-criminal infighting within the ransomware ecosystem. No nation-state attribution is provided.
Tradecraft
3 distinct techniques observed across reporting, grouped by tactic.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Named as an active ransomware group operating during the period discussed, contributing to frequent victimization across sectors including education and healthcare.
A newly identified ransomware-as-a-service operation that retaliated against 0APT by compromising its infrastructure and exposing operational information.
A ransomware gang whose internal data, including operator and affiliate credentials and cryptocurrency wallet addresses, was allegedly stolen and leaked by 0APT.
A lesser-documented ransomware group targeted by 0APT. The leaked data allegedly included plaintext credentials and cryptocurrency wallet addresses belonging to Krybit operators and affiliates.