0APT Ransomware Group Claims 200 Victims but Fails to Deliver Any Real Data

A new ransomware operation called 0APT surfaced on the dark web in late January 2026, claiming over 200 breached organizations within its first week.

The group established a professional data leak site on a vanity TOR domain and marketed itself as Ransomware-as-a-Service to recruit affiliates.

However, security researchers quickly determined that nearly all claimed victims were fabricated, with no genuine stolen data available. The operation appears designed to defraud aspiring cybercriminals rather than extort legitimate organizations.

The 0APT group built elaborate infrastructure including a data leak site powered by NGINX servers, a functional RaaS panel, and chat systems for negotiations.

Each victim listing displayed file trees supposedly containing gigabytes of corporate data. When researchers tried downloading files, they discovered impossibly large sizes exceeding 4GB for file trees that should measure only kilobytes.

Downloads automatically terminated after five minutes. THE RAVEN FILE analysts identified this as a deliberate deception tactic creating the illusion of successful breaches without delivering real information.

Multiple cybersecurity firms including GuidePoint Security, Halcyon, and SOCRadar investigated and found no evidence that listed organizations suffered actual breaches.

Operation center (Source - The Raven File)

Some claimed victims like Epworth HealthCare publicly stated they found no compromise.

Researchers discovered 0APT listed fictional entities such as “Metropolis City Municipal” inspired by DC Comics. The group’s claim rate far exceeded established ransomware operations, with reports showing 91 victims added in two days.

The RaaS Panel Deception Strategy

The operation’s true purpose emerged when researchers accessed the RaaS panel. The platform allowed affiliates to generate five ransomware samples per account, supporting Windows, Linux, and macOS.

Windows executables compiled using Rust measured 5.6MB, while Linux binaries were 1.3MB. These samples utilized encryption algorithms including AES256, Salsa20/ChaCha, and the rare Speck cipher associated with AI-generated code.

0APT RaaS Panel (Source - The Raven File)

Generated ransomware appends the .0apt extension and drops README0apt.txt containing unique victim identifiers.

Security Check (Source - The Raven File)

The operation recruited affiliates through prominent “JOIN RAAS” notifications, collecting fees from cybercriminals believing they joined a successful ecosystem.

One actor reportedly defrauded interested criminals of at least $85,000. The panel featured payment tracking, negotiation chat, admin support, and technical documentation.

While the malware functions when executed, the entire victim list was engineered to attract paying affiliates.

Security teams should confirm breach claims through official channels before responding to ransom demands.

Without genuine ransom notes, encrypted files, or direct communication, leak site listings should be considered potentially fabricated.

Organizations are advised to monitor for 0APT indicators of compromise, as functional ransomware binaries remain in circulation.
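The on-host evidence the article names (the `.0apt` extension and the `README0apt.txt` note) can be checked with a short triage script when a leak-site claim needs confirming or refuting. This is an added example, not code from the article or the researchers it cites; the function names, the case-insensitive matching and the report layout are assumptions.

```python
import os
import sys
from collections import defaultdict
from datetime import datetime, timezone

# Indicators taken from the article: appended extension and ransom-note name.
ENCRYPTED_EXT = ".0apt"
NOTE_NAME = "README0apt.txt"


def scan_for_0apt(root):
    """Walk root and group 0APT artefacts by directory.

    Returns {dir: {"note": bool, "encrypted": [names], "first_seen": ISO UTC or None}}
    for every directory holding a ransom note or a file with the .0apt extension.
    """
    hits = defaultdict(lambda: {"note": False, "encrypted": [], "mtimes": []})
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            lower = name.lower()  # assumption: match case-insensitively
            is_note = lower == NOTE_NAME.lower()
            if not (is_note or lower.endswith(ENCRYPTED_EXT)):
                continue
            entry = hits[dirpath]
            if is_note:
                entry["note"] = True
            else:
                entry["encrypted"].append(name)
            try:
                entry["mtimes"].append(os.lstat(os.path.join(dirpath, name)).st_mtime)
            except OSError:
                pass  # file vanished or is unreadable; keep the name-based hit
    report = {}
    for d, e in hits.items():
        first = min(e["mtimes"]) if e["mtimes"] else None
        if first is not None:
            # Earliest artefact mtime is a rough lower bound for when encryption began.
            first = datetime.fromtimestamp(first, timezone.utc).isoformat()
        report[d] = {"note": e["note"], "encrypted": sorted(e["encrypted"]), "first_seen": first}
    return report


def confirmed_dirs(report):
    """Directories holding both the ransom note and encrypted files."""
    return sorted(d for d, e in report.items() if e["note"] and e["encrypted"])


if __name__ == "__main__":
    result = scan_for_0apt(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path in confirmed_dirs(result):
        print(path, len(result[path]["encrypted"]), result[path]["first_seen"])
```

An empty result on the hosts and shares named in a listing supports treating the claim as unverified; directories with only one of the two artefacts still deserve a manual look.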


The post 0APT Ransomware Group Claims 200 Victims but Fails to Deliver Any Real Data appeared first on Cyber Security News.

