0APT ransomware group rises swiftly with bluster, along with genuine threat of attack

By primereports, February 12, 2026


Ransomware groups crop up like weeds, angling for striking positions in a crowded field rife with turnover, infighting and unbridled competition. Yet, they rarely emerge, as 0APT did late last month, claiming roughly 200 victims out of the gate.

Researchers have thus far seen no evidence confirming 0APT attacked any of its alleged victims, which include high-profile organizations. Alleged victim data samples and the structure and size of placeholder file trees published by 0APT cast further doubt on the group’s supposed criminal escapades.

Most signs suggest the group is running a massive hoax, but at least some of the threat 0APT poses is grounded in truth. The group’s inflated pretense may be a ruse to create a sense of momentum, gain recognition and attract affiliates.

“While 0APT is probably bluffing about the victims it has already compromised, it is not bluffing on the technical capabilities of its actual ransomware,” Cynthia Kaiser, senior vice president at Halcyon’s ransomware research center, told CyberScoop.

0APT’s infrastructure is sound, including cryptographically strong and fully operational ransomware binaries, unique code and a well organized panel for affiliates, she said. “Even if researchers assess most claimed victims as fabricated, the underlying ransomware payload represents genuine risk to any organization that encounters it.”

The group’s outlandish claims accentuate the messy state of ransomware, with researcher interest and widespread fear among potential victims — perceived or real — delivering benefits for criminal syndicates that compete for mindshare and co-conspirators.

0APT’s apparent swift rise with a massive alleged victim count that hovered around 200 organizations within its first week online caught the attention of multiple ransomware research firms, resulting in reports this week by Halcyon and GuidePoint Security.

Researchers roundly consider the group’s initial claims an act of deception. This pattern of claiming a high number of victims without substantiating evidence surfaced last year with other ransomware groups, including Babuk2 and FunkSec, which eventually disclosed confirmed victims.

“After those initial fake lists, we started to see legitimate victims as the gangs attracted affiliates and matured into fully functioning ransomware-as-a-service organizations,” Kaiser said.

GuidePoint researchers acknowledge 0APT could evolve into a genuine problem, but they are more dismissive of the group’s capabilities. 

Justin Timothy, principal threat intelligence consultant at GuidePoint, said 0APT’s encryptor isn’t unique or noteworthy amongst its ransomware peers.

“The ransomware encryptor is only one piece of the attack kill chain,” he said. “Threat actors still need to be able to obtain initial access, escalate privilege, and move laterally all while evading detection and endpoint detection and response. These aspects can often take more skill and technical knowledge compared to the creation of encryption malware.”

While 0APT might be running a scam, it doesn’t appear to be a fly-by-night operation. 

The group’s alleged victims are opportunistic and predominantly operate in critical infrastructure and data-rich sectors, according to Halcyon. Most of the claimed victims are based in the United States, and the top sectors targeted include health care, professional services, technology, transportation and logistics, energy and manufacturing. 

0APT has been consistently adding and removing alleged victims from its data-leak site, which went offline briefly before returning earlier this week with a much lower victim count.

“The group’s early claims appear to focus more on gaining visibility and momentum, believing those will recruit affiliates faster than validity,” Kaiser said.

Attracting affiliates and attention for future operations could be driving some of 0APT’s behavior, but cybercriminals frequently deride such activities once the extent of their lies becomes widely known, said Jason Baker, managing security consultant of threat intelligence at GuidePoint.

“That strategy was almost certainly shortsighted and undermined by 0APT’s fabrications, which render them an unattractive partner or destination for affiliates going forward,” Baker said. “After all, if they’re willing to lie this brazenly about their victims and capabilities, why wouldn’t they lie to their affiliates as well?”

The make-up of 0APT remains unknown, with no obvious lineage or overlap with other ransomware variants, but the group is financially motivated and very aggressive in communications, Kaiser said. 

“While the operators appear to not be novices, we have no evidence of who is running the group or its exact origins,” she added.

Halcyon, which is developing technical analysis on the group, insists 0APT poses a genuine threat that will eventually ensnare legitimate victims. 

“Given the fact that they are attracting attention and operating a capable encryptor, we see the potential as high that real victims may soon appear,” Kaiser said. “A focused rebrand, such as removing all the fake victims and starting to list real victims, even only a few, will be a strong signal that the group has evolved into a serious operation.”


Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.
