0APT Ransomware

0APT is a newly identified Ransomware-as-a-Service (RaaS) syndicate that emerged on January 28, 2026, with an unprecedented campaign compromising 71 organisations across multiple sectors within 48 hours. The group employs double extortion tactics, combining AES-256/Salsa20 file encryption with data exfiltration and public leak threats.

Threat Actor Description

0APT (pronounced "Zero-APT") is a financially motivated ransomware syndicate that explicitly distances itself from nation-state Advanced Persistent Threat actors. The group brands itself as a "politically neutral underground syndicate" focused purely on financial gain. Their ransom notes frame attacks as a "tax on security negligence" - psychological tactics designed to normalise payment and discourage victim resistance.

Group Characteristics

Attribute	Details
Group Name	0APT (Zero-APT)
First Observed	January 28, 2026
Operational Model	Ransomware-as-a-Service (RaaS)
Extortion Method	Double Extortion (Encryption + Data Leak)
Motivation	Financial - Explicitly non-political
Attribution	Unknown - Possible links to Haron ransomware (2021)
Victim Count (Jan 28-30)	71 confirmed organisations

Malware Characteristics

The 0APT "locker" malware is a crypto-ransomware strain written in C# targeting Windows environments with cross-platform capabilities. Analysis reveals the malware uses a hybrid encryption scheme combining Salsa20 stream cipher for file encryption with RSA-1024 for key protection. This differs from the AES-256 claim in ransom notes - a simplification for victims. The code shares technical fingerprints with Haron ransomware (2021), including the unusual trait of not appending extensions to encrypted files.

Technical Attribute	Value
Programming Language	C# (.NET)
Target Platform	Windows (primary), Linux/ESXi (reported)
File Encryption	Salsa20 stream cipher
Key Protection	RSA-1024
File Extension	None (files retain original names)
Ransom Note	HOW TO RESTORE YOUR FILES.TXT
Obfuscation	SmartAssembly (suspected), string encryption
Lineage	Technical similarities to Haron ransomware (2021)

Detailed Tactics, Techniques, and Procedures (TTPs)
 

Initial Access

0APT affiliates leverage multiple intrusion vectors through the RaaS model:

Credential Phishing: Sophisticated spear-phishing campaigns using phishing kits that mimic Okta/SSO login portals. Identified domains include myadyensso.com (Adyen), weworksso.com (WeWork), cnainsurancesso.com (CNA Insurance), and others. These pages hijack active sessions, bypassing MFA and providing administrative access.

Exposed Remote Services: Exploitation of RDP, VPNs, and other remote access services using stolen credentials from phishing or dark web purchases. Unpatched VPN appliances may also be targeted.

Pre-positioning: The rapid 48-hour campaign timing suggests victims may have been compromised earlier and simultaneously "detonated" at launch.

Execution & Lateral Movement

Post-exploitation follows standard ransomware playbooks:

• Internal reconnaissance to map networks, identify critical servers and backups
• Credential dumping from LSASS memory (likely Mimikatz or similar tools)
• Lateral movement via Microsoft Sysinternals PsExec and WMI
• Domain Group Policy abuse for enterprise-wide ransomware deployment
• Targeting of VMware ESXi and network storage for maximum impact

Defence Evasion

The malware employs multiple evasion techniques:

• Heavy obfuscation using SmartAssembly for C# binaries with string encryption
• Security software termination via taskkill/net stop commands
• Shadow copy deletion using vssadmin delete shadows /all /quiet
• Backup system targeting and destruction prior to encryption
• Process naming mimicking legitimate system files (e.g., svcHost.exe)
   

Command-and-Control

C2 infrastructure utilises:

• Dedicated C2 domains: approvalmechanism.com, commerceapprove.com, technicalposition.com
• Tor network for leak site operations and encrypted communications
• HTTPS/TLS encrypted channels for data exfiltration
   

Data Exfiltration

Pre-encryption data theft involves:

• Volumes ranging from 50GB to 3TB per victim
• Standard exfiltration tools (likely Rclone, FTP, cloud storage)
• Data archived and compressed before transfer
• Multi-day quiet exfiltration before ransomware detonation
   

Impact

Final impact phase includes:

• Salsa20 encryption deployed enterprise-wide simultaneously
• Ransom notes dropped with Tor site address and unique victim ID
• Countdown timers on leak site threatening data publication
• Cryptocurrency payment demands with short deadlines
   

MITRE ATT&CK Matrix

The following matrix maps observed and inferred 0APT techniques to the MITRE ATT&CK framework. Confidence levels: CONFIRMED (directly observed), HIGH (industry-standard for RaaS), MEDIUM (inferred from operational model).

Tactic	Technique ID	Description	Confidence
Initial Access	T1566.001	Spearphishing Attachment/Link - Okta SSO phishing kits	CONFIRMED
Initial Access	T1078	Valid Accounts - Stolen credentials for VPN/RDP	CONFIRMED
Initial Access	T1133	External Remote Services - RDP/VPN exploitation	HIGH
Execution	T1204.002	User Execution: Malicious File	CONFIRMED
Execution	T1059.001	PowerShell - Obfuscated script execution	HIGH
Execution	T1047	WMI - Remote execution	CONFIRMED
Persistence	T1547.001	Registry Run Keys/Startup Folder	MEDIUM
Persistence	T1053.005	Scheduled Task/Job	MEDIUM
Privilege Escalation	T1003	OS Credential Dumping - LSASS/Mimikatz	HIGH
Privilege Escalation	T1055	Process Injection	HIGH
Defence Evasion	T1027	Obfuscated Files - SmartAssembly, string encryption	CONFIRMED
Defence Evasion	T1562.001	Disable/Modify Tools - AV/EDR termination	HIGH
Defence Evasion	T1070	Indicator Removal - Log deletion	MEDIUM
Credential Access	T1003.001	LSASS Memory Dumping	HIGH
Credential Access	T1555	Credentials from Password Stores	MEDIUM
Discovery	T1135	Network Share Discovery	CONFIRMED
Discovery	T1083	File and Directory Discovery	CONFIRMED
Discovery	T1082	System Information Discovery	HIGH
Lateral Movement	T1021.002	SMB/Windows Admin Shares - PsExec	CONFIRMED
Lateral Movement	T1021.001	Remote Desktop Protocol	HIGH
Lateral Movement	T1570	Lateral Tool Transfer	HIGH
Collection	T1560	Archive Collected Data - ZIP/RAR	CONFIRMED
Collection	T1005	Data from Local System	CONFIRMED
Collection	T1039	Data from Network Shared Drive	CONFIRMED
Exfiltration	T1041	Exfiltration Over C2 Channel	CONFIRMED
Exfiltration	T1567	Exfiltration Over Web Service	HIGH
Command & Control	T1573	Encrypted Channel - HTTPS/Tor	CONFIRMED
Command & Control	T1071.001	Web Protocols	HIGH
Impact	T1486	Data Encrypted for Impact - Salsa20	CONFIRMED
Impact	T1490	Inhibit System Recovery - Shadow copy deletion	CONFIRMED
Impact	T1489	Service Stop - Security/database services	HIGH
Impact	T1485	Data Destruction (backup deletion)	CONFIRMED

Indicators of Compromise (IOCs)

The following IOCs have been validated and combined from multiple intelligence sources. Status indicates validation level.

Malware File Hash
 

Type	Value	Status
SHA-256	a28771c1e89c474cad0dcd22d8e5bd92e42d55fa99a8d8eb961525e75ebcd766	VALIDATED

Network Infrastructure

Tor Leak Site

Type	Value	Status
Onion Address	oaptxiyisljt2kv3we2we34kuudmqda7f2geffoylzpeo7ourhtz4dad.onion	CONFIRMED
Site Title	0APT | Command Ops	CONFIRMED
Web Server	NGINX 1.22.1	CONFIRMED

Phishing Domains (Initial Access)
 

Domain	Impersonating	Status
myadyensso.com	Adyen SSO/Okta Portal	CONFIRMED
weworksso.com	WeWork SSO Portal	CONFIRMED
centerspacesso.com	CenterSpace SSO Portal	CONFIRMED
cnainsurancesso.com	CNA Insurance SSO Portal	CONFIRMED
mycoldwellsso.com	Coldwell Banker SSO Portal	CONFIRMED

C2 Domains

Domain	Purpose	Status
approvalmechanism.com	Second-stage payload / C2	CONFIRMED
commerceapprove.com	C2 / Exfiltration endpoint	CONFIRMED
technicalposition.com	Second-stage / C2	CONFIRMED

Threat Actor Communication Channels
 

Platform	Identifier	Status
Tox Messenger	AE7FDDF4ADD95AC3DF29802662DA14C51E95A99992E8E087974AFE1A57 481E5381FE429F8BC8	CONFIRMED
Session Messenger	058818f5d84c39403b01ffa023a21b9fe118ffb237fd642c53e73944fb7ac02e6f	CONFIRMED

File & System Artifacts
 

Artifact Type	Value	Status
Ransom Note Filename	HOW TO RESTORE YOUR FILES.TXT	CONFIRMED
Suspicious Process Name	svcHost.exe (unusual path)	OBSERVED
File Extension	None (files retain original names)	CONFIRMED
Shadow Copy Deletion	vssadmin delete shadows /all /quiet	CONFIRMED

Detection & Mitigation Recommendations

Crystal Eye 5.5 (Red Piranha)

1. Secure external access (RDP/VPN + apps): Enforce MFA on RDP/VPN, patch exposed apps, block legacy protocols, and apply WAF rules to catch auth bypass / API abuse / injection attempts.
    
2. Privilege management: Rotate admin/MSP credentials, disable unused accounts, enforce least privilege for service accounts (web apps + DB), and monitor privilege escalation inside CE SIEM.
    
3. Execution control + kill-chain correlation: Use CEASR to block unknown binaries executing from %TEMP% / %APPDATA%, restrict PsExec/WMI remoting, and correlate ransomware chains like bcdedit + vssadmin + PsExec, including alerts for AV/service stops.
    
4. Network controls + segmentation: Block known C2/IP/domain indicators, restrict outbound HTTPS to unknown IPs, limit SMB/WinRM east-west movement, isolate admin workstations, and segment AD / file servers / DB servers / critical infra from general user networks.
5. Backup hardening + IR playbook automation: Use offline/immutable backups, restrict backup server access, detect shadow-copy deletion attempts, validate restores periodically, and trigger rapid SOAR actions (isolate hosts, block hashes/onion/IOCs, rotate credentials, notify SOC).

Worldwide Ransomware Victims by Country

The United States remained the primary hotspot for ransomware activity, accounting for 42.65% of all identified victims. That means well over two out of every five known cases this period hit U.S. based organisations, keeping it far ahead of any other single country in terms of observable exposure.

A strong second tier consisted of the United Kingdom (8.06%) and Canada (5.69%), followed by Italy and India (each 3.32%), Brazil (2.84%), and Spain and Germany (each 2.37%). Together, this bloc of mature and large economies forms the bulk of non-U.S. activity, reflecting big digital footprints, consistent incident disclosure, and attractive victim profiles for extortion operators.

A broader mid-band followed, led by Malaysia (1.9%), and a cluster of countries at 1.42% each - Switzerland, Taiwan, Netherlands, Czech Republic, South Africa, Japan, New Zealand, Mexico, France. These figures show that ransomware is firmly entrenched across Europe, Asia-Pacific, and the Americas, not just in North America.

Below that, a long tail of lower-volume geographies - including Vietnam, China, Israel, Bulgaria, Thailand (each 0.95%), and a wide spread of Morocco, Tanzania, Peru, Slovenia, Colombia, Kenya, Philippines, Finland, Senegal, United Arab Emirates, Singapore, Bahamas, Mauritius, Australia, Argentina, Paraguay, Belgium, Chile, Slovakia, Indonesia, Greece (each 0.47%) appeared only sporadically. Individually they contribute small fractions, but collectively they reinforce the pattern: ransomware remains a global problem, touching dozens of countries rather than being confined to a handful of headline markets.