A new ransomware syndicate called 0APT (pronounced “Zero-APT”) burst onto the scene on January 28, 2026, and immediately became the most active threat actor in the ecosystem. Within 48 hours, they compromised 71 organizations. By early February, they had claimed over 90 victims and accounted for nearly a quarter of all ransomware incidents globally.
This post breaks down their operations and TTPs and provides actionable detection guidance.
Who is 0APT?
0APT operates as a Ransomware-as-a-Service (RaaS) syndicate. The name is deliberately ironic: they explicitly distance themselves from nation-state APTs, branding themselves as a “politically neutral underground syndicate” focused purely on profit.
Their ransom notes frame attacks as a “tax on security negligence” - psychological manipulation designed to normalize payment and shame victims into compliance.
| Attribute | Details |
|---|---|
| First Observed | January 28, 2026 |
| Operational Model | RaaS with affiliate network |
| Extortion Method | Double extortion (encryption + data leak) |
| Motivation | Financial, explicitly non-political |
| Possible Lineage | Technical similarities to Haron ransomware (2021) |
| Victim Count | 91+ (as of early February 2026) |
Attack Velocity
The numbers are staggering:
- 71 organizations compromised in 48 hours
- 61 attacks executed on January 30 alone
- 23.75% of all ransomware incidents in late January 2026
- 50GB to 3TB of data exfiltrated per victim
This velocity suggests either pre-positioned access (victims compromised earlier, detonated simultaneously) or a large, coordinated affiliate network hitting multiple targets at once.
Target Profile
0APT is sector-agnostic but shows concentration in:
- Healthcare: Metro General Hospital, Silverline Hospitals, dental clinics
- Finance: Silver City Bank, Quantum Financial Corp, Summit Financial Group, Unity Insurance
- Energy/Utilities: Delta Energy Corp, Solaris Renewable Energy, Blue Water Utilities
- Transportation: National Rail Network, City Transit Authority, Harbor Port Authority
- Technology: FutureTech AI, Nexus IT Services, Eclipse Software House
Critical infrastructure is clearly on the menu.
Technical Analysis
The Locker
The 0APT ransomware is written in C# targeting Windows, with reported Linux/ESXi variants.
| Technical Attribute | Value |
|---|---|
| Language | C# (.NET) |
| File Encryption | Salsa20 stream cipher |
| Key Protection | RSA-1024 |
| File Extension | None (files retain original names) |
| Ransom Note | HOW TO RESTORE YOUR FILES.TXT |
| Obfuscation | SmartAssembly, string encryption |
Notable quirk: Unlike most ransomware, 0APT does not append an extension to encrypted files. This is a trait shared with Haron ransomware from 2021, suggesting possible code reuse or developer overlap.
The ransom notes claim AES-256 encryption, but analysis shows Salsa20; the AES claim is a simplification aimed at non-technical victims.
Initial Access
0APT affiliates use multiple entry vectors:
1. Credential Phishing (Primary)
Sophisticated SSO phishing kits targeting Okta, Microsoft Entra, and Google Workspace. Known phishing domains:
myadyensso[.]com (targeting Adyen)
weworksso[.]com (targeting WeWork)
cnainsurancesso[.]com (targeting CNA Insurance)
These kits perform real-time session hijacking, capturing MFA tokens and establishing persistent access.
2. Exposed Remote Services
Exploitation of internet-facing RDP and VPNs using:
- Credentials purchased from initial access brokers
- Stolen credentials from phishing
- Unpatched VPN appliances
Execution and Lateral Movement
Post-access playbook follows standard ransomware TTPs:
- Reconnaissance: Map networks, identify domain controllers, backup servers, and high-value targets
- Credential Dumping: LSASS memory extraction (likely Mimikatz)
- Lateral Movement: PsExec and WMI for remote execution
- Privilege Escalation: Target domain admin accounts
- Deployment: Abuse Group Policy for enterprise-wide ransomware push
- Impact Maximization: Target VMware ESXi hosts and network storage
Defense Evasion
- SmartAssembly obfuscation for .NET binaries
- String encryption to evade static analysis
- AV/EDR termination via taskkill and net stop
- Shadow copy deletion: vssadmin delete shadows /all /quiet
- Process naming mimicking legitimate files (e.g., svcHost.exe)
Exfiltration
Data theft occurs days before encryption:
- Volumes: 50GB to 3TB per victim
- Tools: Likely Rclone, cloud storage services, or custom exfil
- Data is archived and compressed before transfer
- HTTPS/TLS encrypted channels to C2
Infrastructure
Command and Control
Known C2 domains:
approvalmechanism[.]com
commerceapprove[.]com
technicalposition[.]com
Leak site and victim communications operate over Tor.
Leak Site Mechanics
- Countdown timers create artificial urgency
- Sample data published to demonstrate access
- Full dumps threatened if ransom not paid
- Victim-specific portals for “negotiation”
MITRE ATT&CK Mapping
| Tactic | Technique | Description |
|---|---|---|
| Initial Access | T1566.001 | Spearphishing (SSO phishing kits) |
| Initial Access | T1078 | Valid Accounts (stolen creds) |
| Initial Access | T1133 | External Remote Services (RDP/VPN) |
| Execution | T1047 | WMI |
| Execution | T1059.001 | PowerShell |
| Credential Access | T1003.001 | LSASS Memory Dumping |
| Lateral Movement | T1021.002 | SMB/Admin Shares (PsExec) |
| Defense Evasion | T1027 | Obfuscated Files |
| Defense Evasion | T1562.001 | Disable Security Tools |
| Exfiltration | T1041 | Exfil Over C2 Channel |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1490 | Inhibit System Recovery |
Detection Opportunities
Network-Based
Monitor for:
- Connections to known C2 domains (see IOC section)
- Tor network traffic from servers/workstations
- Large outbound data transfers (especially to cloud storage)
- SMB traffic patterns consistent with PsExec lateral movement
- Unusual RDP connections between internal hosts
Endpoint-Based
Alert on:
- Mass file operations without extension changes (0APT signature)
- vssadmin delete shadows execution
- LSASS access from unsigned processes
- PowerShell with encoded commands
- New scheduled tasks or services on multiple hosts
- Processes named similar to system files but in wrong locations
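The endpoint alerts above, together with the vssadmin, taskkill and net stop behaviours from the Defense Evasion section, expressed as rule logic and run over constructed process-creation events. This is an added example, not tooling from the original post; hostnames, user names, the EDR service name and the base64 string are made up.

```python
import re
from pathlib import PureWindowsPath

# Windows system directories and the binary names that svcHost.exe-style masquerading imitates.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}

# Command-line rules mapped to the ATT&CK techniques from the table above.
RULES = [
    ("T1490 shadow copy deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1562.001 security tool termination", re.compile(r"\b(taskkill\b.*?/(f|im)\b|net1?\s+stop\b)", re.I)),
    ("T1059.001 encoded PowerShell", re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I)),
]

def parse(line: str) -> dict:
    """Split key=value and key="quoted value" pairs of one event line into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def is_masquerading(image: str) -> bool:
    """A system binary name launched from outside the system directories."""
    p = PureWindowsPath(image)
    return p.name.lower() in SYSTEM_NAMES and str(p.parent).lower() not in SYSTEM_DIRS

def detect(line: str) -> list:
    """Return the names of every rule the event trips (empty list when clean)."""
    ev = parse(line)
    hits = [name for name, rx in RULES if rx.search(ev.get("cmdline", ""))]
    if is_masquerading(ev.get("image", "")):
        hits.append("process masquerading: system binary name outside System32")
    return hits

def scan(lines):
    """Return (host, hits) for every event that trips at least one rule."""
    return [(parse(l).get("host", "?"), h) for l in lines if (h := detect(l))]

# Constructed sample events (Sysmon Event ID 1 style, key=value); all values are made up.
SAMPLE_LOG = [
    r'2026-01-30T03:12:44Z host=WS-017 user=CORP\jdoe image=C:\Windows\System32\svchost.exe cmdline="svchost.exe -k netsvcs"',
    r'2026-01-30T03:14:02Z host=FS-02 user=CORP\svc_backup image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"',
    r'2026-01-30T03:14:09Z host=FS-02 user=CORP\svc_backup image=C:\Windows\System32\net.exe cmdline="net stop ExampleEDRService"',
    r'2026-01-30T03:15:31Z host=WS-044 user=CORP\asmith image=C:\Users\Public\svcHost.exe cmdline="C:\Users\Public\svcHost.exe"',
    r'2026-01-30T03:16:05Z host=WS-044 user=CORP\asmith image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -NoP -W Hidden -enc QQBCAEMA"',
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_LOG):
        print(host, "->", "; ".join(hits))
```

The first sample line is a legitimate svchost launch from System32 and trips nothing; the remaining four each map to one alert in the list above.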
Authentication
- Failed authentication spikes followed by successful logins
- Logins from unusual locations or at unusual times
- Service account usage from workstations
- New admin account creation
Indicators of Compromise
C2 Domains
approvalmechanism[.]com
commerceapprove[.]com
technicalposition[.]com
Phishing Domains
myadyensso[.]com
weworksso[.]com
cnainsurancesso[.]com
Ransom Note
Filename: HOW TO RESTORE YOUR FILES.TXT
Behavioral
- Encrypted files with no extension change
- Salsa20 encryption patterns
- RSA-1024 key exchange
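A hunt for the no-extension-change behaviour described under The Locker and listed above: files whose names still claim a document type but whose bytes look like ciphertext, plus the ransom note filename. This is an added example, not part of the original post. The directory it scans is constructed in a temp folder: intact documents, files whose bodies were replaced with random bytes standing in for Salsa20 output, and a placeholder ransom note.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Magic bytes for document types worth checking; text-like extensions are judged as printable text instead.
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04", ".png": b"\x89PNG"}
TEXT_EXT = {".txt", ".csv", ".log", ".json", ".xml"}
RANSOM_NOTE = "HOW TO RESTORE YOUR FILES.TXT"

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_encrypted(path: Path, sample: int = 4096) -> bool:
    """True when the extension promises a known format but the leading bytes are near-random."""
    head = path.read_bytes()[:sample]
    ext = path.suffix.lower()
    if ext in MAGIC:  # a real .docx body is compressed, but it still starts with PK
        return not head.startswith(MAGIC[ext]) and entropy(head) > 7.5
    if ext in TEXT_EXT:
        printable = all(32 <= b < 127 or b in (9, 10, 13) for b in head)
        return not printable and entropy(head) > 7.5
    return False  # unknown type: the name alone gives nothing to compare against

def hunt(root: Path, mass_threshold: float = 0.5) -> dict:
    """Scan a tree and report suspicious files, a mass-encryption flag, and ransom note presence."""
    files = [p for p in root.rglob("*") if p.is_file()]
    hits = sorted(p.name for p in files if looks_encrypted(p))
    ratio = len(hits) / len(files) if files else 0.0
    return {"suspicious": hits, "mass_encryption": ratio >= mass_threshold,
            "ransom_note": any(p.name.upper() == RANSOM_NOTE for p in files)}

def build_sample() -> Path:
    """Constructed share: two intact documents, three with random-byte bodies, and a placeholder note."""
    root = Path(tempfile.mkdtemp(prefix="0apt_hunt_"))
    (root / "notes.txt").write_text("Meeting minutes, Q1 planning\n" * 40)
    (root / "report.pdf").write_bytes(b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 50)
    for name in ("invoices.xlsx", "quarterly.docx", "payroll.pdf"):
        (root / name).write_bytes(os.urandom(8192))  # stands in for an encrypted file, name unchanged
    (root / RANSOM_NOTE).write_text("constructed placeholder note\n")
    return root

if __name__ == "__main__":
    print(hunt(build_sample()))
```

Run against a real share, the mass_encryption flag is the signal to act on; a single mismatch is usually a mislabelled file, three out of five in one directory is not.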
Recommendations
Immediate Actions
- Block IOCs at firewall, proxy, and DNS levels
- Hunt for phishing domains in email and proxy logs
- Review authentication logs for anomalies in the past 30 days
- Validate backup integrity - can you actually restore?
- Segment critical systems - domain controllers, backup servers, ESXi hosts
Strategic Hardening
- Implement phishing-resistant MFA (FIDO2, hardware keys) - SSO phishing kits can bypass SMS/TOTP
- Restrict PsExec and WMI to authorized admin workstations
- Deploy EDR with behavioral detection, not just signature-based
- Monitor outbound traffic for data exfiltration patterns
- Air-gap backups - ransomware crews specifically target backup infrastructure
User Awareness
0APT phishing is sophisticated. Train users to:
- Verify SSO login URLs character-by-character
- Report unexpected MFA prompts
- Question “IT support” calls requesting credentials
Conclusion
0APT’s explosive debut signals a new tempo in the ransomware ecosystem. Their affiliate model, combined with effective SSO phishing and proven ransomware tooling, makes them a serious threat to organizations of all sizes.
The silver lining: their TTPs are well-documented and detectable. Organizations with mature security programs and proper backup hygiene can defend against 0APT, but the window for preparation is narrowing.
Want hands-on training in ransomware defense? Check out the Endolum Certified Defense Analyst (ECDA) course for practical blue team skills.