By Lyrie Threat Intelligence·4/29/2026

The New Ransomware Disorder: How The Gentlemen, 0APT, and KryBit Rewrote the Q1 2026 Playbook

TL;DR: Q1 2026 produced 2,638 ransomware leak-site posts, a 22% jump over Q1 2025, but raw numbers obscure the real story. A new group called The Gentlemen exploded onto the scene with a 588% quarter-over-quarter surge in leak-site postings and a SystemBC C2 holding more than 1,570 infected machines. 0APT fabricated an entire victim list to fake legitimacy, then got burned when rival KryBit hacked it back and exposed the whole scheme. ShinyHunters, without deploying ransomware at all, claimed a breach of ADT through pure identity compromise. The ransomware ecosystem is fracturing into three distinct tiers, and defenders who tune their detection to established groups will get blindsided by the new ones.

Background: The Q1 2026 Landscape at a Glance

By every headline metric, 2026 is a bad year for defenders. ZeroFox tracked at least 2,059 ransomware and digital extortion incidents in Q1 alone, with March accounting for 747 of them — the single highest monthly count on record. ReliaQuest's parallel analysis of public data-leak site posts puts the figure even higher: 2,638 posts across monitored RaaS operations, up 22% from 2,161 in Q1 2025. [1][2]

But aggregate numbers are a trap. They flatten the texture of what's actually happening. The Q1 2026 story is not "ransomware keeps growing" — it's a more interesting one about structural change in the threat ecosystem: established players losing market share, newcomers weaponizing reputation fraud, and a group sophisticated enough to quietly build a 1,570-machine corporate botnet while barely appearing in the press.

Three actors define that story: The Gentlemen, 0APT, and KryBit, whose public feud with 0APT ended with each group leaking the other's operational data. A fourth, ShinyHunters, completes the picture by demonstrating that you don't need ransomware at all to extort at enterprise scale.

This is a full threat actor profile of all four — their origins, TTPs, infrastructure, and what they tell us about where the threat is going.


Actor 1: The Gentlemen — The Breakout You Weren't Watching

Origins and Forum Presence

The Gentlemen RaaS emerged in mid-2025. Unlike most new entrants who appear quietly and claim unverifiable victims, The Gentlemen ran what can only be described as a marketing campaign: prominent underground forum posts advertising affiliate slots, promoting multi-platform locker capabilities, and branding themselves as a premium operation for skilled penetration testers who want a cut of ransomware revenue. [3]

The name is not ironic. Forum posts carry a studied politeness. Affiliate communications reportedly emphasize "professional conduct." The X/Twitter account linked from ransom notes maintains a public-facing voice that presents victim exposure as a straightforward business consequence of non-payment, not a taunt. It's an unusual posture — and it appears to be working.

Technical Capabilities: Multi-OS Locker Platform

What distinguishes The Gentlemen is platform breadth matched to corporate reality. Their locker portfolio covers:

  • Windows, Linux, NAS devices, and BSD: lockers implemented in Go
  • ESXi: a separate locker implemented in C (notably a distinct codebase rather than a port)

ESXi-specific ransomware has become a standard differentiator for mature RaaS operations — attacks against hypervisors can encrypt hundreds of virtual machines in minutes, making recovery orders of magnitude harder than endpoint-only infections. The Gentlemen's ESXi locker in C (rather than Go) suggests either a pre-existing codebase acquired from another operator, or development by a team with different skillsets working in parallel. Either interpretation implies more organizational depth than a typical startup RaaS. [3]

Affiliates also receive access to EDR-killing tooling and a proprietary multi-chain pivot infrastructure: their own proxy network rather than reliance on commodity tools like Cobalt Strike's native pivoting. Negotiations are conducted over Tox (a decentralized, end-to-end encrypted P2P messenger), so there is no central negotiation portal for law enforcement to seize.

The SystemBC Campaign: 1,570 Victims Behind One C2

In April 2026, Check Point Research published a DFIR report on an incident response engagement involving a Gentlemen affiliate. During the intrusion, the affiliate deployed SystemBC, a proxy malware long associated with human-operated ransomware operations and historically seen in Ryuk and Dridex campaigns. SystemBC connects outbound from the victim host to a C2 server and exposes a SOCKS5 proxy through that connection, so the operator can tunnel lateral movement, payload staging, and data exfiltration through one encrypted channel that many network signatures do not inspect. [3]

The significant detail: when Check Point analysts pivoted to the relevant SystemBC C2 server, they found over 1,570 victim entries — a botnet of machines across corporate and organizational environments waiting for the operator's next move. This is a staging model: The Gentlemen affiliates appear to build large access inventories before deploying lockers, consistent with access-broker partnerships and a deliberate timing strategy to maximize impact per operation.

When SystemBC deployment was blocked by the target environment's defenses, the affiliate shifted to alternative C2 channels and established persistence using legitimate remote desktop and remote access software — a hallmark of adaptable, human-operated operators who have backup plans. [4]

Victim Count: 320+ Public, 1,570+ Infected Hosts

The Gentlemen's public leak site lists 320+ victims, with the majority (240) posted in the first quarter of 2026, a 588% quarter-over-quarter increase from Q4 2025 [2]. The SystemBC C2 data is a different unit of measure: the 1,570 entries are infected machines, not organizations, and a single intrusion can contribute many hosts. Even so, a staging inventory that large indicates an operational footprint well beyond what the leak site shows, including compromised organizations that have not yet been extorted.

Target profile: Corporate and organizational environments. No evidence of deliberate healthcare or critical infrastructure targeting (yet), but the ESXi capability and access-broker infrastructure suggest they are capable of pivoting to any sector.


Actor 2: 0APT — The Ransomware Group That Never Was (And Then Became Something Stranger)

January 2026: The 190-Victim Blitz

On January 29, 2026, a new dark web leak site announced the arrival of 0APT Ransomware-as-a-Service. Within the first week, the site posted 190+ victim claims spanning critical infrastructure, healthcare, finance, and manufacturing, a sector mix chosen to impress potential affiliates and security researchers simultaneously. [5]

The claims fell apart under scrutiny almost immediately. Security researchers attempting to verify any of the leaked data found inconsistencies: no corroborating breach reports from claimed victims, no verifiable sample files, no dark web chatter from buyers. The working hypothesis was that 0APT had fabricated its entire portfolio to generate affiliate interest — essentially lying about its customer list to get its business off the ground.

Halcyon's Ransomware Research Center reached the same conclusion. How thoroughly it would be confirmed only became clear in April. [5]

March–April: The Turf War

By late March 2026, KryBit RaaS had emerged as a functional operation: not large, but real. KryBit offered builders for Windows, Linux, ESXi, and NAS devices under an 80/20 affiliate model (affiliates keep 80%, operator keeps 20%) with an aggressive recruitment posture. Within two weeks, KryBit's leak site listed 10 victims, with ransom demands between $40,000 and $100,000 and 10–250GB of exfiltrated data per victim. [6]

On April 13, 2026, 0APT re-emerged with a surprise move: it posted what it claimed were the operational files of KryBit, Everest Group, and RansomHouse — three competing ransomware operations — on its own leak site, deleting all previous fabricated victim claims in the process. The play was audacious: if you can't build a victim list, hack other criminals and become the leak site for the ransomware industry itself. [5][6]

The Everest data appeared partially legitimate: an SQL database containing encoded and hashed publication and user data from January to September 2025, with one administrator account created August 29, 2025. Everest has not publicly responded. The RansomHouse data 0APT claimed to hold was not actually included in the leak, and RansomHouse likely was not affected.

The KryBit data was real and devastating. The leaked administrator panel exposed:

  • KryBit's two primary operators (KRYBIT and GREP)
  • All 5 affiliates with their operational details
  • Victim negotiation histories
  • Ransom payment status for all 20 active targets
  • Full exfiltration metadata per victim

April 14–15: KryBit Strikes Back

KryBit did not file a police report.

On April 14, 2026, KryBit gained full administrative access to 0APT's servers and defaced the 0APT leak site with a message: "Next time, don't play with the big boys." On April 15, KryBit published the complete 0APT operational dataset — including full access logs, PHP source code, and system files. [6][7]

The access logs confirmed what researchers had suspected: all 190+ victims claimed by 0APT in January 2026 were entirely fabricated. No data was ever exfiltrated from any of the listed victims. The operation had zero legitimate activity.

The logs also revealed the infrastructure powering 0APT's leak site: a Parrot OS environment run through AnLinux on an Android phone, serving all content from the phone's internal storage. A threat actor claiming hundreds of victims in critical infrastructure was running its entire dark web presence off a mobile device. [7]

As of late April 2026, the 0APT leak site remains defaced by KryBit. 0APT has been unable to recover. Both operations are now expected to rebuild and rebrand.

What 0APT Actually Built (Despite Everything)

Halcyon's prior research confirmed that 0APT did build functional ransomware encryptors for both Windows and Linux. The group had technical competence in payload development — its failure was entirely operational: no actual intrusion capability, no affiliate network, and a reputation strategy that backfired catastrophically. [5]


Actor 3: ShinyHunters — Ransomware Without the Ransomware

Identity-First, SaaS-Native Extortion

ShinyHunters sits in a different category entirely. Originally known as a data theft and resale group, the operation has evolved into a full extortion apparatus — one that achieves enterprise-scale impact without deploying a single encryptor. On April 24, 2026, ShinyHunters publicly claimed responsibility for a breach of ADT, Inc. (adt.com), the largest residential security company in the United States. [8]

The ShinyHunters playbook: compromise identity infrastructure, move laterally through SaaS platforms using legitimate credentials, exfiltrate data, and threaten to publish. No encryption required. No decryption key to negotiate. The pressure point is reputational and regulatory — publish the data, and the company faces GDPR/CCPA penalties, customer notification obligations, and brand damage.

This model is increasingly attractive to operators because it removes the noisiest phase of ransomware: the encryption event. Encrypted files generate incident response alarms, trigger cyber insurance clauses, and leave forensic evidence. Stolen data, if exfiltrated quietly, may not trigger detection until the threat actor publishes it.

Connection to Scattered Spider / UNC3944

ShinyHunters is publicly linked to Scattered Spider (also tracked as UNC3944, Octo Tempest, Storm-0875, Muddled Libra, and Scatter Swine) — a primarily English-speaking collective known for IT help desk social engineering, MFA bombing, and SIM swapping to hijack privileged accounts. In April 2026, a senior member of Scattered Spider, 24-year-old British national Tyler Robert Buchanan ("Tylerb"), pleaded guilty to wire fraud conspiracy and aggravated identity theft in connection with a series of text-message phishing campaigns. [9]

The plea does not end the threat: other members remain active, and the ShinyHunters claim against ADT, made the same month, shows the operation is still producing high-profile results.


IOCs / Indicators

The Gentlemen — SystemBC C2 Infrastructure

  • SystemBC samples associated with this campaign exhibit hardcoded C2 over TCP 4000–4200 (the port is set per build, so treat the range as a hunting lead rather than a signature)
  • Go-compiled locker samples: double-extension pattern [original_extension].[8_random_chars]
  • Ransom note references X/Twitter handle (currently active); Tox ID for negotiations
  • ESXi locker: C-compiled ELF targeting /vmfs/volumes/

KryBit (Post-Breach)

  • Infrastructure rotation expected — all previously observed domains and IPs should be treated as burned
  • Targets Windows, Linux, ESXi, NAS — builders confirmed operational as of April 12, 2026
  • Affiliate model: 80/20 split, opportunistic targeting, ransom demands $40K–$100K

ShinyHunters / UNC3944 TTPs

  • Initial access: IT help desk social engineering, SIM swap, MFA fatigue (push bombing)
  • Lateral movement: Okta admin console abuse, Azure AD/Entra ID session hijacking
  • Exfiltration: AWS S3 staging, Mega.nz, cloud-synced SaaS export APIs
  • Detection: Look for anomalous Okta System Log events, in particular admin role assignments (eventType user.account.privilege.grant), MFA factor resets performed by a different account (user.mfa.factor.reset_all), and off-hours SaaS bulk data export events

0APT

  • Encryptors confirmed functional but all victim claims fabricated — no legitimate compromise activity observed
  • Infrastructure destroyed by KryBit — operation considered defunct pending rebrand

Lyrie Take

The ransomware ecosystem is becoming a three-tier market, and most defenses are tuned for the wrong tier.

Tier 1: Established High-Volume RaaS (Akira, Qilin, LockBit remnants) — These are well-documented. YARA rules exist. CISA advisories exist. Your SOC is probably looking for them. Their share of leak-site volume is declining as law enforcement and insurance pressure pushes up operational costs.

Tier 2: Capable Newcomers (The Gentlemen) — This is where the real risk is accumulating. These groups have legitimate technical depth — multi-OS lockers, EDR killers, SystemBC botnet infrastructure — but limited public exposure. Security teams that base detection on "known bad" signatures will miss them entirely during the initial intrusion phase. The 1,570-machine SystemBC C2 data is the tell: The Gentlemen had built that staging capability before anyone was paying attention.

Tier 3: Reputation and Extortion Plays (0APT, ShinyHunters) — These actors either lack real intrusion capability (0APT, whose encryptors worked but whose victims did not exist) or choose not to encrypt (ShinyHunters). Defenses focused on detecting ransomware encryption events miss both entirely. The ShinyHunters model is particularly dangerous because the leverage is complete the moment data leaves the network: the encryption event, and the detection and incident response it triggers, drop out of the attacker's risk profile, and the negotiation is over publication rather than a decryption key.

Where Lyrie operates: Autonomous detection at machine speed matters most in the gap between Tier 2 intrusion and Tier 3 extortion demand. By the time a human analyst identifies an anomalous Okta session on a Friday evening, the data is already uploaded to Mega. Lyrie's behavioral analysis closes that window by detecting the pattern of access — unusual auth source, credential-reuse signals, SaaS export anomalies — not the encryption event that has already ceased to be the primary threat indicator.


Defender Playbook

Against The Gentlemen (and SystemBC)

1. Hunt SystemBC artifacts actively — TCP connections on ports 4000–4200 to unfamiliar external IPs, SOCKS5 tunnel establishment from internal servers, process injection into svchost.exe or explorer.exe

2. Monitor for EDR process termination events — particularly around Windows Defender, CrowdStrike Falcon, SentinelOne agent processes being killed or suspended

3. ESXi: Restrict management interface access — SSH and the host client should be reachable only from jump hosts, enforced with the host's own firewall rulesets and not just upstream ACLs; keep the ESXi shell disabled when not in use, and forward /var/log/shell.log, which records every interactive vim-cmd and esxcli invocation, to the SIEM

4. Tox C2 communications — Tox is peer-to-peer with no central server, so there is no single domain to sinkhole: block outbound Tox traffic at the network boundary (the default bootstrap port is UDP/TCP 33445) and flag DNS queries to .tox.chat or bootstrap.dht.c0.io

5. Multi-OS backup segregation — Backup infrastructure for NAS and Linux servers must not trust Windows domain authentication: separate credentials, no AD-joined backup hosts, and at least one immutable or offline copy, so that a domain compromise cannot reach the backups
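As an added example (not code from the page, from Check Point, or from any Gentlemen tooling), here is a small Python hunt over Zeek-style connection records that implements playbook item 1 and the SystemBC staging model described in the Check Point section above: it flags internal-to-external sessions that use the page's 4000–4200 range, stay open for a long time, or start with a plaintext RFC 1928 SOCKS5 greeting. The internal ranges, the egress allowlist, the 600-second threshold, and the sample records are constructed for the example. SystemBC's own bot-to-C2 traffic is encrypted, so the greeting check will not see SystemBC itself on the wire; it catches plaintext proxy tunnels in general, which a server should never be opening outbound anyway.

```python
import ipaddress
from dataclasses import dataclass

# Assumptions for this example (constructed, not from the page or the Check Point report):
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EGRESS_ALLOWLIST = {"203.0.113.10"}   # a known vendor endpoint; real lists come from asset inventory
SUSPECT_PORTS = range(4000, 4201)     # the page's stated SystemBC range; per-build, so low confidence
LONG_LIVED_SECONDS = 600              # a session held open this long from a server is worth a look


@dataclass
class Conn:
    """One connection record, Zeek conn.log style (fields trimmed to what the hunt uses)."""
    uid: str
    src: str
    dst: str
    dport: int
    duration: float             # seconds the session stayed open
    first_payload: bytes = b""  # first client-to-server bytes, if the sensor captured them


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_socks5_greeting(payload: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS=n, then n method bytes; 0xFF is never offered."""
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    n = payload[1]
    if n == 0 or len(payload) < 2 + n:
        return False
    return all(m != 0xFF for m in payload[2:2 + n])


def score_conn(c: Conn) -> list[str]:
    """Reasons this connection resembles a SystemBC-style tunnel; empty list means nothing tripped."""
    if not is_internal(c.src) or is_internal(c.dst) or c.dst in EGRESS_ALLOWLIST:
        return []  # only internal -> unfamiliar external sessions matter for this hunt
    reasons = []
    if c.dport in SUSPECT_PORTS:
        reasons.append(f"dport {c.dport} in 4000-4200 to unfamiliar external host {c.dst}")
    if c.duration >= LONG_LIVED_SECONDS:
        reasons.append(f"long-lived outbound session ({c.duration:.0f}s) from {c.src}")
    if is_socks5_greeting(c.first_payload):
        reasons.append("plaintext SOCKS5 greeting sent outbound (a proxy tunnel, whatever the malware)")
    return reasons


def hunt(conns: list[Conn]) -> dict[str, list[str]]:
    """Map uid -> reasons for every connection that tripped at least one check; triage by count."""
    hits = {}
    for c in conns:
        reasons = score_conn(c)
        if reasons:
            hits[c.uid] = reasons
    return hits


# Constructed sample records; c1 is the intended SystemBC-like tunnel.
SAMPLE_CONNS = [
    Conn("c1", "10.20.5.14", "198.51.100.23", 4044, 7200.0, bytes([0x05, 0x01, 0x00])),
    Conn("c2", "10.20.5.14", "203.0.113.10", 4100, 3000.0),                 # allowlisted vendor endpoint
    Conn("c3", "10.20.7.2", "198.51.100.40", 443, 12.0, b"\x16\x03\x01"),   # TLS ClientHello, short
    Conn("c4", "10.20.9.9", "10.20.9.10", 4000, 9000.0),                     # internal to internal
    Conn("c5", "10.20.3.3", "192.0.2.77", 8443, 4000.0),                     # long-lived only: triage, not alert
]

if __name__ == "__main__":
    for uid, reasons in hunt(SAMPLE_CONNS).items():
        print(uid, "->", "; ".join(reasons))
```

Only c1 trips all three checks; c5 trips the duration check alone and belongs in a triage queue rather than a page. Feeding real Zeek conn.log output in requires only mapping id.orig_h, id.resp_h, id.resp_p and duration onto Conn, and the first-payload bytes come from a sensor that keeps them (Zeek's payload, or a PCAP carve), which most flow collectors do not.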

Against ShinyHunters / UNC3944

1. FIDO2 hardware keys for IT help desk workflows — SIM swap and push bombing are defeated by phishing-resistant MFA; this is table stakes now. Pair it with a strict identity-verification process for factor resets, because the help-desk reset is precisely how this group replaces a victim's factor with its own

2. Okta FastPass + device trust — Enforce device posture checks on all admin-level Okta sessions; alert on admin grants from unmanaged devices

3. Monitor bulk SaaS export events — Google Workspace Vault exports, Microsoft 365 Compliance Center e-discovery, Salesforce data exports from new or unusual accounts

4. AWS S3 GetObject spike detection — Data staging before exfiltration often manifests as unexpected spikes in S3 GetObject API calls from internal principals

5. Entra ID / Azure AD audit log forwarding — Real-time SIEM ingestion of the AuditLogs and SigninLogs tables; alert on conditional access policy modifications and new OAuth application consent grants
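The detection items above map directly onto Okta System Log data. The following Python is an added example, not Lyrie's product logic or Okta's code: it triages constructed System Log events for three real event types (user.session.start, user.mfa.factor.reset_all, user.account.privilege.grant) and then correlates a help-desk MFA reset with a later login from outside the user's baseline, which is the access pattern item 1 and the ADT narrative describe. The per-user country baseline, the UTC business-hours window, the 24-hour correlation window, and every event record are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumptions for this example (constructed, not from the page): a per-user baseline of
# countries seen recently, business hours in UTC, and a correlation window.
BASELINE_COUNTRIES = {"jdoe@example.com": {"US"}, "helpdesk@example.com": {"US"}}
BUSINESS_HOURS_UTC = range(8, 18)
CHAIN_WINDOW_HOURS = 24


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _country(e: dict):
    return e.get("client", {}).get("geographicalContext", {}).get("country")


def _actor(e: dict) -> str:
    return e.get("actor", {}).get("alternateId", "?")


def triage(e: dict) -> list[tuple[str, str]]:
    """Per-event findings as (severity, message); an empty list means nothing of interest."""
    findings = []
    et = e.get("eventType", "")
    actor = _actor(e)
    targets = [t.get("alternateId") for t in e.get("target", [])]
    if et == "user.account.privilege.grant":
        findings.append(("HIGH", f"admin privilege granted to {targets} by {actor}"))
    if et == "user.mfa.factor.reset_all" and targets and targets[0] != actor:
        findings.append(("HIGH", f"MFA reset for {targets[0]} performed by {actor} (help-desk reset path)"))
    if et == "user.session.start" and e.get("outcome", {}).get("result") == "SUCCESS":
        country = _country(e)
        known = BASELINE_COUNTRIES.get(actor, set())
        if country and country not in known:
            findings.append(("MEDIUM", f"session for {actor} from {country}; baseline {sorted(known) or 'none'}"))
        ts = parse_ts(e["published"])
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS_UTC:
            findings.append(("LOW", f"off-hours session for {actor} at {ts.isoformat()}"))
    return findings


def triage_all(events: list[dict]) -> dict[str, list[tuple[str, str]]]:
    """Map event uuid -> findings for every event that produced at least one."""
    out = {}
    for e in events:
        f = triage(e)
        if f:
            out[e["uuid"]] = f
    return out


def chain_alerts(events: list[dict]) -> list[str]:
    """Correlate a third-party MFA reset with a later login from outside the user's baseline."""
    resets = defaultdict(list)  # target user -> times someone else reset their factors
    for e in events:
        if e.get("eventType") == "user.mfa.factor.reset_all":
            for t in e.get("target", []):
                if t.get("alternateId") != _actor(e):
                    resets[t["alternateId"]].append(parse_ts(e["published"]))
    alerts = []
    for e in events:
        if e.get("eventType") != "user.session.start":
            continue
        user, ts, country = _actor(e), parse_ts(e["published"]), _country(e)
        if country in BASELINE_COUNTRIES.get(user, set()):
            continue
        for r in resets.get(user, []):
            if 0 <= (ts - r).total_seconds() <= CHAIN_WINDOW_HOURS * 3600:
                alerts.append(f"CRITICAL {user}: MFA reset by another account at {r.isoformat()} "
                              f"then login from {country} at {ts.isoformat()}")
                break
    return alerts


def _ev(uuid, et, published, actor, target=None, country="US", result="SUCCESS"):
    """Build a constructed System Log event carrying only the fields this triage reads."""
    return {
        "uuid": uuid, "eventType": et, "published": published,
        "actor": {"type": "User", "alternateId": actor},
        "target": [{"type": "User", "alternateId": target}] if target else [],
        "client": {"ipAddress": "203.0.113.5", "geographicalContext": {"country": country}},
        "outcome": {"result": result},
    }


# Constructed sample: a help-desk MFA reset on a Friday evening, a login from a new country
# six minutes later, then an admin grant; e4 and e5 are routine and should stay quiet.
SAMPLE_EVENTS = [
    _ev("e1", "user.mfa.factor.reset_all", "2026-04-24T22:15:00Z", "helpdesk@example.com", "jdoe@example.com"),
    _ev("e2", "user.session.start", "2026-04-24T22:21:00Z", "jdoe@example.com", country="GB"),
    _ev("e3", "user.account.privilege.grant", "2026-04-24T22:40:00Z", "jdoe@example.com", "persist@example.com"),
    _ev("e4", "user.session.start", "2026-04-22T10:05:00Z", "jdoe@example.com"),
    _ev("e5", "user.mfa.factor.reset_all", "2026-04-22T10:06:00Z", "jdoe@example.com", "jdoe@example.com"),
]

if __name__ == "__main__":
    for uuid, findings in triage_all(SAMPLE_EVENTS).items():
        for sev, msg in findings:
            print(uuid, sev, msg)
    for a in chain_alerts(SAMPLE_EVENTS):
        print(a)
```

In production the baseline comes from 60–90 days of successful sign-ins per user, and the correlation should also pull in device-trust state from the session's client.device field and the Entra sign-in for the same principal. The point of the chain function is that a reset-then-new-geography pair is a far stronger signal than either event alone, and it fires before the bulk export item 3 is watching for has a chance to run.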

Against Fake-Victim Extortion (0APT-style)

1. Verify breach claims before paying — Any extortion demand should be met with a request for proof-of-data: demand a specific internal file that could only exist in your environment. 0APT-style operations collapse under this challenge

2. Cyber insurance notification timing — Fake leak claims that trigger a policy notification without a real breach can create unnecessary regulatory exposure; consult counsel before acting on unverified claims

3. Dark web monitoring for your brand — You want to know when your organization appears on a leak site before your customers do; dark web monitoring with alert SLAs under 4 hours is now baseline


Sources

1. ZeroFox Q1 2026 Ransomware & Digital Extortion Report — at least 2,059 R&DE incidents in Q1 2026, March: 747 incidents — April 2026

2. ReliaQuest Threat Spotlight: Ransomware and Cyber Extortion in Q1 2026 — 2,638 leak posts, +22% YoY; The Gentlemen +588% QoQ — April 27, 2026 (reliaquest.com)

3. Check Point Research: DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy — multi-OS locker portfolio, 1,570+ SystemBC victims, Go+C architecture — April 20, 2026 (research.checkpoint.com)

4. Infosecurity Magazine: The Gentlemen Ransomware Expands With Rapid Affiliate Growth — SystemBC blocking, pivot to RDP/remote access software — April 23, 2026 (infosecurity-magazine.com)

5. Halcyon Ransomware Research Center: 0APT vs. KryBit Ransomware Actors List Opposing Operators as Victims — full timeline, fabricated victims confirmed, Everest SQL DB leak — April 2026 (halcyon.ai)

6. Dark Reading: Feuding Ransomware Groups Leak Each Other's Data — KryBit 80/20 model, admin panel leak, 20 victims, $40K–$100K demands — April 28, 2026 (darkreading.com)

7. Infosecurity Magazine: Ransomware Turf War as 0APT and KryBit Groups Trade Blows — Android SD card infrastructure, KryBit defacement, Oliver Newbury quote — April 28, 2026 (infosecurity-magazine.com)

8. DeXpose: ShinyHunters Launch Ransomware Attack on ADT, Inc. — April 24, 2026 breach claim — April 2026 (dexpose.io)

9. KrebsOnSecurity: Scattered Spider Member 'Tylerb' Pleads Guilty — Tyler Robert Buchanan, wire fraud conspiracy, aggravated identity theft — April 2026 (krebsonsecurity.com)


Lyrie.ai Cyber Research Division — Senior Analyst Desk

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.