DARK Web Profile: 0APT Ransomware describes 0APT, also known as the 0APT Syndicate, as a ransomware-as-a-service operation that surfaced in late January 2026, with the group quickly listing hundreds of high‑profile victims on its dark web leak site. According to SOCRadar, 0APT first appeared publicly around 28 January 2026 and framed itself as a politically neutral business syndicate targeting major entities across multiple sectors.
The profile suggests a “spray and pray” approach, claiming victims in North America, Europe, Asia and the Middle East, and highlights high‑value targets such as Critical Infrastructure & Energy, Healthcare & Pharma, Finance & Banking, and Industrial & Manufacturing, though technical analyses cast doubt on the group’s sophistication.
It notes claims of using a hybrid encryption scheme, allegedly AES‑256 with Salsa20, and that negotiations occur via Session Messenger, while analysts have observed many 0‑byte files in data leaks, implying data may not be as stolen as claimed. The piece concludes that 0APT might be a fake operation or scam, and recommends rigorous data integrity checks and vulnerability hardening as defences.