How 0apt is Using Random Noise to Fake a Ransomware Empire
When the group calling itself 0apt surfaced on the dark web earlier this month, the numbers were a gut punch. Usually a new ransomware operation builds its name slowly, one victim at a time. 0apt took a shortcut by posting a list of 190 companies all at once, a hit list that covered almost every major industry.

But as we started checking the group's claims, we found something strange. While the group initially populated its site with a string of low-tier, nameless garbage companies, it has recently pivoted to a much more dangerous game. The list now features some of the world's most recognizable corporate titans, from medical technology leaders to defense contractors.

The group's vibe-coded leak site is the usual minimalist page common on the dark web, offering a download button for each victim. Yet anyone who clicks it is walking into a trap, not of malware but of wasted time. The downloads are infinite streams of random data built on the fly. There are no folders of internal emails, no spreadsheets of customer data and no social security numbers.

It is a scam built entirely on white noise.

The trick is simple, but it works. According to researchers who watched the traffic, the group's servers are likely piping a stream of /dev/random, a standard computer tool for making random bits, straight into the user's browser.

This creates a solid illusion. To a network monitor, the jumble of data looks exactly like a massive encrypted file. There are no magic bytes, the digital signatures at the start of a file that tell a computer it is looking at a ZIP or a PDF, to give the game away.

Worse, the group masks the file size to look like hundreds of gigabytes. Because the Tor network is notoriously slow, an analyst can spend a week downloading what they think is a smoking gun, only to find they have spent days capturing a mountain of useless binary static.

Why bother with a fake leak? The answer is corporate fear.

We are seeing a move toward commodifying the PR crisis. For a Fortune 500 company, the technical facts often matter less than the headline. If a company's name shows up on a leak site next to a 200GB download link, the stock price doesn't wait for a forensic team to check the file.

By upgrading their victim list to include blue-chip names like Keysight Technologies, Hologic, Align Technology and The Mayo Clinic, 0apt is deliberately raising the stakes. They are betting that for some of these victims, the risk of a real breach is too high to ignore. They are hoping a lawyer or a board of directors will authorize a payment just to get their name off the list, essentially paying a ransom for data that was never stolen.

By flooding the zone with 190 victims, 0apt also gamed the automated systems the security industry uses to track threats. News bots and data aggregators that scrape the dark web for new victims treated the 0apt list as fact, accidentally spreading the group's name and giving the bluff a sense of scale.

The reality is that 0apt is more of a carnival barker than a sophisticated hacker. They have no secret exploits, no access to corporate networks and no leverage, as long as the victim is patient enough to see that the stolen data does not exist.

In the case of 0apt, the best defense isn't a better firewall but just a healthy dose of skepticism.

Update 02/05/26, 06:00 am EST:

It seems 0apt has been removed from https://www.ransomware.live with the comment: "The group appears unreliable. Most, if not all, of its alleged victims cannot be verified and appear to be randomly selected organizations. WE HAVE DECIDED TO REMOVE ENTRIES FOR THIS GROUP."
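As an added example, not code from the article or from the researchers it cites, here is a short Python triage for the "white noise" trick described above: sample the first few kilobytes of a download twice instead of pulling the advertised hundreds of gigabytes. A static archive starts with recognizable magic bytes and returns the same leading bytes on every request, whereas a stream generated on the fly from /dev/random has no magic, near-8-bit entropy and differs between fetches. The sample inputs are constructed in memory; the 7.5 bits/byte threshold and the two-fetch comparison are heuristics I chose, not anything the article states.

```python
import io
import math
import os
import zipfile
from collections import Counter

# Magic-byte prefixes a genuine leak archive would typically start with.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"\x1f\x8b": "gzip",
}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Random and encrypted data both sit near 8.0,
    so entropy alone cannot tell /dev/random from a real encrypted archive."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def identify_magic(sample: bytes):
    """Return the format name if the sample starts with a known signature."""
    for prefix, name in MAGIC.items():
        if sample.startswith(prefix):
            return name
    return None

def triage(first_fetch: bytes, second_fetch: bytes) -> dict:
    """Heuristic verdict from two short samples of the same download URL.
    A static file yields identical leading bytes each time; a stream built
    on the fly from /dev/random does not, and carries no magic bytes."""
    magic = identify_magic(first_fetch)
    entropy = shannon_entropy(first_fetch)
    stable = first_fetch == second_fetch
    likely_noise = magic is None and entropy > 7.5 and not stable  # heuristic
    return {"magic": magic, "entropy": round(entropy, 2),
            "stable_across_fetches": stable, "likely_noise": likely_noise}

def make_noise_sample(size: int = 4096) -> bytes:
    """Constructed stand-in for one 4 KB slice of the fake 'leak' stream."""
    return os.urandom(size)

def make_zip_sample(size: int = 4096) -> bytes:
    """Constructed stand-in for a genuine leak archive (a real ZIP in memory)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("customers.csv", "id,email\n" + "1,a@example.invalid\n" * 500)
    return buf.getvalue()[:size]

if __name__ == "__main__":
    print(triage(make_noise_sample(), make_noise_sample()))  # likely_noise: True
    real = make_zip_sample()
    print(triage(real, real))  # magic: zip, likely_noise: False
```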