Auckland-based IT services provider Dencom New Zealand has been named on the darknet leak site of Krybit, a newly emerged ransomware operation. The listing, first reported by Cyber Daily on 15 April 2026, makes Dencom one of 16 victims claimed by the group since it surfaced earlier this month. Krybit posted the Dencom entry on 12 April and set a ransom payment deadline of 22 April 2026.

What Happened

Krybit, a ransomware crew first observed in April 2026, added Dencom New Zealand to its dark web victim portal on 12 April. The group has issued a ten-day countdown, threatening to publish or sell exfiltrated data if the company does not meet ransom demands by 22 April. Dencom has not, at the time of writing, issued a public statement confirming or denying the intrusion. The listing follows the standard double-extortion pattern, where stolen data is leveraged alongside any encryption activity to pressure payment.

What Was Taken

Krybit has not yet publicly disclosed sample files, file trees, or volume estimates for the Dencom data set on its leak portal. As an IT managed services provider, Dencom typically holds sensitive material on behalf of downstream customers, including network architecture documentation, administrative credentials, remote access configurations, backup repositories, and client business records. Any successful intrusion against an MSP carries heightened risk of data theft cascading into the customer base. Until Krybit publishes proof packs, the precise scope and sensitivity of compromised data remain unconfirmed.

Why It Matters

The Dencom listing is significant on two fronts. First, it underscores the velocity of Krybit's operation: 16 claimed victims in roughly two weeks points to an active affiliate program, a previously dormant crew rebranding, or an operator with a stockpile of pre-staged accesses. Second, attacks on IT service providers are inherently supply-chain events. A breach of an MSP's tooling, RMM platforms, or credential vaults can be weaponised against every client environment the provider touches, turning a single intrusion into dozens of downstream incidents.

The Attack Technique

Krybit has not published technical indicators tied to the Dencom intrusion, and no initial access vector has been disclosed by the group or by Dencom. New ransomware operations typically lean on commodity access brokers, exposed remote services such as VPN appliances and RDP, unpatched edge devices, and phishing for credential theft. Defenders should treat any of these vectors as plausible until Krybit's tradecraft is more thoroughly mapped through victim disclosures and incident response reporting.

What Organizations Should Do

  1. MSP customers of Dencom should proactively rotate any credentials, API keys, and certificates shared with the provider and audit recent administrative activity on integrated systems.
  2. Hunt for unauthorised use of RMM tooling, lateral movement from MSP jump hosts, and unexpected scheduled tasks or service installations.
  3. Validate offline, immutable backup integrity and confirm restoration procedures meet recovery time objectives in a worst-case scenario.
  4. Review and tighten exposure of edge services such as VPN, RDP, and management interfaces; enforce phishing-resistant MFA on every administrative path.
  5. Subscribe to threat intelligence feeds tracking Krybit listings and proactively monitor the group's leak portal for any Dencom data drops after 22 April.
  6. Brief executive leadership on supplier concentration risk and ensure incident response playbooks include third-party compromise scenarios.
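
As an added illustration of the hunt in step 2 (not code from Cyber Daily, Dencom, or any vendor), the sketch below correlates Windows Security events: a remote logon (4624) from an MSP jump host followed shortly by a scheduled task creation (4698) or service installation (4697) by the same account on the same host. The jump-host addresses, the 30-minute window, the flattened record layout and the sample events are all assumptions constructed for the example, and it presumes those audit events are being collected.

```python
from datetime import datetime, timedelta

# Assumed values, not from the article: jump-host IPs (documentation range),
# the correlation window, and the flattened JSON-style record layout.
MSP_JUMP_HOSTS = {"203.0.113.10", "203.0.113.11"}
WINDOW = timedelta(minutes=30)
REMOTE_LOGON_TYPES = {3, 10}  # 3 = network, 10 = RemoteInteractive (RDP)
PERSISTENCE = {4698: "scheduled task created", 4697: "service installed"}

# Constructed sample events (4624 = successful logon).
EVENTS = [
    {"ts": "2026-04-10T02:14:05", "host": "FS01", "id": 4624, "user": "msp-admin",
     "ip": "203.0.113.10", "logon_type": 10},
    {"ts": "2026-04-10T02:20:41", "host": "FS01", "id": 4698, "user": "MSP-Admin",
     "object": "\\Updater"},
    {"ts": "2026-04-10T03:30:00", "host": "FS01", "id": 4697, "user": "msp-admin",
     "object": "svc-sync"},          # same account, but outside the window
    {"ts": "2026-04-10T09:00:00", "host": "APP02", "id": 4624, "user": "jsmith",
     "ip": "10.0.5.20", "logon_type": 3},
    {"ts": "2026-04-10T09:05:00", "host": "APP02", "id": 4698, "user": "jsmith",
     "object": "\\NightlyReport"},   # internal admin, not from a jump host
    {"ts": "2026-04-10T02:25:00", "host": "DC01", "id": 4624, "user": "msp-admin",
     "ip": "203.0.113.11", "logon_type": 3},
    {"ts": "2026-04-10T02:26:30", "host": "DC01", "id": 4697, "user": "msp-admin",
     "object": "helper-svc"},
]

def hunt(events, jump_hosts=MSP_JUMP_HOSTS, window=WINDOW):
    """Flag task/service creation that follows a remote logon from an MSP
    jump host by the same account on the same host within `window`."""
    last_logon = {}  # (host, lowercased user) -> (logon time, source IP)
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], ev["user"].lower())
        if ev["id"] == 4624:
            if ev["ip"] in jump_hosts and ev["logon_type"] in REMOTE_LOGON_TYPES:
                last_logon[key] = (ts, ev["ip"])
        elif ev["id"] in PERSISTENCE and key in last_logon:
            logon_ts, src = last_logon[key]
            if ts - logon_ts <= window:
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "event_id": ev["id"], "what": PERSISTENCE[ev["id"]],
                                 "object": ev["object"], "source_ip": src})
    return findings

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f)
```

Hits are leads to triage against the provider's change records rather than confirmed compromise, since legitimate MSP maintenance produces the same event sequence.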

Sources: Exclusive: Krybit hackers claim breach of New Zealand IT services provider - Cyber Daily