Getting to the Crux (Ransomware) of the Matter
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A new ransomware variant named Crux has been identified, claiming association with the BlackByte group. Observed in three separate incidents, Crux encrypts files, appending a .crux extension, and leaves ransom notes. Initial access appears to involve Remote Desktop Protocol (RDP) using valid credentials. The ransomware executable, which varies in name and location, follows a distinct process tree involving svchost.exe, cmd.exe, and bcdedit.exe. It disables system recovery to hinder restoration attempts. Data exfiltration using Rclone was observed in one incident. The threat actor demonstrates prior knowledge of the targeted infrastructures and prefers to use legitimate Windows processes. While the group claims BlackByte affiliation, this has not been independently verified.
OPENCTI LABELS:
ransomware,data exfiltration,rdp,process injection,rclone,svchost,bcdedit,crux