Cybersecurity researchers have spotted a potent new ransomware strain being used in the wild
Briefly

Huntress has identified a new ransomware variant named 'Crux', linked to the BlackByte group, that has already appeared in the wild. Three incidents involving this variant were recorded in July, with the first attack impacting seven endpoints. Attack activity included disabling Windows recovery and executing commands indicative of lateral movement. In one case, the initial access vector was the use of valid credentials via Remote Desktop Protocol. The ransomware executable ran from varying paths and under varying names, and its hash was unique to each deployment.
The ransomware executable has been seen running from different folders and with different names on each endpoint. The executable file hashes were different for each incident.
For the first two observed incidents we were unable to determine the initial access vector, but for the third, we found that the initial access vector was the use of valid credentials via Remote Desktop Protocol.
Read at IT Pro