The newly identified Crux ransomware variant claims association with the BlackByte group and has been observed in three separate incidents, primarily using RDP for initial access. The ransomware employs a unique process chain involving svchost.exe and bcdedit.exe to disable system recovery before encrypting files. #Crux #BlackByte #RDP
Keypoints
- Crux ransomware is a previously unknown variant claiming affiliation to the BlackByte ransomware group.
- It has been observed in three incidents, with encrypted files ending in the .crux extension and ransom notes named crux_readme_[random].txt.
- The initial access vector in one incident was confirmed as valid credential use via Remote Desktop Protocol (RDP).
- The ransomware executes through a distinctive process tree: an unsigned executable launching svchost.exe, which then runs cmd.exe and bcdedit.exe to disable system recovery before encryption.
- Different executable names and hashes were used on each infected endpoint, with unique identifiers passed as command line arguments (-a or -s).
- Incidents included activities such as disabling recovery, remote registry dumps, driver installations, and use of rclone indicating data exfiltration.
- The threat actors use legitimate Windows processes to mask their actions and complicate recovery efforts.
MITRE Techniques
- [T1021] Remote Services – Initial access via RDP using valid credentials is indicated by the login and deployment timing (“the ransomware was launched within seven minutes of an initial test login”).
- [T1055] Process Injection – The ransomware leverages svchost.exe with unique command line arguments to disguise its execution (“the ransomware executable launches the legitimate svchost.exe, albeit with a distinctive command line”).
- [T1490] Inhibit System Recovery – The execution of bcdedit.exe modifies boot configurations to disable recovery options (“bcdedit.exe, which modifies the boot configurations and disables system recovery”).
- [T1486] Data Encrypted for Impact – The ransomware encrypts files and appends the .crux extension to the encrypted files.
- [T1005] Data from Local System – Usage of rclone.exe indicates data exfiltration (“the user administrator executing rclone.exe … indicating data exfiltration”).
- [T1087] Account Discovery – Creation of user accounts and lateral movement observed in incident two (“the threat actor created user accounts and executed commands that were indicative of lateral movement”).
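The process chain in the key points and the T1055/T1490 entries above describe a pattern that is easy to hunt for in endpoint telemetry: svchost.exe spawned by something other than services.exe, followed by cmd.exe and bcdedit.exe disabling recovery, all descending from an unsigned binary. The script below is an added example, not code from the original report or from the researchers behind it. It walks Sysmon-style process-creation records (the records, PIDs, user names and the `-a` argument value are constructed for this example; the SHA-256 values and the `C:\Windows\JZpS4GsG.exe` path are the ones listed in the IoC section) and flags the chain, the recovery-disabling bcdedit invocation, rclone execution, and known-bad hashes.

```python
"""Hunt for the Crux-style execution chain in Sysmon ID 1 (ProcessCreate) records.

Added example. The EVENTS below are constructed for illustration and are not telemetry
from the incidents in the report; only the hashes and the JZpS4GsG.exe path come from
the page's IoC list.
"""
import ntpath
import re

# SHA-256 values of the ransomware executables taken from the IoC section.
CRUX_HASHES = {
    "c96d5a279c660bfa9b70b7b2d78de951daff80fe6ad5617882587cb8e971e88b",
    "667b7220f5df1b31dd2dd3d4aa1fedb4fdd2e8e5926cdacd744da7a7c6635932",
    "b45e6cce412d9968e7ea67466076e7bd2d533598a9dc182699c84a0b1f72e3e4",
}

# bcdedit switches that turn off Windows recovery / automatic repair (T1490).
RECOVERY_OFF = re.compile(
    r"recoveryenabled\s+(no|off|0)|bootstatuspolicy\s+ignoreallfailures", re.I
)

# Constructed sample telemetry: one Crux-like chain plus benign noise.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "signed": True, "user": "CORP\\administrator"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\services.exe",
     "cmdline": "services.exe", "signed": True, "user": "NT AUTHORITY\\SYSTEM"},
    # benign: services.exe is the expected parent of svchost.exe
    {"pid": 900, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p", "signed": True, "user": "NT AUTHORITY\\SYSTEM"},
    # unsigned dropper (path and hash from the IoC list; "-a 0c2f9e" is a constructed value)
    {"pid": 4100, "ppid": 100, "image": r"C:\Windows\JZpS4GsG.exe",
     "cmdline": "JZpS4GsG.exe -a 0c2f9e", "signed": False, "user": "CORP\\administrator",
     "sha256": "c96d5a279c660bfa9b70b7b2d78de951daff80fe6ad5617882587cb8e971e88b"},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -a 0c2f9e", "signed": True, "user": "CORP\\administrator"},
    {"pid": 4130, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c bcdedit /set {default} recoveryenabled No",
     "signed": True, "user": "CORP\\administrator"},
    {"pid": 4140, "ppid": 4130, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No",
     "signed": True, "user": "CORP\\administrator"},
    # benign: an administrator just listing the boot store
    {"pid": 6000, "ppid": 100, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum", "signed": True, "user": "CORP\\administrator"},
    {"pid": 5000, "ppid": 100, "image": r"C:\Users\admin\Desktop\rclone.exe",
     "cmdline": "rclone.exe copy D:\\share remote:bucket", "signed": True,
     "user": "CORP\\administrator"},
]


def base(image: str) -> str:
    """Lower-cased file name of an image path."""
    return ntpath.basename(image).lower()


def ancestors(by_pid: dict, pid: int) -> list:
    """Return [parent, grandparent, ...] of pid, stopping when the chain leaves the data."""
    chain, seen, ev = [], set(), by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        chain.append(ev)
    return chain


def detect(events: list) -> list:
    """Return (rule, pid, detail) tuples for every record that matches a hunt rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = base(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = base(parent["image"]) if parent else "<unknown>"
        # svchost.exe is normally a child of services.exe; any other parent is worth a look,
        # and an unsigned one matches the launch pattern described in the report.
        if name == "svchost.exe" and pname != "services.exe":
            findings.append(("svchost_unusual_parent", e["pid"], pname))
        # bcdedit.exe switching recovery off is the step that precedes encryption.
        if name == "bcdedit.exe" and RECOVERY_OFF.search(e["cmdline"]):
            findings.append(("bcdedit_disable_recovery", e["pid"], e["cmdline"]))
            # Walk upward: bcdedit -> cmd -> svchost -> unsigned root binary.
            chain = ancestors(by_pid, e["pid"])
            names = [base(a["image"]) for a in chain]
            root = next((a for a in chain if not a["signed"]), None)
            if "svchost.exe" in names and root is not None:
                findings.append(("crux_process_chain", root["pid"], root["image"]))
        # rclone.exe is legitimate tooling, but in this context it indicated exfiltration.
        if name == "rclone.exe":
            findings.append(("rclone_execution", e["pid"], e["user"]))
        # Direct IoC match on the image hash.
        if e.get("sha256", "").lower() in CRUX_HASHES:
            findings.append(("crux_ioc_hash", e["pid"], e["image"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:26} pid={pid:<6} {detail}")
```

The hash match is the weakest rule here, since the report notes a different executable name and hash on every endpoint; the parent-child checks on svchost.exe and the bcdedit argument match are what generalise across those incidents and are the ones worth promoting to a standing alert.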
Indicators of Compromise
- [File Hash] ransomware executables – c96d5a279c660bfa9b70b7b2d78de951daff80fe6ad5617882587cb8e971e88b (C:\Windows\JZpS4GsG.exe), 667b7220f5df1b31dd2dd3d4aa1fedb4fdd2e8e5926cdacd744da7a7c6635932 (C:\Temp\SSW.exe)
- [File Hash] ransomware executable – b45e6cce412d9968e7ea67466076e7bd2d533598a9dc182699c84a0b1f72e3e4 (C:\Users\[redacted]\Desktop\Unrips.exe)
- [Email Address] ransom support contact – [email protected]
- [File Name] ransom note format – crux_readme_[random].txt
- [File Name] malicious driver – C:\Windows\system32\drivers\cfxdlfvk.sys
- [Alert] Windows Defender detection – Behavior:Win32/RemoteRegDump.A associated with remote registry dumping activity