Cybersecurity researchers have spotted a potent new ransomware strain being used in the wild
Huntress has warned organizations to secure exposed RDP instances and monitor for suspicious activity


Cybersecurity firm Huntress has uncovered a new ransomware variant that's already been used in the wild.
With the attackers claiming to be part of the notorious BlackByte ransomware group, the new variant, called ‘Crux’, marks a “disturbing” evolution in their capabilities.
According to Huntress, researchers have already spotted three cases of Crux being deployed this month alone.
The first incident was detected across seven endpoints linked to one organization on July 4th. The activity across these endpoints varied, Huntress noted.
On some, the threat actor had disabled Windows recovery via bcdedit.exe and triggered canary reports, while on others further activity was detected, such as remote registry dumps, driver installations, and the use of Rclone.
On the same day, a separate incident involving bcdedit.exe resulted in ransomware canary files being tripped. Based on EDR telemetry, the threat actor appeared to have created user accounts and executed commands that were indicative of lateral movement, before disabling Windows recovery and deploying the ransomware.
Meanwhile, the third incident, recorded on July 13th, showed that the threat actor compromised and used a user support account. In this instance, Huntress said the attackers also accessed the endpoint via the administrator account.
"For the first two observed incidents we were unable to determine the initial access vector due to various factors. However, for the third incident, we found that the initial access vector was the use of valid credentials via [Remote Desktop Protocol] RDP," said Huntress.
"The ransomware executable has been seen running from different folders (e.g., temp folder, C:\Windows, etc.) and with different names on each endpoint. The executable file hashes were different for each incident/impacted organization."
Huntress noted that once the executable is launched, it produces a distinctive process tree that runs from the unsigned ransomware binary - through svchost.exe, cmd.exe, and bcdedit.exe - before files are encrypted.
The attackers also exhibit rapid deployment and data exfiltration attempts using tools like rclone.exe.
The attackers also show clear signs of prior knowledge of the victim's infrastructure. In the third incident, for example, the ransomware was launched within seven minutes of an initial test login, apparently made with valid credentials to verify access, and within 90 seconds of the interactive login during which it was deployed.
Notably, the executables have been launched with identifiers that appear to be unique to each organization that was targeted.
What you need to know about BlackByte
BlackByte is a ransomware-as-a-service (RaaS) group that’s been on the scene since 2021 and has used multiple ransomware variants over the years, according to Huntress.
The group has claimed responsibility for a number of attacks in the US and elsewhere, often targeting critical infrastructure such as government facilities, financial institutions, and food and agriculture organizations.
Huntress advises organizations to act quickly to avoid falling victim to the threat.
"While we have limited insight into the initial access vector here, given the fact that in one incident the adversary appeared to target RDP, it’s important to act on our continual advice to secure exposed RDP instances," said Huntress.
"The threat actor also clearly has a preference for legitimate processes like bcdedit.exe and svchost.exe, so continual monitoring for suspicious behavior using these processes via endpoint detection and response (EDR) can help suss out threat actors in your environment."
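As an added illustration of the monitoring advice above (this is not code from Huntress or from the article): a small Python routine that walks constructed EDR process telemetry, picks out bcdedit.exe runs that disable Windows recovery, and reports whether the parent chain matches the cmd.exe / svchost.exe / unsigned-binary tree described earlier. The bcdedit argument strings, the telemetry record layout and the sample process names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # executable name as reported by the EDR sensor
    cmdline: str
    signed: bool   # True if the image carries a valid Authenticode signature

# Widely used bcdedit switches that turn off recovery (assumption: the article only says "disabled Windows recovery via bcdedit.exe").
RECOVERY_TAMPER = ("recoveryenabled no", "bootstatuspolicy ignoreallfailures")
def disables_recovery(cmdline: str) -> bool:
    normalised = " ".join(cmdline.lower().split())   # case and spacing tolerant
    return any(frag in normalised for frag in RECOVERY_TAMPER)

def ancestry(events, pid):
    """Process records from pid up to the root, child first (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain

def find_recovery_tampering(events):
    """One finding per bcdedit.exe that disables recovery; 'crux_pattern' is True
    when its parents are exactly cmd.exe <- svchost.exe <- an unsigned binary."""
    findings = []
    for e in events:
        if e.image.lower() != "bcdedit.exe" or not disables_recovery(e.cmdline):
            continue
        parents = ancestry(events, e.pid)[1:]
        unsigned = next((p.image for p in parents if not p.signed), None)
        crux_pattern = ([p.image.lower() for p in parents[:2]] == ["cmd.exe", "svchost.exe"]
                        and len(parents) > 2 and not parents[2].signed)
        findings.append({"pid": e.pid, "unsigned_ancestor": unsigned,
                         "crux_pattern": crux_pattern})
    return findings

# Constructed telemetry, not from the incident: the described tree rooted in an unsigned binary, plus a benign bcdedit query.
SAMPLE_EVENTS = [
    ProcEvent(200, 100, "update.exe",  r"C:\Windows\Temp\update.exe", False),
    ProcEvent(300, 200, "svchost.exe", "svchost.exe", True),
    ProcEvent(400, 300, "cmd.exe",     "cmd.exe /c bcdedit /set {default} recoveryenabled No", True),
    ProcEvent(500, 400, "bcdedit.exe", "bcdedit /set {default} recoveryenabled No", True),
    ProcEvent(600, 100, "bcdedit.exe", "bcdedit /enum", True),
]
```

Running `find_recovery_tampering(SAMPLE_EVENTS)` flags only pid 500, naming update.exe as the unsigned ancestor; the `/enum` query produces no finding.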
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.