
“Crux” Ransomware Variant with BlackByte Ties Uncovered by Husain Parvez


Husain Parvez

Published on: August 10, 2025

Cybersecurity firm Huntress has identified a new ransomware strain known as “Crux,” which was observed in three separate incidents this July. The group behind Crux claims affiliation with the BlackByte ransomware-as-a-service operation, which has been active since 2021.

In each case, encrypted files used the .crux extension, and ransom notes followed the format crux_readme_[random].txt, listing BlackBCruxSupport@onionmail.org as the contact. The claimed affiliation with BlackByte remains unverified. Huntress also noted that “the ransomware executable has been seen running from different folders (e.g., temp folder, C:\Windows, etc.) and with different names on each endpoint,” so file path and file name alone are not reliable indicators.

The ransomware exhibits a consistent process pattern using legitimate Windows binaries. Huntress explained that once executed, the malware “has a distinctive process tree that progresses from the unsigned ransomware binary — through svchost.exe, cmd.exe, and bcdedit.exe — before encrypting files.”

This includes launching svchost.exe with custom command-line arguments, running cmd.exe, and invoking bcdedit.exe to modify the boot configuration so that Windows recovery is disabled, hampering victims’ restoration attempts. On a stock Windows host, svchost.exe is started by services.exe; an svchost.exe whose parent is an unsigned executable is therefore anomalous in its own right, before bcdedit.exe ever runs.

In the first incident, discovered on July 4 across seven endpoints, attackers used Rclone for data exfiltration and deployed drivers and registry dump tools. A separate incident that day showed user account creation and lateral movement, followed by ransomware deployment and recovery disablement.

By July 13, Huntress confirmed that valid Remote Desktop Protocol (RDP) credentials were used in a third attack. “For the third incident, we found that the initial access vector was the use of valid credentials via RDP,” Huntress reported.

In this case, the ransomware was launched within minutes of an initial login, suggesting prior knowledge of the environment. Executables were tagged with unique identifiers per victim, signaling targeted behavior.

Huntress warns that “it’s important to act on our continual advice to secure exposed RDP instances.” The firm also recommends monitoring legitimate tools such as bcdedit.exe and svchost.exe through endpoint detection and response (EDR) tooling, so that abuse of these binaries is flagged by their parent process and command line rather than by file name alone.
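As an added illustration, not code from Huntress or from the original article, the following Python shows one way to turn the process tree described above (unsigned binary, then svchost.exe, then cmd.exe, then bcdedit.exe) and the monitoring recommendation into a concrete check over process-creation telemetry. The sample records are constructed for this example: the pids, file paths, the `-run` argument on svchost.exe, and the `signed` field (assumed to come from EDR enrichment; stock Sysmon Event ID 1 does not carry it) are all assumptions, and the bcdedit.exe arguments are the ones commonly used by ransomware to disable Windows recovery, not arguments the article attributes to Crux.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style).
    'signed' is assumed to come from EDR enrichment (hypothetical field)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    signed: bool


# Constructed sample telemetry. Pids, paths and the '-run' argument are invented;
# only the shape of the chain follows the Huntress description.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(4, 0, "System", "", True),
    ProcEvent(500, 4, r"C:\Windows\System32\wininit.exe", "wininit.exe", True),
    ProcEvent(600, 500, r"C:\Windows\System32\services.exe", "services.exe", True),
    # legitimate svchost.exe: child of services.exe with a -k service group
    ProcEvent(700, 600, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p", True),
    ProcEvent(2200, 2000, r"C:\Windows\explorer.exe", "explorer.exe", True),
    # suspected ransomware: unsigned, running from a temp folder
    ProcEvent(3100, 2200, r"C:\Windows\Temp\xk39.exe", r"C:\Windows\Temp\xk39.exe", False),
    ProcEvent(3200, 3100, r"C:\Windows\System32\svchost.exe", "svchost.exe -run", True),
    ProcEvent(3300, 3200, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c bcdedit /set {default} recoveryenabled no", True),
    ProcEvent(3400, 3300, r"C:\Windows\System32\bcdedit.exe",
              "bcdedit /set {default} recoveryenabled no", True),
    ProcEvent(3500, 3300, r"C:\Windows\System32\bcdedit.exe",
              "bcdedit /set {default} bootstatuspolicy ignoreallfailures", True),
    # benign admin activity: explorer -> cmd -> bcdedit /enum (must not alert)
    ProcEvent(4100, 2200, r"C:\Windows\System32\cmd.exe", "cmd.exe", True),
    ProcEvent(4200, 4100, r"C:\Windows\System32\bcdedit.exe", "bcdedit /enum", True),
]

# bcdedit arguments that turn off automatic repair / recovery
RECOVERY_DISABLE = re.compile(
    r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", re.IGNORECASE
)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def index_by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestry(event: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Parent chain, nearest parent first; stops at an unknown ppid or a cycle."""
    chain, seen = [], {event.pid}
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def recovery_disable_events(events: List[ProcEvent]) -> List[ProcEvent]:
    """bcdedit.exe executions whose arguments disable Windows recovery."""
    return [e for e in events
            if basename(e.image) == "bcdedit.exe" and RECOVERY_DISABLE.search(e.cmdline)]


def misparented_svchost(events: List[ProcEvent]) -> List[ProcEvent]:
    """svchost.exe not started by services.exe is abnormal on a stock host."""
    by_pid = index_by_pid(events)
    out = []
    for e in events:
        if basename(e.image) != "svchost.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) != "services.exe":
            out.append(e)
    return out


def detect_crux_like_chain(events: List[ProcEvent]) -> List[dict]:
    """Alert when a recovery-disabling bcdedit.exe descends, in order, from
    cmd.exe, then svchost.exe, then an unsigned executable."""
    by_pid = index_by_pid(events)
    alerts = []
    for bcd in recovery_disable_events(events):
        chain = ancestry(bcd, by_pid)
        names = [basename(p.image) for p in chain]
        if names[:2] != ["cmd.exe", "svchost.exe"] or len(chain) < 3:
            continue
        root = chain[2]  # whatever launched svchost.exe
        if root.signed:
            continue
        alerts.append({
            "bcdedit_pid": bcd.pid,
            "cmdline": bcd.cmdline,
            "root_pid": root.pid,
            "root_image": root.image,
            "chain": [bcd.image] + [p.image for p in chain[:3]],
        })
    return alerts


if __name__ == "__main__":
    for a in detect_crux_like_chain(SAMPLE_EVENTS):
        print(a)
```

The benign explorer.exe to cmd.exe to bcdedit /enum branch produces no alert, which is the point of keying on the parent chain and the recovery-disabling arguments together rather than on bcdedit.exe alone; in production the `signed` flag would come from your EDR's image-signature data, and the chain check would run on live events as they arrive rather than over a static list.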
