Edward Kiledjian's Threat Intel

Huntress Uncovers ‘Crux’ Ransomware Variant Linked to BlackByte Group

According to a recent article by ITPro, cybersecurity researchers at Huntress have identified a new ransomware strain in active use, dubbed Crux, which appears to be associated with the BlackByte ransomware group. Huntress has observed three incidents involving Crux so far this month, with attackers abusing exposed Remote Desktop Protocol (RDP) for access in at least one case and moving quickly from initial foothold to deployment and lateral movement using legitimate Windows binaries such as bcdedit.exe, svchost.exe, and cmd.exe. Each Crux executable was uniquely configured for its target, so hash-based indicators from one victim do not carry over to the next, which complicates detection.

The attackers used utilities such as Rclone for data exfiltration and acted within minutes of logging in with compromised accounts, suggesting prior knowledge of the victim's infrastructure. Crux displays the hallmark traits of a refined ransomware-as-a-service (RaaS) operation. Huntress recommends that organizations immediately secure exposed RDP instances and closely monitor endpoint activity tied to common administrative tools, so that unusual patterns and pre-encryption activity are caught before files are locked.
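One way to act on the monitoring recommendation above, as an added example that is not from Huntress or the ITPro article: triage process-creation telemetry for the tool usage the summary names (bcdedit.exe, Rclone, svchost.exe) and escalate when several hits land on one host within minutes, matching the tempo described. The rules, thresholds, and Sysmon-style sample events are the editor's own assumptions; the bcdedit recovery-tampering signature and the svchost.exe path/parent check are general ransomware detection heuristics, not behaviour the article attributes to Crux specifically.

```python
"""
Process-creation triage for the activity pattern summarised above.
Added example: the rules and the sample events are assumptions made for
illustration, not Huntress detection logic or data from the article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a Sysmon Event ID 1 style (host, time, parent
# image, image, command line). Invented to exercise the rules below.
SAMPLE_EVENTS = [
    {"host": "FS01", "time": "2025-07-14T02:11:03",
     "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"host": "FS01", "time": "2025-07-14T02:14:20",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "FS01", "time": "2025-07-14T02:15:02",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Users\\Public\\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Shares remote:backup -q"},
    {"host": "FS01", "time": "2025-07-14T02:16:40",
     "parent": "C:\\Users\\Public\\svchost.exe",
     "image": "C:\\Users\\Public\\svchost.exe",
     "cmdline": "svchost.exe -x"},
    {"host": "WS22", "time": "2025-07-14T09:30:00",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]

# Directories where a genuine svchost.exe lives (heuristic, assumption).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def classify(ev):
    """Return (technique, severity) for one event, or None if it looks benign."""
    image = ev["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    cmd = ev["cmdline"].lower()
    parent = ev["parent"].lower()
    # bcdedit disabling Windows recovery: a common pre-encryption step.
    if name == "bcdedit.exe" and re.search(
            r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", cmd):
        return ("recovery_tampering", "high")
    # Rclone pushing data to a remote: exfiltration candidate.
    if name.startswith("rclone") and re.search(r"\b(copy|sync|move)\b", cmd):
        return ("rclone_exfil", "high")
    # svchost.exe outside the system directories or not spawned by
    # services.exe is out of place (heuristic, not from the article).
    if name == "svchost.exe" and (
            not image.startswith(SYSTEM_DIRS)
            or not parent.endswith("\\services.exe")):
        return ("svchost_masquerade", "medium")
    return None


def correlate(events, window_minutes=10):
    """Group hits per host; escalate when two or more distinct techniques
    fall inside one window, reflecting the minutes-scale tempo described."""
    hits = defaultdict(list)
    for ev in events:
        result = classify(ev)
        if result:
            hits[ev["host"]].append(
                (datetime.fromisoformat(ev["time"]), result[0], result[1]))
    window = timedelta(minutes=window_minutes)
    verdicts = {}
    for host, found in hits.items():
        found.sort()
        escalate = False
        for t0, _, _ in found:
            techniques = {tech for t, tech, _ in found if t0 <= t <= t0 + window}
            if len(techniques) >= 2:
                escalate = True
                break
        verdicts[host] = {
            "techniques": sorted({tech for _, tech, _ in found}),
            "verdict": "likely_intrusion" if escalate else "review",
        }
    return verdicts


if __name__ == "__main__":
    for host, verdict in correlate(SAMPLE_EVENTS).items():
        print(host, verdict)
```

On the constructed data only FS01 is reported: three distinct techniques inside about two minutes escalate it to "likely_intrusion", while the normal svchost.exe under services.exe and the interactive cmd.exe on WS22 produce no hit. In production the same rules would run over real Sysmon or EDR process-creation events, and the window and technique list would be tuned to the environment.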

www.itpro.com/business/…