“Crux” Ransomware Variant with BlackByte Ties Uncovered

Husain Parvez
Husain Parvez Former Writer
Published on: August 10, 2025

Cybersecurity firm Huntress has identified a new ransomware strain known as “Crux,” which was observed in three separate incidents this July. The group behind Crux claims affiliation with the BlackByte ransomware-as-a-service operation, which has been active since 2021.

In each case, encrypted files used the .crux extension, and ransom notes followed the format crux_readme_[random].txt, listing BlackBCruxSupport@onionmail.org as the contact. The affiliation with BlackByte remains unverified. Huntress also noted that “the ransomware executable has been seen running from different folders (e.g., temp folder, C:\Windows, etc.) and with different names on each endpoint.”

The ransomware exhibits a consistent process pattern using legitimate Windows binaries. Huntress explained that once executed, the malware “has a distinctive process tree that progresses from the unsigned ransomware binary — through svchost.exe, cmd.exe, and bcdedit.exe — before encrypting files.”

This includes launching svchost.exe with custom command-line arguments, running cmd.exe, and invoking bcdedit.exe to disable Windows recovery, hampering victims’ restoration attempts.

In the first incident, discovered on July 4 across seven endpoints, attackers used Rclone for data exfiltration and deployed drivers and registry dump tools. A separate incident that day showed user account creation and lateral movement, followed by ransomware deployment and recovery disablement.

By July 13, Huntress confirmed that valid Remote Desktop Protocol (RDP) credentials were used in a third attack. “For the third incident, we found that the initial access vector was the use of valid credentials via RDP,” Huntress reported.

In this case, the ransomware was launched within minutes of an initial login, suggesting prior knowledge of the environment. Executables were tagged with unique identifiers per victim, signaling targeted behavior.

Huntress warns that “it’s important to act on our continual advice to secure exposed RDP instances.” Huntress also recommends monitoring legitimate tools like bcdedit.exe and svchost.exe through endpoint detection and response solutions to flag abuse patterns.
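The process tree described above (unsigned binary, then svchost.exe, cmd.exe and bcdedit.exe) and the monitoring recommendation both lend themselves to a simple detection over process-creation telemetry. The following is an added example, not code from the article or from Huntress: it walks each bcdedit.exe event up its parent chain, raises a high-severity alert when the chain contains cmd.exe, svchost.exe and an unsigned ancestor, and separately matches file paths against the .crux extension and crux_readme_[random].txt note pattern the article reports. The sample events, image paths and process names are constructed; the bcdedit switches checked (recoveryenabled, bootstatuspolicy) are real switches commonly used to disable Windows recovery, but the article does not state which arguments Crux passes, so that part is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


# Simplified, Sysmon-like process-creation record (constructed shape).
@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    signed: bool


# bcdedit arguments that disable Windows recovery. ASSUMPTION: the article
# says bcdedit was used to disable recovery but does not list the switches.
RECOVERY_DISABLE = re.compile(
    r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", re.IGNORECASE
)

# File indicators taken from the article: .crux extension, crux_readme_<random>.txt note.
RANSOM_NOTE = re.compile(r"^crux_readme_[^\\/]+\.txt$", re.IGNORECASE)
CRUX_EXT = re.compile(r"\.crux$", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(event: ProcEvent, index: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Return [event, parent, grandparent, ...] up to the root we have telemetry for."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur.pid not in seen:  # guard against pid reuse cycles
        seen.add(cur.pid)
        chain.append(cur)
        cur = index.get(cur.ppid)
    return chain


def detect_recovery_tamper(events: List[ProcEvent]) -> List[dict]:
    """Alert on bcdedit.exe disabling recovery; escalate when the parent chain
    matches the unsigned binary -> svchost.exe -> cmd.exe -> bcdedit.exe pattern."""
    index = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if basename(ev.image) != "bcdedit.exe" or not RECOVERY_DISABLE.search(ev.cmdline):
            continue
        chain = ancestry(ev, index)
        names = [basename(p.image) for p in chain]
        parents = names[1:]  # everything above bcdedit itself
        unsigned = [basename(p.image) for p in chain[1:] if not p.signed]
        targeted = "cmd.exe" in parents and "svchost.exe" in parents and bool(unsigned)
        alerts.append({
            "pid": ev.pid,
            "severity": "high" if targeted else "medium",
            "chain": " -> ".join(reversed(names)),
            "unsigned_ancestors": unsigned,
        })
    return alerts


def detect_file_indicators(paths: List[str]) -> List[str]:
    """Paths whose name matches the ransom-note pattern or the .crux extension."""
    return [p for p in paths if RANSOM_NOTE.match(basename(p)) or CRUX_EXT.search(p)]


# Constructed sample telemetry: one Crux-like chain, one benign bcdedit query,
# and one admin disabling recovery from a signed shell (should be medium, not high).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe", True),
    ProcEvent(200, 100, r"C:\Windows\Temp\upd_7f3a.exe", "upd_7f3a.exe", False),
    ProcEvent(300, 200, r"C:\Windows\System32\svchost.exe", "svchost.exe -r", True),
    ProcEvent(400, 300, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c bcdedit /set {default} recoveryenabled No", True),
    ProcEvent(500, 400, r"C:\Windows\System32\bcdedit.exe",
              "bcdedit /set {default} recoveryenabled No", True),
    ProcEvent(600, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe", True),
    ProcEvent(700, 600, r"C:\Windows\System32\bcdedit.exe", "bcdedit /enum", True),
    ProcEvent(800, 600, r"C:\Windows\System32\bcdedit.exe",
              "bcdedit /set {default} recoveryenabled no", True),
]

SAMPLE_FILES = [
    r"C:\Users\alice\Documents\report.docx.crux",
    r"C:\Users\alice\Desktop\crux_readme_k3x9.txt",
    r"C:\Users\alice\Desktop\readme.txt",
]

if __name__ == "__main__":
    for alert in detect_recovery_tamper(SAMPLE_EVENTS):
        print(alert)
    print(detect_file_indicators(SAMPLE_FILES))
```

On the constructed data the bcdedit event under the unsigned Temp binary is rated high, the administrator's direct recoveryenabled change is rated medium for analyst review, and the plain `bcdedit /enum` produces no alert; the two severity tiers are the point, since bcdedit.exe and svchost.exe are legitimate binaries and only the chain and arguments distinguish abuse.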

About the Author

Husain Parvez is a former tech writer at Safety Detectives with a focus on cybersecurity, privacy, and all things digital. He has a knack for breaking down complex topics into clear, engaging content, driven by a genuine curiosity about how things work under the hood. When he’s not writing, you’ll find him gaming, watching tech repair videos, or geeking out over the latest AI tools.