TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Getting to the Crux (Ransomware) of the Matter

2025-07-18

ATT&CK techniques detected

13 predictions
T1486 Data Encrypted for Impact
100%
"Getting to the Crux (Ransomware) of the Matter. Huntress has spotted a new ransomware variant that goes by the name “Crux”. Threat actors behind the Crux incidents claim that the ransomware variant is “a part of the BlackByte group,” as shown in Figure 1. Figure 1: excerpt …"
T1486 Data Encrypted for Impact
99%
"…e, cmd.exe, and bcdedit.exe, before encrypting files. The Crux Incidents. For the first two observed incidents we were unable to determine the initial access vector due to various factors. However, for the third incident, we found that the initial access vector was the use of v…"
T1486 Data Encrypted for Impact
99%
"…support account and then running through the process lineage involving svchost.exe and bcdedit.exe before creating the ransom notes. Getting to the Crux. Crux ransom notes state they are part of BlackByte, but keep in mind that these are claims by the threat actor, and Huntress …"
T1078 Valid Accounts
95%
"…July 4, a separate incident involved bcdedit.exe and resulted in ransomware canary files being tripped. Based on EDR telemetry, in this attack, the threat actor created user accounts and executed commands that were indicative of lateral movement before disabling Windows recovery…"
T1055.001 Dynamic-link Library Injection
87%
"…launches the legitimate svchost.exe, albeit with a distinctive command line, perhaps through process injection: either -a or -s and the unique identifier provided when the ransomware executable was launched. The legitimate Windows process svchost.exe runs multiple Windows se…"
T1080 Taint Shared Content
85%
"Getting to the Crux (Ransomware) of the Matter. Huntress has spotted a new ransomware variant that goes by the name “Crux”. Threat actors behind the Crux incidents claim that the ransomware variant is “a part of the BlackByte group,” as shown in Figure 1. Figure 1: excerpt …"
T1486 Data Encrypted for Impact
82%
"…July 4, a separate incident involved bcdedit.exe and resulted in ransomware canary files being tripped. Based on EDR telemetry, in this attack, the threat actor created user accounts and executed commands that were indicative of lateral movement before disabling Windows recovery…"
T1080 Taint Shared Content
74%
"…support account and then running through the process lineage involving svchost.exe and bcdedit.exe before creating the ransom notes. Getting to the Crux. Crux ransom notes state they are part of BlackByte, but keep in mind that these are claims by the threat actor, and Huntress …"
T1003 OS Credential Dumping
65%
"…July 4, a separate incident involved bcdedit.exe and resulted in ransomware canary files being tripped. Based on EDR telemetry, in this attack, the threat actor created user accounts and executed commands that were indicative of lateral movement before disabling Windows recovery…"
T1080 Taint Shared Content
47%
"…e, cmd.exe, and bcdedit.exe, before encrypting files. The Crux Incidents. For the first two observed incidents we were unable to determine the initial access vector due to various factors. However, for the third incident, we found that the initial access vector was the use of v…"
T1490 Inhibit System Recovery
41%
"…launches the legitimate svchost.exe, albeit with a distinctive command line, perhaps through process injection: either -a or -s and the unique identifier provided when the ransomware executable was launched. The legitimate Windows process svchost.exe runs multiple Windows se…"
T1486 Data Encrypted for Impact
32%
"…July 4. The activity across these endpoints varied; on some, the threat actor had disabled the recovery via bcdedit.exe and triggered canary reports, while on others, further activity was detected, such as remote registry dumps, driver installations, and the use of rclone. On o…"
T1569.002 Service Execution
32%
"…July 4. The activity across these endpoints varied; on some, the threat actor had disabled the recovery via bcdedit.exe and triggered canary reports, while on others, further activity was detected, such as remote registry dumps, driver installations, and the use of rclone. On o…"
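The lineage the excerpts above describe (a legitimate svchost.exe started with an unusual command line by something other than the Service Control Manager, followed by bcdedit.exe disabling Windows recovery) is the kind of behaviour that process-creation telemetry can catch. The following is an added example written for this page, not Huntress's or TTPwire's code: it runs two checks over constructed EDR-style events (hostnames, timestamps, the "support" user and the parent binary name are invented) and reports the hosts on which both fire. The bcdedit options it matches are standard Windows ones commonly abused for T1490; the svchost.exe heuristics (parent must be services.exe, command line must carry -k) are general rather than Crux-specific, and have rare benign exceptions, so each finding carries the reasons it fired.

```python
import re
from collections import defaultdict

# Standard bcdedit options that disable Windows recovery; running these is the
# usual T1490 (Inhibit System Recovery) step before encryption.
BCDEDIT_RECOVERY = [
    re.compile(r"recoveryenabled\s+(no|off|false)\b", re.I),
    re.compile(r"bootstatuspolicy\s+ignoreallfailures\b", re.I),
]


def image_name(path):
    """Lower-cased file name from a Windows path; tolerates quotes and either slash."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def check_bcdedit(ev):
    """T1490: bcdedit.exe carrying a recovery-disabling option on its command line."""
    if image_name(ev["image"]) != "bcdedit.exe":
        return None
    if not any(p.search(ev["cmdline"]) for p in BCDEDIT_RECOVERY):
        return None  # e.g. 'bcdedit /enum' is routine administration
    return {"technique": "T1490", "host": ev["host"], "time": ev["time"],
            "reason": "bcdedit.exe disabling recovery: " + ev["cmdline"]}


def check_svchost(ev):
    """Anomalous svchost.exe launch, the lineage the article ties to T1055.001.

    The Service Control Manager starts every legitimate svchost.exe from
    services.exe with a '-k <ServiceGroup>' switch. A svchost.exe with another
    parent, or without -k, fits the article's description of the ransomware
    launching svchost.exe with -a/-s plus an identifier. Both heuristics are
    general (not Crux-specific) and have rare benign exceptions.
    """
    if image_name(ev["image"]) != "svchost.exe":
        return None
    parent = image_name(ev.get("parent_image", ""))
    args = [a.lower() for a in ev["cmdline"].split()[1:]]
    reasons = []
    if parent != "services.exe":
        reasons.append("parent is %s, not services.exe" % (parent or "unknown"))
    if "-k" not in args:
        reasons.append("command line lacks the -k <ServiceGroup> switch")
    if not reasons:
        return None
    return {"technique": "T1055.001", "host": ev["host"], "time": ev["time"],
            "reason": "; ".join(reasons) + ": " + ev["cmdline"]}


CHECKS = (check_bcdedit, check_svchost)


def evaluate(events):
    """Run every check over every event; findings come back ordered by host, then time."""
    findings = []
    for ev in events:
        for check in CHECKS:
            finding = check(ev)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: (f["host"], f["time"]))


def hosts_with_crux_lineage(findings):
    """Hosts where both the svchost.exe anomaly and the bcdedit.exe recovery
    tampering fired: the pairing the article reports ahead of the ransom notes."""
    techniques = defaultdict(set)
    for f in findings:
        techniques[f["host"]].add(f["technique"])
    return sorted(h for h, t in techniques.items() if {"T1490", "T1055.001"} <= t)


# Constructed process-creation events in a minimal EDR-like shape. Hostnames,
# timestamps, the 'support' user and 'unknown_binary.exe' are invented for this example.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2025-07-04T02:10:00Z", "user": "SYSTEM",
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    {"host": "WS01", "time": "2025-07-04T02:31:05Z", "user": r"WS01\support",
     "parent_image": r"C:\Users\Public\unknown_binary.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'"C:\Windows\System32\svchost.exe" -a 7F3A9C2E'},
    {"host": "WS01", "time": "2025-07-04T02:33:10Z", "user": r"WS01\support",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS01", "time": "2025-07-04T02:33:12Z", "user": r"WS01\support",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "WS02", "time": "2025-07-04T09:00:00Z", "user": r"WS02\admin",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum"},
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for f in found:
        print(f["host"], f["time"], f["technique"], f["reason"])
    print("hosts with the full lineage:", hosts_with_crux_lineage(found))
```

On the sample data the benign service host on WS01 and the `bcdedit /enum` on WS02 produce nothing, the svchost.exe launched by the unknown parent fires on both heuristics, and the two bcdedit.exe invocations fire as T1490, so only WS01 is reported with the full lineage. In production, the host-level correlation is what turns two individually noisy signals into a high-confidence alert.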

Summary

Huntress has observed a new ransomware variant, Crux, being used in multiple incidents.