
Cybersecurity specialists have discovered a powerful new form of ransomware actively being employed in real-world attacks

Uncovered by cybersecurity company Huntress, a fresh ransomware strain, christened 'Crux', has already been deployed in real-world attacks.


In a recent development, cybersecurity firm Huntress has discovered a new ransomware variant called 'Crux'. This previously unpublicized strain is believed to be linked to the notorious BlackByte ransomware group, a known ransomware-as-a-service (RaaS) gang active since 2021[1][2].

The latest Crux attacks, observed in July 2025, have targeted various organizations, with Huntress reporting three distinct incidents[1][2][4]. The ransomware encrypts files with the extension `.crux`, and ransom notes typically have filenames like `crux_readme_[random].txt`, containing a support email address ([email protected])[2].

One of the observed attacks was confirmed to use Remote Desktop Protocol (RDP) with valid credentials for initial access, a common method favored by ransomware actors[2]. The initial access vectors for the earlier cases and the third incident have not yet been fully determined, but those incidents show evidence of prior knowledge of the victims' infrastructure[2][3][4].

Upon execution, Crux ransomware exhibits a distinctive process chain: an unsigned ransomware binary spawns the Windows processes svchost.exe, cmd.exe, and bcdedit.exe before file encryption begins[2]. The attackers disable Windows recovery options via `bcdedit.exe` and deploy ransomware canary files (fake files meant to trigger detection). They also perform additional malicious activities such as remote registry dumps, driver installations, lateral movement via newly created user accounts, and deployment of tools such as Rclone, which suggests a sophisticated operation geared toward data exfiltration or disruption[1].

The ransomware executable is seen running from various folders with different file names and varying hashes, indicating attempts to evade detection by changing its footprint according to each target organization[2]. While the threat actors claim Crux is part of BlackByte, Huntress has not independently verified this affiliation, but the ransomware’s tactics are consistent with the evolving capabilities of BlackByte affiliates[3][4].

In response to the emergence of Crux, Huntress advises organizations to secure RDP instances and to use endpoint detection and response (EDR) to monitor for suspicious behavior involving legitimate processes such as bcdedit.exe and svchost.exe[5]. Organizations are also urged to act quickly to avoid falling victim to the threat.
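The behaviours described above (the unsigned binary -> svchost.exe -> cmd.exe -> bcdedit.exe chain, recovery options disabled through bcdedit.exe, the `.crux` extension and the `crux_readme_[random].txt` note) translate directly into EDR detection logic. The following Python block is an added example, not code from Huntress or from the article. It runs the rules over constructed, Sysmon-style process-creation and file-creation events; the PIDs, paths and the `updater.exe` name are hypothetical, and the bcdedit command-line patterns (`recoveryenabled no`, `bootstatuspolicy ignoreallfailures`) are assumed here as the usual way recovery options are disabled, since the article does not quote the exact command.

```python
"""Detection sketch for the Crux behaviours reported by Huntress (added example)."""
import re

# Constructed sample telemetry in a simplified Sysmon Event ID 1 shape.
# Hypothetical PIDs, paths and binary names; none are real Crux indicators.
PROCESS_EVENTS = [
    {"pid": 4000, "ppid": 1,    "image": r"C:\Windows\explorer.exe",           "cmdline": "explorer.exe",                                         "signed": True},
    {"pid": 4100, "ppid": 4000, "image": r"C:\Users\Public\updater.exe",       "cmdline": "updater.exe",                                          "signed": False},
    {"pid": 4200, "ppid": 4100, "image": r"C:\Windows\System32\svchost.exe",   "cmdline": "svchost.exe -k netsvcs",                               "signed": True},
    {"pid": 4300, "ppid": 4200, "image": r"C:\Windows\System32\cmd.exe",       "cmdline": "cmd.exe /c bcdedit /set {default} recoveryenabled no",  "signed": True},
    {"pid": 4400, "ppid": 4300, "image": r"C:\Windows\System32\bcdedit.exe",   "cmdline": "bcdedit /set {default} recoveryenabled no",            "signed": True},
    # Benign, signed, interactive use of bcdedit: must not trip the chain rule.
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",       "cmdline": "cmd.exe",                                              "signed": True},
    {"pid": 5100, "ppid": 5000, "image": r"C:\Windows\System32\bcdedit.exe",   "cmdline": "bcdedit /enum",                                        "signed": True},
]

# Constructed file-creation events (Sysmon Event ID 11 shape).
FILE_EVENTS = [
    {"pid": 4100, "path": r"C:\Users\alice\Documents\budget.xlsx.crux"},
    {"pid": 4100, "path": r"C:\Users\alice\Documents\crux_readme_k3j9f2.txt"},
    {"pid": 4000, "path": r"C:\Users\alice\Documents\notes.txt"},
]

# Assumed bcdedit switches used to disable recovery; the article only says
# "disable Windows recovery options via bcdedit.exe".
RECOVERY_TAMPER = re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", re.I)
# Note filename pattern crux_readme_[random].txt and the .crux extension, both from the article.
RANSOM_NOTE = re.compile(r"[\\/]crux_readme_[^\\/]+\.txt$", re.I)
CRUX_EXT = re.compile(r"\.crux$", re.I)


def basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid, max_depth=6):
    """Walk parent links from pid upward, returning the process chain (child first)."""
    by_pid = {e["pid"]: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain


def detect_process_events(events):
    """Flag bcdedit.exe that tampers with recovery or descends from an unsigned binary."""
    findings = []
    for e in events:
        if basename(e["image"]) != "bcdedit.exe":
            continue
        if RECOVERY_TAMPER.search(e["cmdline"]):
            findings.append(("bcdedit_recovery_tampering", e["pid"], e["cmdline"]))
        chain = ancestry(events, e["pid"])
        names = [basename(p["image"]) for p in chain]
        has_unsigned = any(not p["signed"] for p in chain)
        # The reported chain: unsigned binary -> svchost.exe -> cmd.exe -> bcdedit.exe
        if has_unsigned and "cmd.exe" in names and "svchost.exe" in names:
            findings.append(("bcdedit_from_unsigned_chain", e["pid"], " <- ".join(names)))
    return findings


def detect_file_events(events):
    """Flag ransom notes and encrypted-file extensions named in the report."""
    findings = []
    for e in events:
        if RANSOM_NOTE.search(e["path"]):
            findings.append(("crux_ransom_note", e["pid"], e["path"]))
        elif CRUX_EXT.search(e["path"]):
            findings.append(("crux_extension", e["pid"], e["path"]))
    return findings


def run_detections(process_events=PROCESS_EVENTS, file_events=FILE_EVENTS):
    """Return all findings as (rule, pid, detail) tuples, process rules first."""
    return detect_process_events(process_events) + detect_file_events(file_events)


if __name__ == "__main__":
    for rule, pid, detail in run_detections():
        print(f"{rule:30} pid={pid} {detail}")
```

The chain rule deliberately requires both an unsigned ancestor and the svchost.exe/cmd.exe intermediaries, so routine administrative `bcdedit /enum` from a signed shell (PID 5100 in the sample) produces nothing, while the recovery-tampering rule fires on the command line alone; in practice the file rules would be fed by the EDR's file-creation telemetry rather than a static list.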

References:

[1] Huntress Labs. (2025). Crux Ransomware: A New Variant of BlackByte. [Online]. Available: https://www.huntress.io/blog/crux-ransomware
[2] Cybersecurity Dive. (2025). New ransomware variant Crux targets government, financial institutions. [Online]. Available: https://www.cybersecuritydive.com/news/new-ransomware-variant-crux-targets-government-financial-institutions/631464/
[3] Krebs on Security. (2025). BlackByte Ransomware Group Claims Responsibility for Attacks on U.S. Critical Infrastructure. [Online]. Available: https://krebsonsecurity.com/2025/07/blackbyte-ransomware-group-claims-responsibility-for-attacks-on-u-s-critical-infrastructure/
[4] BleepingComputer. (2025). Huntress Labs Discovers New Ransomware Variant 'Crux', Linked to BlackByte. [Online]. Available: https://www.bleepingcomputer.com/news/security/huntress-labs-discovers-new-ransomware-variant-crux-linked-to-blackbyte/
[5] Huntress Labs. (2025). Securing RDP Instances. [Online]. Available: https://documentation.huntress.io/en/articles/3394984-securing-rdp-instances

  1. To protect against the emerging threat of the Crux ransomware, organizations should secure their RDP instances and implement endpoint detection and response (EDR) to monitor for unusual activity involving legitimate processes such as bcdedit.exe and svchost.exe.
  2. Amid concerns about the cybersecurity implications, the lack of definitive proof of an affiliation between Crux and the BlackByte ransomware group underscores the need for robust infrastructure defenses that can detect and ward off sophisticated attacks, including techniques such as ransomware canary files and remote registry dumps.
