Blackbyte Crux

Also known as: Blackbyte Crux

Crux is a newly identified ransomware variant active since July 2025, which claims affiliation with the established BlackByte ransomware group. It implements a double‑extortion model—encrypting files (with the .crux extension) and threatening data leak via a Tor-based portal. A distinctive feature of Crux is its execution flow: it initiates via svchost.exe, cmd.exe, and bcdedit.exe to disable Windows recovery, followed by rapid file encryption. The ransomware has been confirmed in at least three incidents across sectors including agriculture, education, professional services, media, and nonprofits, in both the U.S. and U.K. Ransom notes consistently follow the naming pattern crux_readme_[random].txt.

Introduction

Crux is a newly identified ransomware variant active since July 2025, which claims affiliation with the established BlackByte ransomware group. It implements a double‑extortion model—encrypting files (with the .crux extension) and threatening data leak via a Tor-based portal. A distinctive feature of Crux is its execution flow: it initiates via svchost.exe, cmd.exe, and bcdedit.exe to disable Windows recovery, followed by rapid file encryption. The ransomware has been confirmed in at least three incidents across sectors including agriculture, education, professional services, media, and nonprofits, in both the U.S. and U.K. Ransom notes consistently follow the naming pattern crux_readme_[random].txt.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

Information pending cataloguing.

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.