Back to Threat Groups

blackbyte-crux

ransomware group

Crux is a newly identified ransomware variant active since July 2025, which claims affiliation with the established BlackByte ransomware group. It implements a double‑extortion model—encrypting files (with the .crux extension) and threatening data leak via a Tor-based portal. A distinctive feature of Crux is its execution flow: it initiates via svchost.exe, cmd.exe, and bcdedit.exe to disable Windows recovery, followed by rapid file encryption. The ransomware has been confirmed in at least three incidents across sectors including agriculture, education, professional services, media, and nonprofits, in both the U.S. and U.K. Ransom notes consistently follow the naming pattern crux_readme_[random].txt.

Victims
1
records
First Discovered
Jun 7, 2026
victim
Last Discovered
Jun 7, 2026
victim
Inactive Since
38
days
Countries
1
hit
Avg Discount
no settlements

Group Activity

Last 12 months
Aug
2025
Sep
2025
Oct
2025
Nov
2025
Dec
2025
Jan
2026
Feb
2026
Mar
2026
Apr
2026
May
2026
1
Jun
2026
Jul
2026