Back to Intelligence

BLACKWATER Ransomware: CN Targeting Confirmed & Critical Edge Firewall Exploitation Campaign

SA
Security Arsenal Team
July 11, 2026
6 min read

Date: 2026-07-11
Source: Ransomware.live (Live Onion Feed)
Analyst: Security Arsenal Intel Team


Threat Actor Profile — BLACKWATER

BLACKWATER is a financially motivated cybercriminal syndicate operating with a high degree of technical sophistication. While data on their origins is sparse, their operational tactics suggest a Ransomware-as-a-Service (RaaS) model or a tight-knit affiliate group leveraging access brokers.

  • Ransom Model: Aggressive double extortion. Exfiltration occurs days to weeks before encryption to maximize leverage.
  • Ransom Demands: Historical data suggests demands ranging from $500k to $5M USD, varying by victim revenue.
  • Initial Access: Heavy reliance on External Remote Services (VPN/Firewall vulnerabilities). The group does not rely heavily on phishing but rather exploits unpatched perimeter infrastructure (Check Point, Cisco, ConnectWise).
  • Dwell Time: Short to moderate (3–10 days). BLACKWATER affiliates move quickly from initial access to lateral movement once a foothold is established.

Current Campaign Analysis

Targeting & Victimology

Based on the latest leak site posting (2026-07-10), BLACKWATER has shifted focus toward the Asia-Pacific region, specifically China.

  • Identified Victim: txdkj.com (Sector: Not Found/Unknown, Location: CN).
  • Geographic Concentration: 100% of recent activity (last 100 postings) is concentrated in CN. This marks a deviation from previous global patterns, suggesting a focused campaign against Chinese enterprise infrastructure.
  • Victim Profile: The limited victim data combined with the specific CVEs exploited suggests mid-to-large enterprises utilizing complex network topologies (Cisco FMC, Check Point Gateways) for remote management.

Exploitation Vector Correlation

BLACKWATER is actively exploiting a specific set of CISA KEV vulnerabilities, indicating a deliberate strategy to bypass perimeter defenses:

  1. CVE-2026-50751 (Check Point Security Gateway): Improper authentication in IKEv1. Allows threat actors to bypass VPN authentication. Primary Initial Access Vector.
  2. CVE-2024-1708 (ConnectWise ScreenConnect): Path Traversal/Authentication Bypass. Used for remote code execution on internal management servers.
  3. CVE-2026-20131 (Cisco Secure Firewall FMC): Deserialization vulnerability. Likely used for persistence or defense evasion after breaching the network edge.
  4. CVE-2023-21529 (Microsoft Exchange): Used for internal credential harvesting or lateral movement if email servers are accessible.

Assessment: BLACKWATER affiliates are scanning for unpatched VPN and Firewall management interfaces to establish a covert VPN tunnel into the victim's environment, bypassing traditional MFA controls.


Detection Engineering

Sigma Rules

YAML
---
title: Potential Check Point IKEv1 Auth Bypass (CVE-2026-50751)
id: 9e8b7a1c-2d3f-4a5e-9b6c-1d2e3f4a5b6c
description: Detects potential exploitation of CVE-2026-50751 involving IKEv1 key exchange anomalies or unexpected VPN session establishments.
status: experimental
date: 2026/07/11
author: Security Arsenal
logsource:
  product: firewall
  service: check_point
detection:
  selection:
    protocol|contains: 'IKE'
    ike_version: 'v1'
    action: 'accept'
    port: 500
  filter:
    src_ip_range:
      - '10.0.0.0/8'
      - '192.168.0.0/16'
      - '172.16.0.0/12'
  condition: selection and not filter
level: high
tags:
  - cve.2026.50751
  - attack.initial_access
  - attack.t1190
---
title: ConnectWise ScreenConnect Path Traversal Exploit (CVE-2024-1708)
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects path traversal sequences often associated with CVE-2024-1708 exploitation attempts in ScreenConnect web logs.
status: experimental
date: 2026/07/11
author: Security Arsenal
logsource:
  product: web server
  service: iis
detection:
  selection:
    cs-uri-query|contains:
      - '..%2f'
      - '..%255c'
      - '..\'
    cs-uri-stem|contains: '/Guest'
  condition: selection
level: critical
tags:
  - cve.2024.1708
  - attack.initial_access
  - attack.webshell
---
title: BLACKWATER Ransomware Pre-Encryption VSS Deletion
id: b2c3d4e5-6789-01ab-cdef-234567890bcd
description: Detects commands used to delete Volume Shadow Copies often observed prior to BLACKWATER encryption.
status: experimental
date: 2026/07/11
author: Security Arsenal
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
    NewProcessName|endswith:
      - '\vssadmin.exe'
      - '\wmic.exe'
    CommandLine|contains:
      - 'delete shadows'
      - 'shadowcopy delete'
  condition: selection
level: high
tags:
  - attack.impact
  - attack.t1490

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious lateral movement and credential dumping associated with BLACKWATER activity
let TimeFrame = 1d;
DeviceProcessEvents  
| where Timestamp >= ago(TimeFrame)
// Look for credentials dumping tools or lateral movement utilities
| where ProcessName in~ ('cmd.exe', 'powershell.exe', 'powershell_ise.exe', 'wmic.exe', 'psexec.exe', 'psexec64.exe', 'procdump.exe', 'rclone.exe', 'megasync.exe')
// Filter for suspicious arguments
| where ProcessCommandLine has any("net", "user", "share", "shadow", "delete", "mimikatz", "sekurlsa", "copy")
| extend FileHashInfo = pack("SHA256", SHA256, "MD5", MD5)
| project Timestamp, DeviceName, AccountName, ProcessName, ProcessCommandLine, InitiatingProcessAccountName, FileHashInfo
| sort by Timestamp desc

PowerShell Response Script

PowerShell
<#
.SYNOPSIS
    Checks for indications of BLACKWATER pre-encryption staging.
.DESCRIPTION
    This script enumerates scheduled tasks created in the last 7 days (common for persistence) 
    and checks the status of Volume Shadow Copies.
#>

$StagingIndicators = @{
    RecentTasks = @()
    VSSStatus = $null
    SuspiciousProcesses = @()
}

# 1. Check for Scheduled Tasks created/modified in last 7 days
$DateThreshold = (Get-Date).AddDays(-7)
try {
    $Tasks = Get-ScheduledTask | Where-Object { $_.Date -ge $DateThreshold }
    foreach ($Task in $Tasks) {
        $TaskInfo = Get-ScheduledTaskInfo -TaskName $Task.TaskName -TaskPath $Task.TaskPath
        $StagingIndicators.RecentTasks += "[$($Task.TaskName)] Last Run: $($TaskInfo.LastRunTime), Author: $($Task.Author)"
    }
} catch {
    Write-Warning "Could not enumerate scheduled tasks."
}

# 2. Check Volume Shadow Copy Storage Usage (Low or 0 often indicates deletion)
try {
    $VSS = vssadmin list shadows
    if ($VSS -match "No shadow copies found") {
        $StagingIndicators.VSSStatus = "CRITICAL: No Shadow Copies found. Possible deletion."
    } else {
        $StagingIndicators.VSSStatus = "OK: Shadow copies exist."
    }
} catch {
    $StagingIndicators.VSSStatus = "Error checking VSS: $_"
}

# 3. Output
$StagingIndicators | ConvertTo-Json


---

Incident Response Priorities

T-Minus Detection Checklist (Before Encryption)

  1. Audit VPN Logs: Immediate review of Check Point and Cisco FMC logs for successful IKEv1 connections (Port 500/4500) originating from unusual geolocations or non-corporate IPs.
  2. Web Server Forensics: Scan ConnectWise ScreenConnect logs for path traversal attempts (..%2f) or /Guest access anomalies.
  3. Identity Hunt: Query Active Directory for service accounts that have recently logged in from VPN IPs associated with the victim timeline.

Critical Exfiltration Targets

BLACKWATER historically prioritizes:

  • CAD/Engineering Files: High value in manufacturing/targeted sectors.
  • Financial Databases: SQL Server backups and .mdf files.
  • HR/Payroll: For W-2 fraud and social engineering leverage.

Containment Actions

  1. Isolate VPN Infrastructure: If Check Point or Cisco FMC is suspected compromised, treat it as a rogue C2 server. Revoke all VPN certs immediately.
  2. Block Internet Egress: Limit outbound traffic to essential business IPs only (Port 443/80) to prevent exfiltration to cloud storage (Mega.nz, Dropbox).
  3. Disable RDP: Force-disable RDP on all internal servers via GPO if not strictly required.

Hardening Recommendations

Immediate (24 Hours)

  • Patch Perimeter: Apply security updates for CVE-2026-50751 (Check Point) and CVE-2026-20131 (Cisco FMC) immediately. If patching is delayed, disable IKEv1 on Check Point gateways.
  • Disable ConnectWise Guest Access: If ConnectWise ScreenConnect is not in use, shut down the service. If in use, enforce strict IP whitelisting.

Short-Term (2 Weeks)

  • Zero Trust Network Access (ZTNA): Begin migration from traditional VPN (which relies on broad network access) to ZTNA solutions that verify user identity and device posture before granting access to specific apps.
  • Network Segmentation: Ensure firewall management interfaces (FMC, Check Point SmartConsole) are NOT accessible from the internet, and require a jump host with MFA for access.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangblackwaterransomwarecve-2026-50751cve-2024-1708check-pointcisco-fmc

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

BLACKWATER Ransomware: CN Targeting Confirmed & Critical Edge Firewall Exploitation Campaign | Security Arsenal | Security Arsenal