Back to Intelligence

COINBASECARTEL Ransomware: Critical Infrastructure Exploits & Surge in Victim Count

SA
Security Arsenal Team
April 19, 2026
6 min read

Threat Level: CRITICAL Date: 2026-04-19 Source: Ransomware.live / Dark Web Leak Site Telemetry

Threat Actor Profile — COINBASECARTEL

Profile: COINBASECARTEL has rapidly escalated operations, positioning itself as a high-volume Ransomware-as-a-Service (RaaS) operation. Unlike traditional gangs relying solely on phishing, COINBASECARTEL demonstrates advanced capability in leveraging CVEs on internet-facing infrastructure.

  • Model: RaaS (Ransomware-as-a-Service) with suspected affiliate network driving volume.
  • Ransom Demands: Variable, typically scaling from $500k to $5M USD depending on victim revenue.
  • Initial Access: Heavy reliance on zero-day and N-day exploitation of edge appliances (Firewalls, Mail Gateways, VPNs). Phishing remains a secondary vector.
  • Extortion Strategy: Aggressive double extortion. Data is frequently leaked within 48-72 hours if contact is not established.
  • Dwell Time: Short (3-7 days). The group moves rapidly from initial exploit (CVE) to deployment, indicating automated tooling for post-exploitation.

Current Campaign Analysis

Recent Victim Count: 21 (Last 100 postings)

Sector Targeting: The current campaign shows a pivot towards Business Services (ASTM Group, Questivity) and Public Sector entities (Superintendency of territorial planning, Kemenpppa). Notably, Technology and Consumer Services (The Epoch Times) remain high-priority targets.

Geographic Concentration:

  • Primary: United States (High volume of business services/construction).
  • Secondary: France (Technology), Indonesia & Malta (Public Sector).

Victim Profile: Targets range from mid-market engineering firms (McCuaig and associates) to large media organizations (The Epoch Times) and government bodies. The diversity suggests affiliates are scanning indiscriminately for specific vulnerable products rather than targeting specific vertical brands.

CVE Correlation: The victim surge correlates directly with the exploitation of CISA KEV-listed vulnerabilities:

  • CVE-2026-20131 (Cisco Secure Firewall FMC): Likely initial access vector for the "Technology" and "Business Services" sectors where firewalls are exposed.
  • CVE-2025-5777 (Citrix NetScaler): A classic entry point for lateral movement into internal networks, particularly relevant for the "Public Sector" victims.
  • CVE-2026-23760 (SmarterTools SmarterMail): Used to breach email infrastructure for credential harvesting and initial access.

Detection Engineering

SIGMA Rules

YAML
title: Potential Cisco FMC Deserialization Exploit CVE-2026-20131
id: c4c4b1d0-2026-4b1c-9e0c-123456789abc
description: Detects potential exploitation of Cisco Secure Firewall Management Center deserialization vulnerability via suspicious management interface requests.
status: experimental
date: 2026/04/19
author: Security Arsenal Labs
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains:
            - '/mgmt/tm/util/untar'
            - '/mgmt/tm/util/bash'
        sc-status: 200
    condition: selection
falsepositives:
    - Legitimate administrative backups
level: critical
tags:
    - attack.initial_access
    - cve.2026.20131
    - ransomware.coinbasecartel
---
title: SmarterMail Authentication Bypass CVE-2026-23760
id: e5e5c2e1-2026-4d2d-af1d-987654321xyz
description: Detects authentication bypass attempts on SmarterTools SmarterMail servers associated with CVE-2026-23760.
status: experimental
date: 2026/04/19
author: Security Arsenal Labs
logsource:
    product: smtp
    service: smtp
detection:
    selection:
        cs-method: 'POST'
        c-uri|contains: 
            - '/Services/Mail.asmx'
            - '/Services/AuthenticatedService.asmx'
    filter_legit:
        cs-user-agent|contains: 'SmarterCloud'
    condition: selection and not filter_legit
falsepositives:
    - Misconfigured legacy integrations
level: high
tags:
    - attack.initial_access
    - cve.2026.23760
    - ransomware.coinbasecartel
---
title: Ransomware Shadow Copy Deletion via VssAdmin
id: f6f6d3f2-2026-5e3e-bg2e-111111111abc
description: Detects commands used by ransomware gangs like COINBASECARTEL to delete Volume Shadow Copies to prevent recovery.
status: experimental
date: 2026/04/19
author: Security Arsenal Labs
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains:
            - 'delete shadows'
            - 'resize shadowstorage'
    condition: selection
falsepositives:
    - System administrator maintenance (rare)
level: critical
tags:
    - attack.impact
    - attack.t1490
    - ransomware.coinbasecartel

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and staging associated with COINBASECARTEL patterns
// Looks for SMB access to Admin shares and unusual PowerShell execution
DeviceProcessEvents  
| where Timestamp > ago(7d)  
| where (InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "wmiprvse.exe") or FileName in~ ("powershell.exe", "cmd.exe"))  
| where (ProcessCommandLine has "New-Object" and ProcessCommandLine has "Net.WebClient") or  
         (ProcessCommandLine has "Invoke-Expression") or  
         (ProcessCommandLine contains "psexec" or ProcessCommandLine contains "wmic")  
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName  
| extend FullPath = iff(ProcessCommandLine contains "\\", extract(@'(\\[a-zA-Z0-9-_]+\[a-zA-Z0-9-_]+)', 0, ProcessCommandLine), "Unknown")  
| where isnotempty(FullPath)  
| order by Timestamp desc

PowerShell Hardening Script

PowerShell
# COINBASECARTEL Rapid Response Hardening Script
# Checks for exposed RDP, recent Scheduled Task creation (Persistence), and VSS health

Write-Host "[+] Starting COINBASECARTEL Hardening Checks..." -ForegroundColor Cyan

# 1. Check for RDP Exposure (Rule of thumb: Should be off unless needed)
$RDPStatus = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server").fDenyTSConnections
if ($RDPStatus -eq 0) {
    Write-Host "[ALERT] RDP is ENABLED. Consider disabling immediately." -ForegroundColor Red
} else {
    Write-Host "[OK] RDP is Disabled." -ForegroundColor Green
}

# 2. Hunt for suspicious Scheduled Tasks created in last 7 days (Common Persistence)
$DateCutoff = (Get-Date).AddDays(-7)
$SuspiciousTasks = Get-ScheduledTask | Where-Object { $_.Date -gt $DateCutoff -and $_.Author -notlike "Microsoft*" -and $_.Author -notlike "N/A*" }

if ($SuspiciousTasks) {
    Write-Host "[ALERT] Found recently created non-Microsoft Scheduled Tasks:" -ForegroundColor Red
    $SuspiciousTasks | Select-Object TaskName, Date, Author, Action | Format-Table -AutoSize
} else {
    Write-Host "[OK] No suspicious recent Scheduled Tasks found." -ForegroundColor Green
}

# 3. Check for Volume Shadow Copy Manipulation Events (Event ID 7036 or VSS Provider errors)
Write-Host "[INFO] Checking Event Log for VSS Service stops (Common pre-encryption)..." -ForegroundColor Yellow
$VSSEvents = Get-WinEvent -FilterHashtable @{LogName='System'; ID=7036; StartTime=$DateCutoff} -ErrorAction SilentlyContinue | 
              Where-Object { $_.Message -like '*VSS*' -and $_.Message -like '*stopped*' }

if ($VSSEvents) {
    Write-Host "[ALERT] VSS Service stopped recently. Potential ransomware activity." -ForegroundColor Red
} else {
    Write-Host "[OK] No VSS service stoppages detected." -ForegroundColor Green
}

Write-Host "[+] Scan Complete." -ForegroundColor Cyan


---

Incident Response Priorities

T-Minus Detection Checklist:

  1. Edge Device Logs: Immediately review Cisco FMC and Citrix NetScaler logs for unauthorized administrative access or deserialization errors around 2026-03-19 to present.
  2. Mail Server Logs: Audit SmarterMail logs for successful authentication without a corresponding login form submission (bypass).
  3. Process Anomalies: Hunt for vssadmin.exe deletion commands or wbadmin deletion attempts.

Critical Assets Prioritized for Exfiltration:

  • PII/HR Databases (High value in Business Services sector).
  • Source Code/IP (Targeted in Technology sector victims like "Securitevolfeu").
  • Government Planning Documents (Targeted in Public Sector victims).

Containment Actions:

  1. Isolate: Disconnect Cisco FMC and Citrix ADCs from the internet if patching cannot be verified immediately.
  2. Suspend: Suspend all non-essential VPN and RDP access until MFA is enforced on all accounts.
  3. Credential Reset: Force reset of credentials for all local admin accounts on edge appliances.

Hardening Recommendations

Immediate (24 Hours):

  • Patch CVE-2026-20131 & CVE-2025-5777: Apply the Cisco and Citrix patches immediately. If patching is delayed, block management interfaces (TCP 443/80) from the public internet, restricting access to VPN-only ranges.
  • Disable SmarterMail Alternate Paths: If running SmarterMail, ensure the vulnerable legacy paths mentioned in CVE-2026-23760 are blocked via WAF.

Short-term (2 Weeks):

  • Network Segmentation: Move management interfaces of security appliances (Firewalls/ADCs) to a dedicated OOB (Out-of-Band) management VLAN.
  • Implement MFA: Enforce FIDO2 or certificate-based authentication for all remote access and administrative portals.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangcoinbasecartelransomwarecisco-fmccitrix-netscalersmartermailthreat-intel

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action