Date: 2026-07-09
Source: Ransomware.live Dark Web Leak Site Monitoring
Analyst: Security Arsenal Intel Unit
Threat Actor Profile — CRPXO
CRPXO is a recently emerged ransomware operation exhibiting a focused, "big-game-hunting" modus operandi specifically tuned toward the Healthcare vertical. Unlike broad-spectrum RaaS (Ransomware-as-a-Service) affiliates, CRPXO operates as a closed, financially-motivated collective, suggesting tight operational security and custom tooling development.
- Ransom Model: Double Extortion (Data Exfiltration + Encryption). CRPXO operates a dedicated dark web leak site ("CRPXO Leaks") where they publish stolen PHI (Protected Health Information) if ransoms are not met.
- Ransom Demands: Estimated range based on sector targeting: $500,000 – $2,500,000 USD.
- Initial Access: Heavily reliant on remote exploitation of perimeter security appliances and remote management software. Recent intelligence confirms the active weaponization of CVE-2026-50751 (Check Point Security Gateway) and CVE-2024-1708 (ConnectWise ScreenConnect).
- Dwell Time: Short. CRPXO typically moves from initial access to encryption within 48–72 hours to minimize detection opportunities.
Current Campaign Analysis
Campaign Identifier: Operation "Dental Drill" Observed Activity: 2026-07-09
Targeting & Geography
CRPXO has posted 6 new victims in a single 24-hour window. 100% of the identified victims belong to the Healthcare sector, with a distinct skew toward Dental practices and Biopharmaceutical entities.
- Targeted Sectors: Healthcare (Pediatric Dentistry, General Dentistry, Biopharmaceuticals).
- Geographic Concentration: United States (5 victims) and China (1 victim). The US victims are clustered, suggesting regional supply chain compromises or a specific targeting of MSPs (Managed Service Providers) serving the Texas region.
Victim Profile
- Org Size: SMB to Mid-Market (10–250 employees).
- Revenue Estimates: $2M – $20M USD.
- Digitization: High reliance on Practice Management Software and remote imaging tools, creating an attack surface rich in ScreenConnect and VPN appliances.
CVE & TTP Correlation
The victims, particularly the dental practices, are highly likely managed via remote access tools. The correlation with CVE-2024-1708 (ScreenConnect) is strong here, as MSPs frequently use ScreenConnect to manage client IT environments. Additionally, the single biopharmaceutical target (AMHWA Biopharm) suggests the parallel use of CVE-2026-50751 against enterprise perimeter firewalls (Check Point) to establish a beachhead for lateral movement.
Detection Engineering
SIGMA Rules
---
title: Potential ScreenConnect Authentication Bypass
id: cddc5a38-2b57-48a6-9d2a-3b9c5f5e2e8d
description: Detects potential exploitation of CVE-2024-1708 involving suspicious path traversal or authentication anomalies in ConnectWise ScreenConnect logs.
status: experimental
date: 2026/07/09
author: Security Arsenal
logsource:
product: windows
service: security
detection:
selection:
EventID: 4624
LogonType: 10
IpAddress|startswith:
- '10.'
- '192.168.'
filter_legit:
SubjectUserName|contains:
- 'MSP_'
- 'Admin_'
condition: selection and not filter_legit
falsepositives:
- Legitimate administrative RDP sessions
level: high
tags:
- attack.initial_access
- cve.2024.1708
- crpxo
---
title: Check Point IKEv1 Authentication Anomaly
id: 9f8e7d6c-5b4a-3f2e-1d0c-9b8a7f6e5d4c
description: Detects potential exploitation of CVE-2026-50751 via abnormal IKEv1 negotiation patterns or high volume of failed authentication attempts on Check Point gateways.
status: experimental
date: 2026/07/09
author: Security Arsenal
logsource:
product: firewall
service: checkpoint
detection:
selection:
protocol: 'IKE'
version: 'v1'
action: 'drop' or 'reject'
condition: selection | count() > 50
timeframe: 1m
falsepositives:
- Misconfigured VPN peers
- Internet scanning noise
level: critical
tags:
- attack.initial_access
- cve.2026.50751
- crpxo
---
title: Ransomware VSS Deletion Pattern
id: a1b2c3d4-e5f6-7890-1234-5678abcdef90
description: Detects commands used by CRPXO affiliates to delete Volume Shadow Copies to prevent recovery.
status: experimental
date: 2026/07/09
author: Security Arsenal
logsource:
product: windows
service: process_creation
detection:
selection_vssadmin:
Image|endswith: '\vssadmin.exe'
CommandLine|contains: 'delete shadows'
selection_wmic:
Image|endswith: '\wmic.exe'
CommandLine|contains: 'shadowcopy delete'
condition: 1 of selection_*
falsepositives:
- Legitimate system administration scripts
level: high
tags:
- attack.impact
- crpxo
Microsoft Sentinel (KQL) — Lateral Movement Hunt
let TimeRange = 1h;
// Hunt for SMB lateral movement and PsExec usage common in CRPXO playbooks
DeviceProcessEvents
| where Timestamp > ago(TimeRange)
| where InitiatingProcessFileName in ('powershell.exe', 'cmd.exe', 'wmi.exe')
| where ProcessCommandLine has_any ('Invoke-Command', 'New-PSSession', 'psexec', 'psexec64')
| where ProcessCommandLine has_any ('\\', '-c', '-d')
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, FolderPath
| order by Timestamp desc
PowerShell Response Script
# CRPXO Rapid Response Script
# Checks for recent VSS deletions and abnormal scheduled tasks (CRPXO persistence)
Write-Host "[*] CRPXO Rapid Response Check" -ForegroundColor Cyan
# 1. Check for VSS Deletion events in last 24h
Write-Host "[+] Checking for Volume Shadow Copy Deletions..." -ForegroundColor Yellow
$vssEvents = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; ID=12345} -ErrorAction SilentlyContinue | Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-24)}
if ($vssEvents) { Write-Host "[!] CRITICAL: VSS Deletion detected!" -ForegroundColor Red; $vssEvents | Format-List TimeCreated, Message }
else { Write-Host "[OK] No recent VSS deletion events found." -ForegroundColor Green }
# 2. Hunt for Scheduled Tasks created in last 7 days (CRPXO persistence)
Write-Host "[+] Checking for Scheduled Tasks created/modified in last 7 days..." -ForegroundColor Yellow
$cutoffDate = (Get-Date).AddDays(-7)
Get-ScheduledTask | Where-Object {$_.Date -gt $cutoffDate} | ForEach-Object {
$taskInfo = Get-ScheduledTaskInfo -TaskName $_.TaskName -TaskPath $_.TaskPath
Write-Host "[!] Suspicious Task Found: $($_.TaskName) (Last Run: $($taskInfo.LastRunTime))" -ForegroundColor Red
}
Write-Host "[*] Script Complete." -ForegroundColor Cyan
---
Incident Response Priorities
If CRPXO activity is suspected, follow this T-minus checklist immediately:
- T-minus 60 Mins (Verification): Isolate all instances of ConnectWise ScreenConnect from the network. Review logs for authentication bypasses (CVE-2024-1708).
- T-minus 30 Mins (Containment): Shut down external VPN access (specifically Check Point Security Gateways) until patches for CVE-2026-50751 are verified.
- Asset Prioritization: CRPXO historically targets Patient Databases (EHR/EMR) and DICOM Imaging Archives for exfiltration. Prioritize the segregation of these file servers.
- Containment Actions:
- Block inbound SMB (TCP 445) and RDP (TCP 3389) from the internet.
- Revoke all local administrator privileges for service accounts.
Hardening Recommendations
Immediate (24 Hours):
- Patch Critical CVEs: Immediately apply patches for CVE-2026-50751 (Check Point) and CVE-2024-1708 (ScreenConnect).
- MFA Enforcement: Enforce phishing-resistant MFA (FIDO2) on all VPN and remote desktop access points.
Short-term (2 Weeks):
- Network Segmentation: Move Practice Management and Medical Imaging systems to an isolated VLAN with strict egress filtering.
- EDR Deployment: Ensure EDR agents are active on all servers hosting PHI, with specific rules tuned to detect
vssadmin.exeexecution.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.