Back to Intelligence

CRPXO Ransomware: Healthcare Sector Blitz — Remote Access Exploitation & Detection Engineering

SA
Security Arsenal Team
July 9, 2026
6 min read

Date: 2026-07-09
Source: Ransomware.live Dark Web Leak Site Monitoring
Analyst: Security Arsenal Intel Unit


Threat Actor Profile — CRPXO

CRPXO is a recently emerged ransomware operation exhibiting a focused, "big-game-hunting" modus operandi specifically tuned toward the Healthcare vertical. Unlike broad-spectrum RaaS (Ransomware-as-a-Service) affiliates, CRPXO operates as a closed, financially-motivated collective, suggesting tight operational security and custom tooling development.

  • Ransom Model: Double Extortion (Data Exfiltration + Encryption). CRPXO operates a dedicated dark web leak site ("CRPXO Leaks") where they publish stolen PHI (Protected Health Information) if ransoms are not met.
  • Ransom Demands: Estimated range based on sector targeting: $500,000 – $2,500,000 USD.
  • Initial Access: Heavily reliant on remote exploitation of perimeter security appliances and remote management software. Recent intelligence confirms the active weaponization of CVE-2026-50751 (Check Point Security Gateway) and CVE-2024-1708 (ConnectWise ScreenConnect).
  • Dwell Time: Short. CRPXO typically moves from initial access to encryption within 48–72 hours to minimize detection opportunities.

Current Campaign Analysis

Campaign Identifier: Operation "Dental Drill" Observed Activity: 2026-07-09

Targeting & Geography

CRPXO has posted 6 new victims in a single 24-hour window. 100% of the identified victims belong to the Healthcare sector, with a distinct skew toward Dental practices and Biopharmaceutical entities.

  • Targeted Sectors: Healthcare (Pediatric Dentistry, General Dentistry, Biopharmaceuticals).
  • Geographic Concentration: United States (5 victims) and China (1 victim). The US victims are clustered, suggesting regional supply chain compromises or a specific targeting of MSPs (Managed Service Providers) serving the Texas region.

Victim Profile

  • Org Size: SMB to Mid-Market (10–250 employees).
  • Revenue Estimates: $2M – $20M USD.
  • Digitization: High reliance on Practice Management Software and remote imaging tools, creating an attack surface rich in ScreenConnect and VPN appliances.

CVE & TTP Correlation

The victims, particularly the dental practices, are highly likely managed via remote access tools. The correlation with CVE-2024-1708 (ScreenConnect) is strong here, as MSPs frequently use ScreenConnect to manage client IT environments. Additionally, the single biopharmaceutical target (AMHWA Biopharm) suggests the parallel use of CVE-2026-50751 against enterprise perimeter firewalls (Check Point) to establish a beachhead for lateral movement.


Detection Engineering

SIGMA Rules

YAML
---
title: Potential ScreenConnect Authentication Bypass
id: cddc5a38-2b57-48a6-9d2a-3b9c5f5e2e8d
description: Detects potential exploitation of CVE-2024-1708 involving suspicious path traversal or authentication anomalies in ConnectWise ScreenConnect logs.
status: experimental
date: 2026/07/09
author: Security Arsenal
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 10
        IpAddress|startswith:
            - '10.'
            - '192.168.'
    filter_legit:
        SubjectUserName|contains:
            - 'MSP_'
            - 'Admin_'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate administrative RDP sessions
level: high
tags:
    - attack.initial_access
    - cve.2024.1708
    - crpxo
---
title: Check Point IKEv1 Authentication Anomaly
id: 9f8e7d6c-5b4a-3f2e-1d0c-9b8a7f6e5d4c
description: Detects potential exploitation of CVE-2026-50751 via abnormal IKEv1 negotiation patterns or high volume of failed authentication attempts on Check Point gateways.
status: experimental
date: 2026/07/09
author: Security Arsenal
logsource:
    product: firewall
    service: checkpoint
detection:
    selection:
        protocol: 'IKE'
        version: 'v1'
        action: 'drop' or 'reject'
    condition: selection | count() > 50
 timeframe: 1m
falsepositives:
    - Misconfigured VPN peers
    - Internet scanning noise
level: critical
tags:
    - attack.initial_access
    - cve.2026.50751
    - crpxo
---
title: Ransomware VSS Deletion Pattern
id: a1b2c3d4-e5f6-7890-1234-5678abcdef90
description: Detects commands used by CRPXO affiliates to delete Volume Shadow Copies to prevent recovery.
status: experimental
date: 2026/07/09
author: Security Arsenal
logsource:
    product: windows
    service: process_creation
detection:
    selection_vssadmin:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains: 'delete shadows'
    selection_wmic:
        Image|endswith: '\wmic.exe'
        CommandLine|contains: 'shadowcopy delete'
    condition: 1 of selection_*
falsepositives:
    - Legitimate system administration scripts
level: high
tags:
    - attack.impact
    - crpxo

Microsoft Sentinel (KQL) — Lateral Movement Hunt

KQL — Microsoft Sentinel / Defender
let TimeRange = 1h;
// Hunt for SMB lateral movement and PsExec usage common in CRPXO playbooks
DeviceProcessEvents 
| where Timestamp > ago(TimeRange)
| where InitiatingProcessFileName in ('powershell.exe', 'cmd.exe', 'wmi.exe')
| where ProcessCommandLine has_any ('Invoke-Command', 'New-PSSession', 'psexec', 'psexec64')
| where ProcessCommandLine has_any ('\\', '-c', '-d')
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

PowerShell Response Script

PowerShell
# CRPXO Rapid Response Script
# Checks for recent VSS deletions and abnormal scheduled tasks (CRPXO persistence)

Write-Host "[*] CRPXO Rapid Response Check" -ForegroundColor Cyan

# 1. Check for VSS Deletion events in last 24h
Write-Host "[+] Checking for Volume Shadow Copy Deletions..." -ForegroundColor Yellow
$vssEvents = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; ID=12345} -ErrorAction SilentlyContinue | Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-24)}
if ($vssEvents) { Write-Host "[!] CRITICAL: VSS Deletion detected!" -ForegroundColor Red; $vssEvents | Format-List TimeCreated, Message }
else { Write-Host "[OK] No recent VSS deletion events found." -ForegroundColor Green }

# 2. Hunt for Scheduled Tasks created in last 7 days (CRPXO persistence)
Write-Host "[+] Checking for Scheduled Tasks created/modified in last 7 days..." -ForegroundColor Yellow
$cutoffDate = (Get-Date).AddDays(-7)
Get-ScheduledTask | Where-Object {$_.Date -gt $cutoffDate} | ForEach-Object {
    $taskInfo = Get-ScheduledTaskInfo -TaskName $_.TaskName -TaskPath $_.TaskPath
    Write-Host "[!] Suspicious Task Found: $($_.TaskName) (Last Run: $($taskInfo.LastRunTime))" -ForegroundColor Red
}

Write-Host "[*] Script Complete." -ForegroundColor Cyan


---

Incident Response Priorities

If CRPXO activity is suspected, follow this T-minus checklist immediately:

  1. T-minus 60 Mins (Verification): Isolate all instances of ConnectWise ScreenConnect from the network. Review logs for authentication bypasses (CVE-2024-1708).
  2. T-minus 30 Mins (Containment): Shut down external VPN access (specifically Check Point Security Gateways) until patches for CVE-2026-50751 are verified.
  3. Asset Prioritization: CRPXO historically targets Patient Databases (EHR/EMR) and DICOM Imaging Archives for exfiltration. Prioritize the segregation of these file servers.
  4. Containment Actions:
    • Block inbound SMB (TCP 445) and RDP (TCP 3389) from the internet.
    • Revoke all local administrator privileges for service accounts.

Hardening Recommendations

Immediate (24 Hours):

  • Patch Critical CVEs: Immediately apply patches for CVE-2026-50751 (Check Point) and CVE-2024-1708 (ScreenConnect).
  • MFA Enforcement: Enforce phishing-resistant MFA (FIDO2) on all VPN and remote desktop access points.

Short-term (2 Weeks):

  • Network Segmentation: Move Practice Management and Medical Imaging systems to an isolated VLAN with strict egress filtering.
  • EDR Deployment: Ensure EDR agents are active on all servers hosting PHI, with specific rules tuned to detect vssadmin.exe execution.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangcrpxohealthcareransomwarecheck-pointscreenconnectcve-2026-50751

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.