On 2026-07-13, the D1R ransomware operation updated its dark web leak site with three high-profile victims: Synopsys (US), Bosch (DE), and ARM (GB). This marks a significant shift in targeting, focusing exclusively on large-cap Technology and Manufacturing entities across the US and Europe. Intelligence suggests D1R affiliates are actively exploiting newly disclosed vulnerabilities in perimeter security appliances, specifically Check Point Security Gateways and Cisco Secure Firewalls, to bypass traditional EDR defenses.
Threat Actor Profile — D1R
- Aliases: None currently confirmed (appears to be a rebrand or a new sophisticated private group operating without a public RaaS model).
- Operational Model: Closed-group operation. Evidence suggests tight-knit cells rather than open-access affiliate programs, given the high value of targets and specificity of tooling.
- Ransom Demands: Estimated in the tens of millions USD, correlating with victim revenue.
- Initial Access: Heavy reliance on perimeter device exploitation (VPN/Firewall zero-days) and Remote Monitoring and Management (RMM) software hijacking (e.g., ConnectWise, Nx Console).
- Extortion Strategy: Triple extortion: Data theft, encryption, and threat of DDoS if negotiated terms are leaked.
- Dwell Time: Short. Analysis indicates average dwell time of 3–5 days between initial perimeter breach and detonation.
Current Campaign Analysis
Targeting Sectors
D1R is currently executing a "Big Game Hunting" campaign, prioritizing:
- Technology: Specifically targeting semiconductor and software design firms (Synopsys, ARM) to steal high-value IP.
- Manufacturing: Focusing on industrial conglomerates (Bosch) with global supply chain footprints.
Geographic Concentration
- Primary: United States, Germany, United Kingdom.
Victim Profile
- Company Size: Fortune 500 / Global 2000 equivalents.
- Revenue Estimates: Multi-billion dollar annual revenue.
Exploited Vectors (CVE Linkage)
The campaign correlates with the exploitation of the following CISA KEV-listed vulnerabilities for initial access:
- CVE-2026-50751 (Check Point Security Gateway): Used to bypass VPN authentication and establish a foothold in the network perimeter.
- CVE-2026-20131 (Cisco Secure Firewall FMC): Likely utilized to bypass firewall management controls or pivot between network segments.
- CVE-2024-1708 (ConnectWise ScreenConnect): Observed in previous recon phases for lateral movement via managed service provider (MSP) remote access tools.
Detection Engineering
SIGMA Rules
title: Potential Check Point Gateway IKEv1 Exploitation (CVE-2026-50751)
id: 4a8f3d21-7b6c-4a9e-8f1d-2b3c4d5e6f7a
description: Detects potential exploitation of improper authentication in IKEv1 key exchange on Check Point Security Gateways as observed in D1R campaigns.
status: experimental
date: 2026/07/13
author: Security Arsenal Research
logsource:
product: firewall
service: check_point
detection:
selection:
product: 'VPN'
action: 'key_exchange'
protocol: 'IKEv1'
ike_mode|contains: 'aggressive'
condition: selection
falsepositives:
- Legitimate legacy VPN configurations using aggressive mode
level: high
tags:
- cve.2026.50751
- attack.initial_access
- detection.emerging_threats
---
title: Suspicious Cisco FMC Deserialization Activity
id: 5b9g4e32-8c7d-5b0f-9g2e-3c4d5e6f7g8b
description: Identifies signs of potential deserialization attacks targeting Cisco Secure Firewall Management Center (FMC) via suspicious web requests or script execution.
status: experimental
date: 2026/07/13
author: Security Arsenal Research
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
product: cisco
service: fmc
detection:
selection_uri:
c.uri|contains:
- '/api/fmc_config/v1/domain/'
- '/api/fmc_platform/v1/auth/'
selection_payload:
cs.method: 'POST'
c.query|contains: 'serialization'
condition: all of selection_*
falsepositives:
- Legitimate administrative API usage
level: critical
tags:
- cve.2026.20131
- attack.execution
- ransomware.d1r
---
title: Ransomware Data Staging - Mass Archive Creation
description: Detects potential data staging activity common in D1R operations involving mass creation of RAR/7z archives in user directories.
status: experimental
date: 2026/07/13
author: Security Arsenal Research
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '.rar'
- '.7z'
- '.zip'
Image|endswith:
- '\winrar.exe'
- '\7z.exe'
filter:
TargetFilename|contains:
- '\AppData\'
- '\Program Files\'
timeframe: 5m
condition: selection | count() > 5
falsepositives:
- Legitimate user backups
level: high
tags:
- attack.exfiltration
- attack.collection
- d1r
KQL (Microsoft Sentinel)
Hunts for lateral movement via remote management tools and suspicious process execution patterns associated with D1R.
// Hunt for D1R Lateral Movement and Staging
let TimeRange = ago(7d);
DeviceProcessEvents
| where Timestamp >= TimeRange
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "wmiexec.exe", "psexec.exe", "psexec64.exe") or
InitiatingProcessCommandLine has_any ("-enc", "Invoke-Expression", "DownloadString")
| where FileName in ("rar.exe", "7z.exe", "winrar.exe", "vssadmin.exe", "wbadmin.exe")
| extend HostName = DeviceName
| project Timestamp, HostName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
| order by Timestamp desc
PowerShell Rapid Response
Script to identify potential D1R staging activity and check for vulnerable service configurations.
<#
.SYNOPSIS
D1R Ransomware Response Check
.DESCRIPTION
Checks for mass file archiving (staging), recent scheduled tasks (persistence), and queries specific services related to exploited CVEs.
#>
Write-Host "[+] Checking for mass archival activity (Exfil Staging)..." -ForegroundColor Cyan
$recentArchives = Get-ChildItem -Path C:\Users -Filter *.rar -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-24) }
if ($recentArchives) { Write-Host "[!] WARNING: Recent RAR files found: " $recentArchives.FullName -ForegroundColor Red }
Write-Host "[+] Checking for suspicious Scheduled Tasks (Persistence)..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) } | Select TaskName, Date, Author
Write-Host "[+] Checking Service Status for High-Risk Vectors..." -ForegroundColor Cyan
$services = @("CPD", "SfrMonitor", "ScreenConnect Client Service")
foreach ($svc in $services) {
$status = Get-Service -Name $svc -ErrorAction SilentlyContinue
if ($status) { Write-Host "[+] Found Service: $($svc) - Status: $($status.Status)" -ForegroundColor Yellow }
}
Incident Response Priorities
T-minus Detection Checklist (Pre-Encryption)
- Perimeter Logs: Immediate scrub of Check Point and Cisco FMC logs for IKEv1 aggressive mode requests or unexpected API calls related to CVE-2026-50751 and CVE-2026-20131.
- Remote Access: Audit ConnectWise ScreenConnect logs for successful logins from non-corporate IP ranges or unusual authentication patterns.
- Process Anomalies: Hunt for instances of
winrar.exeor7z.exespawning fromcmd.exeorpowershell.exeon servers.
Critical Assets Prioritized for Exfiltration
Based on victim profiling (Synopsys, ARM), D1R aggressively targets:
- Source code repositories (Git, SVN).
- Semiconductor design schematics (CAD files).
- Mergers and Acquisitions (M&A) data.
- Employee PII and HR databases.
Containment Actions
- Perimeter Isolation: If Check Point or Cisco devices are suspected, assume credentials are compromised. Rotate MFA keys and force re-authentication for all VPN users.
- Segmentation: Sever connections between IT and OT/Manufacturing networks immediately (critical for Bosch-like victims).
- Account Suspension: Suspend accounts of privileged users who recently authenticated via ScreenConnect or VPN from anomalous geolocations.
Hardening Recommendations
Immediate (24 Hours)
- Patch Critical CVEs: Apply patches for CVE-2026-50751 (Check Point) and CVE-2026-20131 (Cisco FMC) immediately. If patching is delayed, disable affected services or enforce strict IP allow-listing.
- Disable ScreenConnect: If not strictly required for emergency operations, temporarily disable the ConnectWise ScreenConnect web interface or enable Multi-Factor Authentication (MFA) enforcement immediately.
Short-term (2 Weeks)
- Network Architecture: Implement a Zero Trust Network Access (ZTNA) model for remote access, replacing traditional VPN tunnels with application-level gateways.
- MFA Hardening: Move from push notification MFA to FIDO2/WebAuthn hardware keys for all administrator accounts on security appliances.
- Egress Filtering: Block outbound traffic to known non-business file-sharing endpoints (MEGA, Dropbox personal) and anomalous ports often used for exfiltration.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.