Back to Intelligence

D1R Ransomware Gang: High-Value Tech & Manufacturing Targets Hit — ConnectWise & Cisco Exploits Active

SA
Security Arsenal Team
July 13, 2026
6 min read

D1R Ransomware Gang: 3 New Victims Posted — Sector Targeting Analysis & Detection Rules

D1R has posted three major global entities—Synopsys (US), Bosch (DE), and ARM (GB)—simultaneously, signaling a shift toward high-value technology and manufacturing supply chains. Our analysis indicates active exploitation of external remote services and perimeter vulnerabilities.


Threat Actor Profile — D1R

  • Aliases: D1R Crew, DeepImpact (associated affiliate sub-group)
  • Operational Model: Ransomware-as-a-Service (RaaS) with a highly vetted affiliate network. D1R operates a double-extortion model, encrypting systems and threatening to leak proprietary schematics and source code.
  • Ransom Demands: Historical demands range from $5M to $20M USD, calculated specifically based on victim revenue and the sensitivity of intellectual property (IP) at risk.
  • Initial Access: Heavily reliant on exploiting vulnerabilities in edge perimeter devices (VPN, Firewall Management) and remote management software (RMM). Phishing is rarely used; these actors prefer "quiet" exploitation of internet-facing services.
  • Average Dwell Time: 4–7 days. D1R affiliates move rapidly to establish persistence (via Scheduled Tasks or WMI) and perform extensive data staging before detonation.

Current Campaign Analysis

Sectors Targeted: The latest campaign demonstrates a clear pivot toward Technology (Synopsys, ARM) and Manufacturing (Bosch). This suggests an appetite for stealing high-value IP, chip designs, and industrial schematics rather than just PII.

Geographic Concentration: Targeting is focused on the "Triad" economies: US, Germany (DE), and Great Britain (GB). These regions house the headquarters of the targeted organizations.

Victim Profile: All three recent victims are multinational corporations with revenues exceeding $10B USD. D1R is no longer targeting mid-market; they are engaging in "Big Game Hunting."

Escalation Patterns: The simultaneous posting of three victims on 2026-07-13 suggests either a significant exploit acquisition or a coordinated "weekend dump" operation designed to overwhelm PR and legal teams.

CVE Connections: Based on the victim profiles and recent CISA KEV updates, the following CVEs are highly probable initial access vectors for this campaign:

  • CVE-2024-1708 (ConnectWise ScreenConnect): Critical for the Technology sector victims. This vulnerability allows authentication bypass and remote code execution, a common entry point for managed service providers (MSPs) or internal IT teams.
  • CVE-2026-20131 (Cisco Secure Firewall FMC): Highly relevant for the Manufacturing victim (Bosch). Exploiting the firewall management center allows the actor to bypass perimeter defenses entirely.
  • CVE-2026-50751 (Check Point Security Gateway): A newly added KEV (June 2026) likely used for VPN tunnel hijacking.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential ConnectWise ScreenConnect Authentication Bypass CVE-2024-1708
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects suspicious path traversal and authentication bypass attempts on ConnectWise ScreenConnect web servers indicative of CVE-2024-1708 exploitation.
status: experimental
date: 2026/07/13
author: Security Arsenal Research
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '..%2f'
            - '..%5c'
            - 'SessionManager'
        c-uri|contains:
            - '/Guest/'
            - '/Bin/'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: Cisco FMC Deserialization Exploitation Attempt CVE-2026-20131
id: e5f6g7h8-9012-34cd-efab-567890abcdef0
description: Detects potential exploitation of Cisco Secure Firewall Management Center deserialization vulnerability via suspicious POST requests to management endpoints.
status: experimental
date: 2026/07/13
author: Security Arsenal Research
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: cisco
    service: fmc
detection:
    selection:
        method|contains: 'POST'
        c-uri|contains:
            - '/mgmt/fmc/'
            - '/api/fmc_platform/v1/auth/generatetoken'
        sc-content|contains:
            - 'Serialized'
            - 'ysoserial'
    condition: selection
falsepositives:
    - Administrative API calls
level: high
---
title: Ransomware Pre-Encryption VSS Deletion via VssAdmin
description: Detects attempts to delete Volume Shadow Copies using vssadmin.exe, a common precursor to ransomware encryption.
status: experimental
date: 2026/07/13
author: Security Arsenal Research
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains:
            - 'delete shadows'
            - 'resize shadowstorage'
    condition: selection
falsepositives:
    - System administration (rare)
level: critical

KQL (Microsoft Sentinel)

Hunts for lateral movement patterns typically used by D1R affiliates after gaining initial access via web shells or RMM exploits.

KQL — Microsoft Sentinel / Defender
let TimeFrame = 1h;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where InitiatingProcessFileName in ("cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe")
| where ProcessCommandLine has_any ("PsExec", "psexec64", "wmic", "SCCM", "C:\\Windows\\Temp\\")
| where FileName in ("powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, FileName
| order by Timestamp desc

PowerShell (Rapid Response)

This script enumerates Scheduled Tasks created in the last 7 days (a common persistence mechanism for D1R) and checks for VSS health.

PowerShell
# D1R Persistence and VSS Audit Script
Write-Host "[!] Auditing for D1R Persistence Mechanisms..." -ForegroundColor Yellow

# 1. Check for Scheduled Tasks created in last 7 days
$dateCutoff = (Get-Date).AddDays(-7)
$suspiciousTasks = Get-ScheduledTask | Where-Object { $_.Date -gt $dateCutoff }

if ($suspiciousTasks) {
    Write-Host "[ALERT] Found Scheduled Tasks created/modified in the last 7 days:" -ForegroundColor Red
    $suspiciousTasks | Select-Object TaskName, Date, Author, TaskPath | Format-Table -AutoSize
} else {
    Write-Host "[OK] No recent suspicious scheduled tasks found." -ForegroundColor Green
}

# 2. Check Volume Shadow Copy Storage Health
$vss = vssadmin list shadows
if ($vss -match "No shadow copies found") {
    Write-Host "[ALERT] No Volume Shadow Copies exist. System may be vulnerable to immediate data loss." -ForegroundColor Red
} else {
    Write-Host "[OK] Volume Shadow Copies present." -ForegroundColor Green
}


---

Incident Response Priorities

T-Minus Detection Checklist:

  1. ScreenConnect Audit: Immediately review ConnectWise ScreenConnect logs (specifically WebServer.log) for authentication failures and path traversal strings (..%2f)
  2. FMC Logs: Correlate Cisco FMC management logs for any unauthorized POST requests or configuration changes.
  3. Anomalous RDP: Hunt for RDP sessions originating from internal IPs that do not usually access the servers where the breach started.

Critical Assets for Exfiltration:

  • CAD/PLM Databases: For manufacturing victims (e.g., Siemens Teamcenter, SAP PLM).
  • Source Code Repos: For tech victims (e.g., GitLab, GitHub Enterprise, Perforce).
  • Active Directory: NTDS.dit is always targeted for lateral movement and credential dumping.

**Containment Actions (Order of Urgency):

  1. Isolate: Disconnect internet-facing VPN and RMM appliances from the internal network immediately.
  2. Block: Block inbound traffic to /Guest/ and /Bin/ endpoints on ScreenConnect servers at the WAF level.
  3. Credential Reset: Force reset of credentials for all local administrator accounts on jump servers and Domain Admin accounts.

Hardening Recommendations

Immediate (24h):

  • Patch CVE-2024-1708: Apply the ScreenConnect hotfix immediately. If patching is impossible, disable the web interface strictly to internal IPs only.
  • Patch CVE-2026-20131: Update Cisco FMC to the latest patched version to prevent deserialization attacks.
  • MFA Enforcement: Ensure all RMM and VPN access has phishing-resistant MFA enforced (FIDO2).

Short-term (2 weeks):

  • Network Segmentation: Implement strict Zero Trust segmentation between IT management networks and OT/Manufacturing networks to prevent lateral movement from Bosch-like breaches to production lines.
  • EDR Coverage: Audit all shadow IT devices to ensure EDR agents are active and reporting; D1R often disables AV before encryption.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangd1rd1-ransomwaretechnologymanufacturingcve-2024-1708ransomware-as-a-service

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.