D1R Ransomware Gang: 3 New Victims Posted — Sector Targeting Analysis & Detection Rules
D1R has posted three major global entities—Synopsys (US), Bosch (DE), and ARM (GB)—simultaneously, signaling a shift toward high-value technology and manufacturing supply chains. Our analysis indicates active exploitation of external remote services and perimeter vulnerabilities.
Threat Actor Profile — D1R
- Aliases: D1R Crew, DeepImpact (associated affiliate sub-group)
- Operational Model: Ransomware-as-a-Service (RaaS) with a highly vetted affiliate network. D1R operates a double-extortion model, encrypting systems and threatening to leak proprietary schematics and source code.
- Ransom Demands: Historical demands range from $5M to $20M USD, calculated specifically based on victim revenue and the sensitivity of intellectual property (IP) at risk.
- Initial Access: Heavily reliant on exploiting vulnerabilities in edge perimeter devices (VPN, Firewall Management) and remote management software (RMM). Phishing is rarely used; these actors prefer "quiet" exploitation of internet-facing services.
- Average Dwell Time: 4–7 days. D1R affiliates move rapidly to establish persistence (via Scheduled Tasks or WMI) and perform extensive data staging before detonation.
Current Campaign Analysis
Sectors Targeted: The latest campaign demonstrates a clear pivot toward Technology (Synopsys, ARM) and Manufacturing (Bosch). This suggests an appetite for stealing high-value IP, chip designs, and industrial schematics rather than just PII.
Geographic Concentration: Targeting is focused on the "Triad" economies: US, Germany (DE), and Great Britain (GB). These regions house the headquarters of the targeted organizations.
Victim Profile: All three recent victims are multinational corporations with revenues exceeding $10B USD. D1R is no longer targeting mid-market; they are engaging in "Big Game Hunting."
Escalation Patterns: The simultaneous posting of three victims on 2026-07-13 suggests either a significant exploit acquisition or a coordinated "weekend dump" operation designed to overwhelm PR and legal teams.
CVE Connections: Based on the victim profiles and recent CISA KEV updates, the following CVEs are highly probable initial access vectors for this campaign:
- CVE-2024-1708 (ConnectWise ScreenConnect): Critical for the Technology sector victims. This vulnerability allows authentication bypass and remote code execution, a common entry point for managed service providers (MSPs) or internal IT teams.
- CVE-2026-20131 (Cisco Secure Firewall FMC): Highly relevant for the Manufacturing victim (Bosch). Exploiting the firewall management center allows the actor to bypass perimeter defenses entirely.
- CVE-2026-50751 (Check Point Security Gateway): A newly added KEV (June 2026) likely used for VPN tunnel hijacking.
Detection Engineering
SIGMA Rules
---
title: Potential ConnectWise ScreenConnect Authentication Bypass CVE-2024-1708
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects suspicious path traversal and authentication bypass attempts on ConnectWise ScreenConnect web servers indicative of CVE-2024-1708 exploitation.
status: experimental
date: 2026/07/13
author: Security Arsenal Research
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- '..%2f'
- '..%5c'
- 'SessionManager'
c-uri|contains:
- '/Guest/'
- '/Bin/'
condition: selection
falsepositives:
- Unknown
level: critical
---
title: Cisco FMC Deserialization Exploitation Attempt CVE-2026-20131
id: e5f6g7h8-9012-34cd-efab-567890abcdef0
description: Detects potential exploitation of Cisco Secure Firewall Management Center deserialization vulnerability via suspicious POST requests to management endpoints.
status: experimental
date: 2026/07/13
author: Security Arsenal Research
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
product: cisco
service: fmc
detection:
selection:
method|contains: 'POST'
c-uri|contains:
- '/mgmt/fmc/'
- '/api/fmc_platform/v1/auth/generatetoken'
sc-content|contains:
- 'Serialized'
- 'ysoserial'
condition: selection
falsepositives:
- Administrative API calls
level: high
---
title: Ransomware Pre-Encryption VSS Deletion via VssAdmin
description: Detects attempts to delete Volume Shadow Copies using vssadmin.exe, a common precursor to ransomware encryption.
status: experimental
date: 2026/07/13
author: Security Arsenal Research
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\vssadmin.exe'
CommandLine|contains:
- 'delete shadows'
- 'resize shadowstorage'
condition: selection
falsepositives:
- System administration (rare)
level: critical
KQL (Microsoft Sentinel)
Hunts for lateral movement patterns typically used by D1R affiliates after gaining initial access via web shells or RMM exploits.
let TimeFrame = 1h;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where InitiatingProcessFileName in ("cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe")
| where ProcessCommandLine has_any ("PsExec", "psexec64", "wmic", "SCCM", "C:\\Windows\\Temp\\")
| where FileName in ("powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, FileName
| order by Timestamp desc
PowerShell (Rapid Response)
This script enumerates Scheduled Tasks created in the last 7 days (a common persistence mechanism for D1R) and checks for VSS health.
# D1R Persistence and VSS Audit Script
Write-Host "[!] Auditing for D1R Persistence Mechanisms..." -ForegroundColor Yellow
# 1. Check for Scheduled Tasks created in last 7 days
$dateCutoff = (Get-Date).AddDays(-7)
$suspiciousTasks = Get-ScheduledTask | Where-Object { $_.Date -gt $dateCutoff }
if ($suspiciousTasks) {
Write-Host "[ALERT] Found Scheduled Tasks created/modified in the last 7 days:" -ForegroundColor Red
$suspiciousTasks | Select-Object TaskName, Date, Author, TaskPath | Format-Table -AutoSize
} else {
Write-Host "[OK] No recent suspicious scheduled tasks found." -ForegroundColor Green
}
# 2. Check Volume Shadow Copy Storage Health
$vss = vssadmin list shadows
if ($vss -match "No shadow copies found") {
Write-Host "[ALERT] No Volume Shadow Copies exist. System may be vulnerable to immediate data loss." -ForegroundColor Red
} else {
Write-Host "[OK] Volume Shadow Copies present." -ForegroundColor Green
}
---
Incident Response Priorities
T-Minus Detection Checklist:
- ScreenConnect Audit: Immediately review ConnectWise ScreenConnect logs (specifically
WebServer.log) for authentication failures and path traversal strings (..%2f) - FMC Logs: Correlate Cisco FMC management logs for any unauthorized
POSTrequests or configuration changes. - Anomalous RDP: Hunt for RDP sessions originating from internal IPs that do not usually access the servers where the breach started.
Critical Assets for Exfiltration:
- CAD/PLM Databases: For manufacturing victims (e.g., Siemens Teamcenter, SAP PLM).
- Source Code Repos: For tech victims (e.g., GitLab, GitHub Enterprise, Perforce).
- Active Directory: NTDS.dit is always targeted for lateral movement and credential dumping.
**Containment Actions (Order of Urgency):
- Isolate: Disconnect internet-facing VPN and RMM appliances from the internal network immediately.
- Block: Block inbound traffic to
/Guest/and/Bin/endpoints on ScreenConnect servers at the WAF level. - Credential Reset: Force reset of credentials for all local administrator accounts on jump servers and Domain Admin accounts.
Hardening Recommendations
Immediate (24h):
- Patch CVE-2024-1708: Apply the ScreenConnect hotfix immediately. If patching is impossible, disable the web interface strictly to internal IPs only.
- Patch CVE-2026-20131: Update Cisco FMC to the latest patched version to prevent deserialization attacks.
- MFA Enforcement: Ensure all RMM and VPN access has phishing-resistant MFA enforced (FIDO2).
Short-term (2 weeks):
- Network Segmentation: Implement strict Zero Trust segmentation between IT management networks and OT/Manufacturing networks to prevent lateral movement from Bosch-like breaches to production lines.
- EDR Coverage: Audit all shadow IT devices to ensure EDR agents are active and reporting; D1R often disables AV before encryption.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.