Back to Intelligence

M3RX Ransomware Gang: 3 New Victims Posted — Business Services Targeted & Critical CVE Exploitation

SA
Security Arsenal Team
July 12, 2026
6 min read

Overview: M3RX is a relatively new but aggressive ransomware operation utilizing a RaaS (Ransomware-as-a-Service) model with a growing affiliate network. They distinguish themselves through rapid exploitation of newly disclosed vulnerabilities in perimeter security appliances, moving from initial access to encryption in under 72 hours.

Tactics & Operations:

  • Ransom Demands: Typically range from $500,000 to $2 million, varying by victim revenue.
  • Initial Access: Heavily reliant on exploiting edge devices (VPN gateways, Firewalls) and remote management software (RMM). Phishing is observed but secondary to vulnerability scanning.
  • Extortion Model: Strict double extortion. Data is exfiltrated prior to encryption and hosted on their Tor leak site. They threaten DDoS attacks if contact is not established within 48 hours.
  • Dwell Time: Short. Average dwell time is approximately 3-4 days, suggesting automated exploitation tools linked to the CISA KEV list.

Current Campaign Analysis

Campaign Dates: 2026-07-12 (Live Pulse)

Sector Focus: The recent postings indicate a pivot towards Business Services. Two out of three victims (foreconinc.com, wrtworld.com) fall into this sector. The third victim (eclective.ie) is uncategorized but fits the profile of a mid-sized service provider. Business services are prime targets as they often possess privileged access to larger downstream clients (supply chain jumping).

Geographic Concentration:

  • United States (US): 2 victims
  • Ireland (IE): 1 victim

Victim Profile: Based on the identified targets, M3RX is currently hunting mid-market organizations (revenue $10M - $100M). These organizations often have robust internet-facing infrastructure (necessary for business services) but may lag in patching cycle latency compared to enterprise giants.

CVE Correlation & Attack Vector: The recent victims correlate strongly with the active exploitation of CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2026-50751 (Check Point Security Gateway).

  • ConnectWise ScreenConnect: Widely used by Managed Service Providers (MSPs) and IT teams within the Business Services sector.
  • Check Point Gateway: A staple for US-based business services requiring secure VPN tunnels.

Escalation Pattern: The posting of 3 victims on a single day (2026-07-12) after a low volume (3 in last 100) suggests a "bulk-breach" event, likely through a single exploited vulnerability (e.g., a mass scan for unpatched ScreenConnect instances) followed by manual deployment on high-value targets.


Detection Engineering

Sigma Rules

YAML
---
title: Potential ConnectWise ScreenConnect Authentication Bypass
id: 8a1b2c3d-4e5f-6789-0abc-def123456789
description: Detects potential exploitation of CVE-2024-1708 involving path traversal or anomalous authentication attempts in ScreenConnect logs.
status: experimental
author: Security Arsenal
date: 2026/07/12
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|contains: 'ScreenConnect'
        CommandLine|contains:
            - '..\..\'
            - '%windir%'
    condition: selection
falsepositives:
    - Legitimate administrative debugging (rare)
level: critical
---
title: Check Point VPN IKEv1 Anomalies
id: 9b2c3d4e-5f6a-7890-1bcd-ef234567890a
description: Identifies suspicious IKEv1 key exchange patterns indicative of CVE-2026-50751 exploitation attempts on Check Point Gateways.
status: experimental
author: Security Arsenal
date: 2026/07/12
logsource:
    product: firewall
    service: vpn
detection:
    selection_ike:
        protocol: 'IKEv1'
    selection_suspicious:
        action: 'accept' # Successful auth during exploit phase
        src_ip|startswith:
            - '10.' # Tunnel traffic indicating potential pivot
    filter_legit:
        user_name: 'svc_account_known' # Add known service accounts
    condition: selection_ike and selection_suspicious and not filter_legit
falsepositives:
    - Legacy VPN client reconnections
level: high
---
title: Ransomware Data Staging via High-Volume Archive Creation
id: 0c3d4e5f-6a7b-8901-2cde-f345678901bc
description: Detects rapid creation of high-volume archives (7z, rar, zip) often used by M3RX for data exfiltration prior to encryption.
status: experimental
author: Security Arsenal
date: 2026/07/12
logsource:
    category: process_creation
    product: windows
detection:
    selection_archiver:
        Image|endswith:
            - '\7z.exe'
            - '\winrar.exe'
            - '\rar.exe'
    selection_flags:
        CommandLine|contains:
            - '-m0'
            - '-m1' # Fastest compression methods used for speed
            - '-p' # Password protected
    selection_speed:
        CreationTime < 5m # Creating large archives quickly
    condition: all of selection_*
falsepositives:
    - Legitimate system backups
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and staging indicators associated with M3RX
DeviceProcessEvents
| where Timestamp > ago(3d)
// Targeting specific tools used in M3RX campaigns
| where ProcessCommandLine has "psexec" or 
    ProcessCommandLine has "wmic process call create" or 
    FileName has "rclone" or 
    FileName has "cobaltstrike"
// Exclude common admin noise
| where InitiatingProcessAccountName != "SYSTEM" 
| where InitiatingProcessFileName != "powershell.exe" 
| project Timestamp, DeviceName, AccountName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName
| order by Timestamp desc

PowerShell Response Script

PowerShell
<#
.SYNOPSIS
    Rapid Response Script for M3RX Indicators
.DESCRIPTION
    Checks for evidence of data staging, shadow copy deletion, and suspicious scheduled tasks.
#>

Write-Host "[+] Checking for Shadow Copy Manipulation (VssAdmin/WMI)..." -ForegroundColor Yellow
$vssEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue | 
    Where-Object {$_.Message -match 'VSSADMIN|shadowcopy|delete'}
if ($vssEvents) { $vssEvents | Select-Object TimeCreated, Message | Format-Table -AutoSize } 
else { Write-Host "No suspicious VSS events found." -ForegroundColor Green }

Write-Host "\n[+] Enumerating Scheduled Tasks created in last 24h..." -ForegroundColor Yellow
$suspiciousTasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddHours(-24) }
if ($suspiciousTasks) { $suspiciousTasks | Select-Object TaskName, Date, Author, Actions | Format-Table -AutoSize } 
else { Write-Host "No recent suspicious tasks found." -ForegroundColor Green }

Write-Host "\n[+] Scanning for High-Volume Archive Files (modified in 24h)..." -ForegroundColor Yellow
$archives = Get-ChildItem -Path C:\ -Include *.7z, *.rar, *.zip -Recurse -ErrorAction SilentlyContinue | 
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-24) -and $_.Length -gt 100MB }
if ($archives) { $archives | Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize } 
else { Write-Host "No large recent archives found." -ForegroundColor Green }


---

# Incident Response Priorities

**T-Minus Detection Checklist (Pre-Encryption):**
1.  **RMM Logs:** Audit ConnectWise ScreenConnect logs for failed logins or path traversal strings (e.g., `..\..\`).
2.  **VPN Logs:** Review Check Point logs for IKEv1 connections from non-corporate IP ranges.
3.  **Process Hunter:** Scan endpoints for `cmd.exe` or `powershell.exe` spawning `7z.exe` or `rclone.exe`.

**Critical Assets at Risk:**
*   **Active Directory Database (NTDS.dit):** High priority for credential dumping.
*   **Customer Data Repositories:** File servers containing PII/PCI data for business services clients.
*   **Financial Systems:** ERP databases for extortion leverage.

**Containment Actions (Order of Urgency):**
1.  **Disconnect VPN:** Terminate all active VPN sessions and force a credential reset for all VPN users.
2.  **Isolate RMM:** If ConnectWise ScreenConnect is suspected, immediately disable the external-facing web interface and move the service to an internal management VLAN.
3.  **Segmentation:** Cut off VLANs containing business services file servers from the rest of the network.

---

# Hardening Recommendations

**Immediate (24 Hours):**
*   **Patch CVE-2024-1708:** Apply the ConnectWise ScreenConnect patch immediately to all instances.
*   **Patch CVE-2026-50751:** Update Check Point Security Gateways to the latest version that mitigates the IKEv1 authentication bypass.
*   **MFA Enforcement:** Ensure hardware token or FIDO2 MFA is enforced on all VPN and RMM access points.

**Short-term (2 Weeks):**
*   **Network Segmentation:** Implement a "Zero Trust" access model for internal RMM tools. Ensure RMM agents cannot communicate directly with the internet if not required.
*   **E-DR Deployment:** Ensure all servers hosting business services data have Endpoint Detection and Response (EDR) agents installed and actively logging.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangm3rxransomwarebusiness-servicescve-2024-1708check-pointlateral-movement

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.