
Crypto24 ransomware targets enterprises with advanced EDR evasion

Summary

– The Crypto24 ransomware group uses custom tools to bypass security, steal data, and encrypt files, targeting high-value sectors like finance and tech.
– First reported in September 2024, Crypto24 is likely composed of former members of defunct ransomware operations.
– After breaching networks, Crypto24 creates or activates admin accounts, deploys keyloggers, and uses custom malware to disable security tools from multiple vendors.
– The group exfiltrates stolen data to Google Drive and deletes volume shadow copies to hinder recovery before executing ransomware.
– Trend Micro provides indicators of compromise to help defenders detect and block Crypto24 attacks early.

A ransomware operation dubbed Crypto24 has emerged as a significant threat to enterprises worldwide, employing custom tooling to bypass endpoint detection and response (EDR) systems. Trend Micro researchers have observed the group targeting high-profile organizations across multiple continents, with a particular focus on financial institutions, manufacturing firms, entertainment companies, and technology providers.

First reported in September 2024, Crypto24 initially flew under the radar before escalating its operations. Researchers believe the group consists of experienced cybercriminals, possibly former members of disbanded ransomware gangs, given its technical proficiency and operational discipline.

Once inside a network, the attackers use a multi-stage approach to maintain persistence and evade detection. They begin by re-enabling dormant administrative accounts or creating new local user accounts so that their activity blends in with legitimate administration. A custom reconnaissance script then maps the environment, identifying critical systems, user accounts, and storage configurations.

The intrusion then installs two primary payloads, both registered as services with names chosen to resemble Windows components:

  • WinMainSvc, a stealthy keylogger disguised as a Microsoft utility
  • MSRuntime, a loader that delivers the final ransomware payload

What makes Crypto24 particularly dangerous is its ability to neutralize security software. The group uses a modified version of RealBlindingEDR, an open-source tool built to blind endpoint protection products. The utility looks for security agents from major vendors, including Trend Micro, Kaspersky, and SentinelOne, and strips the kernel callbacks those agents rely on for process, file and registry monitoring. The agent process keeps running and looks healthy from the console, but it no longer sees what happens on the host; a sudden drop in telemetry from an otherwise active machine, or the loading of an unexpected kernel driver, is therefore the signal defenders should watch for.

Where Trend Micro's Trend Vision One is present, the attackers go further and run the vendor's own legitimate uninstaller (XBCUninstaller.exe) to remove the agent completely. Because the binary is signed and expected, it is unlikely to be blocked on its own; the execution of an EDR uninstaller outside a planned change window, and an endpoint silently disappearing from the management console, should both be treated as incidents rather than maintenance noise.

Data exfiltration goes through Google Drive: stolen files are uploaded with a custom tool that talks to Google's API, so the traffic is TLS to a legitimate, widely allowed domain and is not caught by domain blocking alone; unusual upload volumes, or uploads from processes that have no business talking to Google APIs, are the practical indicators. Before encrypting files, the ransomware deletes Volume Shadow Copies to hinder recovery, a common tactic among modern ransomware strains.
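Each stage of the chain described above leaves a distinct Windows event behind (account enabled or created, a new service, a process creation), and the strongest signal is several of those stages landing on one host in a short window. The following hunting logic is an added example, not Trend Micro's or BleepingComputer's code and not one of the published IOCs. It runs simple rules over constructed sample events: the hostnames, user names, timestamps and file paths are invented, and the flattened JSON field layout (EventData keys beside EventID and Computer) is an assumption about the log export. It also generalizes slightly beyond the article by matching the wmic form of shadow-copy deletion alongside vssadmin.

```python
import json
import re
from collections import defaultdict

# Constructed sample events, one JSON object per line. Everything here is
# invented for the example; the field names assume a flattened export.
SAMPLE_LOG = r'''
{"t":"2025-08-14T01:02:03Z","EventID":4722,"Computer":"FS01","TargetUserName":"Administrator","SubjectUserName":"svc_backup"}
{"t":"2025-08-14T01:03:10Z","EventID":4720,"Computer":"FS01","TargetUserName":"updater","SubjectUserName":"Administrator"}
{"t":"2025-08-14T01:03:12Z","EventID":4732,"Computer":"FS01","TargetUserName":"updater","GroupName":"Administrators"}
{"t":"2025-08-14T01:10:00Z","EventID":7045,"Computer":"FS01","ServiceName":"WinMainSvc","ImagePath":"C:\\Windows\\Temp\\WinMainSvc.exe"}
{"t":"2025-08-14T01:11:00Z","EventID":7045,"Computer":"FS01","ServiceName":"MSRuntime","ImagePath":"C:\\ProgramData\\MSRuntime.dll"}
{"t":"2025-08-14T01:20:00Z","EventID":4688,"Computer":"FS01","NewProcessName":"C:\\Users\\updater\\XBCUninstaller.exe","CommandLine":"C:\\Users\\updater\\XBCUninstaller.exe"}
{"t":"2025-08-14T01:30:00Z","EventID":4688,"Computer":"FS01","NewProcessName":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin delete shadows /all /quiet"}
{"t":"2025-08-14T09:00:00Z","EventID":7045,"Computer":"WS22","ServiceName":"Spooler","ImagePath":"C:\\Windows\\System32\\spoolsv.exe"}
{"t":"2025-08-14T09:05:00Z","EventID":4688,"Computer":"WS22","NewProcessName":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin list shadows"}
'''

# Service names the article attributes to Crypto24 (compared case-insensitively).
KNOWN_SERVICE_NAMES = {"winmainsvc", "msruntime"}
# Directories a legitimate service binary rarely lives in; heuristic, not proof.
USER_WRITABLE_DIRS = ("\\windows\\temp\\", "\\programdata\\", "\\users\\")
# Both common ways of wiping Volume Shadow Copies from a command line.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def classify(e):
    """Return the set of chain stages a single event evidences (usually 0 or 1)."""
    stages = set()
    eid = e.get("EventID")
    if eid == 4722:
        stages.add("account_enabled")        # a disabled (often built-in) account switched on
    elif eid == 4720:
        stages.add("account_created")        # new local user
    elif eid == 4732 and e.get("GroupName", "").lower() == "administrators":
        stages.add("admin_group_add")        # membership in the local Administrators group
    elif eid == 7045:
        name = e.get("ServiceName", "").lower()
        path = e.get("ImagePath", "").lower()
        if name in KNOWN_SERVICE_NAMES or any(d in path for d in USER_WRITABLE_DIRS):
            stages.add("suspicious_service")  # WinMainSvc / MSRuntime style persistence
    elif eid == 4688:
        proc = e.get("NewProcessName", "").lower()
        if proc.rsplit("\\", 1)[-1] == "xbcuninstaller.exe":
            stages.add("edr_uninstall")      # legitimate vendor uninstaller, abused
        if SHADOW_DELETE.search(e.get("CommandLine", "")):
            stages.add("shadow_delete")      # recovery inhibition before encryption
    return stages


def hunt(text):
    """Group hits per host: {host: {stage: [timestamps]}}. Hosts with no hits are omitted."""
    findings = {}
    for e in parse_events(text):
        for stage in classify(e):
            host = e.get("Computer", "?")
            findings.setdefault(host, defaultdict(list))[stage].append(e.get("t"))
    return findings


def flagged_hosts(findings, min_stages=3):
    """One hit (a new account, one odd service) is noise; several distinct
    stages on the same host is the chain. Returns hostnames sorted."""
    return sorted(h for h, stages in findings.items() if len(stages) >= min_stages)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for host in flagged_hosts(found):
        print(host, "->", ", ".join(sorted(found[host])))
```

Threshold and rules are deliberately simple: on real telemetry the account, service and process events also need to be correlated within a time window and enriched with the parent process, and the EDR-blinding step itself will only show up as missing telemetry or as a driver load, which this log-based hunt cannot see.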

While technical details about the encryption scheme and ransom demands remain undisclosed, security teams can use the indicators of compromise (IOCs) published by the researchers to detect and block attacks early, ideally at the account-manipulation or service-installation stage, before the EDR is blinded. The emergence of Crypto24 underscores the need for organizations to harden their defenses against ransomware that specifically targets the security tooling itself.

(Source: Bleeping Computer)


The Wiz