Crypto24 Ransomware Targets Major Organizations Using Tailored EDR Evasion Techniques
The Crypto24 ransomware group has been employing custom utilities to evade security solutions on compromised networks, exfiltrate data, and encrypt files. The group’s earliest activity was noted on BleepingComputer forums in September 2024, although it did not achieve significant notoriety. Trend Micro researchers monitoring Crypto24’s operations reported that the hackers targeted several large organisations across the United States, Europe, and Asia, with a focus on high-value sectors such as finance, manufacturing, entertainment, and technology. The security researchers indicated that Crypto24 appears to possess a high level of expertise, suggesting it may have been formed by former core members of now-defunct ransomware operations.
After gaining initial access, Crypto24 hackers activate default administrative accounts on Windows systems within enterprise environments or create new local user accounts to maintain stealthy, persistent access. Following a reconnaissance phase that utilises a custom batch file and commands to enumerate accounts, profile system hardware, and assess disk layout, the attackers establish malicious Windows services and scheduled tasks for persistence. The first service, WinMainSvc, functions as a keylogger, while the second, MSRuntime, serves as a ransomware loader. Crypto24 operators employ a custom variant of the open-source tool RealBlindingEDR, which targets security agents from various vendors by disabling their kernel drivers. This tool extracts the company name from the driver’s metadata, compares it to a hardcoded list, and disables kernel-level hooks to evade detection.
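A defender-side hunt for the persistence indicators named above (the built-in Administrator being re-enabled, new local accounts, and the WinMainSvc / MSRuntime services being installed), added here as an example and not part of the Trend Micro report; the service names come from the report, while the event records and account names are constructed for this illustration.

```python
"""Hunt Windows event records for the Crypto24 persistence tradecraft above:
enabling a built-in admin account (Security 4722), creating local accounts
(Security 4720) and installing the named services (System 7045).
Field names follow the Windows event schema; the records are constructed."""
import re

# Service names taken from the report; everything else here is constructed.
SUSPICIOUS_SERVICES = {"WinMainSvc", "MSRuntime"}

# Constructed sample records, in the shape of dicts exported from the event log.
SAMPLE_EVENTS = [
    {"Id": 4722, "TargetSid": "S-1-5-21-111-222-333-500",
     "TargetUserName": "Administrator", "SubjectUserName": "svc_backup"},
    {"Id": 4720, "TargetSid": "S-1-5-21-111-222-333-1105",
     "TargetUserName": "support1", "SubjectUserName": "Administrator"},
    {"Id": 7045, "ServiceName": "WinMainSvc",
     "ImagePath": r"C:\ProgramData\WinMainSvc.exe"},
    {"Id": 7045, "ServiceName": "Print Spooler Helper",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"Id": 4722, "TargetSid": "S-1-5-21-111-222-333-1012",
     "TargetUserName": "jdoe", "SubjectUserName": "helpdesk"},
]


def is_builtin_admin(sid: str) -> bool:
    """RID 500 is the built-in Administrator even if the account was renamed."""
    return re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-500", sid) is not None


def hunt(events):
    """Return (rule, detail) findings for records matching the tradecraft."""
    findings = []
    for ev in events:
        eid = ev.get("Id")
        if eid == 4722 and is_builtin_admin(ev.get("TargetSid", "")):
            findings.append(("builtin-admin-enabled",
                             f"{ev['TargetUserName']} enabled by {ev['SubjectUserName']}"))
        elif eid == 4720:
            findings.append(("local-account-created",
                             f"{ev['TargetUserName']} created by {ev['SubjectUserName']}"))
        elif eid == 7045 and ev.get("ServiceName") in SUSPICIOUS_SERVICES:
            findings.append(("known-crypto24-service",
                             f"{ev['ServiceName']} -> {ev['ImagePath']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The 4720 rule is deliberately broad (every local account creation) because the report describes new accounts with no fixed name; tune it against your own provisioning baseline before alerting on it.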
Categories: Ransomware Operations, Cybersecurity Evasion Techniques, Targeted Industries
Tags: Crypto24, Ransomware, Exfiltration, Encryption, Persistence, Keylogger, RealBlindingEDR, Security Solutions, High-Value Targets, Lateral Movement