Ransomware Threat Actors Combining Legitimate Software with Custom Malware to Bypass Detection
The sophisticated tactics employed by the Crypto24 ransomware group pose a growing threat. This emerging operation has shown a notable evolution in its attack methodology, integrating legitimate administrative tools with custom-developed malware to carry out precise attacks against high-value targets. Crypto24 has compromised organisations across Asia, Europe, and the United States, focusing in particular on Financial Services, Manufacturing, Entertainment, and Technology. Unlike traditional ransomware campaigns that rely primarily on encryption, Crypto24 operators show considerable operational maturity, deliberately timing their attacks during off-peak hours to reduce the chance of detection while maximising impact. Their toolset includes legitimate software such as PsExec for lateral movement, AnyDesk for persistent remote access, and keyloggers for credential harvesting, with Google Drive used for stealthy data exfiltration. The group’s technical expertise is further highlighted by its deployment of a customised version of RealBlindingEDR, an open-source tool designed to disable security solutions, which Trend Micro analysts identified as particularly dangerous because of its ability to neutralise modern defensive mechanisms.
What distinguishes Crypto24 from other ransomware operations is its methodical approach to understanding enterprise security stacks. The group has systematically studied defensive architectures and developed purpose-built tools to exploit the weaknesses it identifies, marking a dangerous shift from opportunistic attacks to targeted, intelligence-driven operations. This degree of patience and strategic planning is uncommon in commodity ransomware.

The most concerning aspect of Crypto24’s methodology is its use of legitimate Windows utilities to achieve malicious objectives while remaining stealthy. The operators use gpscript.exe, a legitimate Group Policy utility, to remotely execute security-software uninstallers from network shares, removing endpoint protection before the lateral-movement phase. Their persistence mechanisms reflect a sound understanding of Windows: using standard net.exe commands, they create multiple administrative accounts with generic names so that the accounts are overlooked during routine security audits. Their reconnaissance is equally thorough, using batch files such as 1.bat to gather comprehensive system information through Windows Management Instrumentation Command-line (WMIC).
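As an added defender-side example (not code from the original article or from Trend Micro’s research), the following Python flags process-creation events that match the behaviours described above: net.exe creating an account and adding it to Administrators, a child of gpscript.exe launched from a UNC share, and WMIC reconnaissance spawned from a batch file, each enriched with an off-hours flag. The event records are constructed, Sysmon-style samples; the host names, paths, account name, uninstaller name and the 22:00-06:00 off-hours window are assumptions.

```python
import re
from datetime import datetime

# Constructed Sysmon-style process-creation records (EventID 1 fields); hosts,
# paths and the uninstaller name are invented for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-03-02T02:14:07Z", "host": "WS-17", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net user backupsvc Passw0rd! /add", "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-03-02T02:14:09Z", "host": "WS-17", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net localgroup administrators backupsvc /add", "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-03-02T02:20:31Z", "host": "WS-17", "image": r"\\fileshare\tools\uninstall_edr.exe",
     "cmdline": r"\\fileshare\tools\uninstall_edr.exe /silent", "parent_image": r"C:\Windows\System32\gpscript.exe"},
    {"ts": "2024-03-02T02:25:40Z", "host": "WS-17", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic computersystem get domain,name,username", "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r"cmd.exe /c C:\Users\Public\1.bat"},
    # Benign daytime drive mapping from Explorer: must not fire any rule.
    {"ts": "2024-03-02T14:05:12Z", "host": "WS-03", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use Z: \\fileshare\public", "parent_image": r"C:\Windows\explorer.exe"},
]

def _is_net(e):
    return e["image"].lower().endswith(("\\net.exe", "\\net1.exe"))

def _off_hours(ts):
    # Crypto24 operators favour off-peak hours; 22:00-06:00 UTC is an assumed window.
    hour = datetime.fromisoformat(ts.replace("Z", "+00:00")).hour
    return hour >= 22 or hour < 6

RULES = [
    ("local_account_created", lambda e: _is_net(e)
     and re.search(r"\buser\b.*\s/add\b", e["cmdline"], re.I) is not None),
    ("admin_group_modified", lambda e: _is_net(e)
     and re.search(r"\blocalgroup\s+administrators\b.*\s/add\b", e["cmdline"], re.I) is not None),
    # gpscript.exe spawning a binary that lives on a UNC share (remote uninstaller).
    ("gpscript_child_from_share", lambda e: e["parent_image"].lower().endswith("\\gpscript.exe")
     and e["image"].startswith("\\\\")),
    # WMIC inventory queries launched by a batch file such as 1.bat.
    ("wmic_recon_from_batch", lambda e: e["image"].lower().endswith("\\wmic.exe")
     and e.get("parent_cmdline", "").lower().endswith(".bat")
     and re.search(r"\b(computersystem|os|useraccount|process|product|qfe)\s+get\b", e["cmdline"], re.I) is not None),
]

def detect(events):
    # One hit per (event, rule) match; correlate hits per host in a SIEM to raise severity.
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append({"rule": name, "host": e["host"], "ts": e["ts"],
                             "off_hours": _off_hours(e["ts"]), "cmdline": e["cmdline"]})
    return hits
```

Several rules firing on one host inside the off-hours window within minutes is the pattern worth alerting on; any single rule alone will also match routine administration.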