TrendMicro

Crypto24 Ransomware Group Blends Legitimate Tools with Custom Malware for Stealth Attacks

Crypto24 has been targeting high-profile entities within large corporations and enterprise-level organizations. The scale and sophistication of recent attacks indicate a deliberate focus on organizations possessing substantial operational and financial assets. The group has focused its efforts on organizations in Asia, Europe, and the USA, and its targets include companies in the financial services, manufacturing, entertainment, and technology sectors.

A threat actor using a customized anti-EDR tool such as RealBlindingEDR—potentially exploiting new or unknown vulnerable drivers—could target several endpoints; however, the success of such an attack would depend on the strength and completeness of the security controls implemented on each endpoint.

While behavioral solutions and pattern detections may effectively block the attack, endpoints with weaker security configurations or disabled protections could remain susceptible. In such cases, an attacker could gain access and perform actions such as uninstalling security solutions via administrative scripts and remote desktop with elevated privileges.

Enabling agent self-protection on Windows prevents local users from tampering with or removing Trend’s agent. Furthermore, activating Trend’s Self-Protection feature ensures that local users cannot tamper with or uninstall any Trend products, preserving endpoint integrity and safeguarding critical security controls.

The Crypto24 ransomware campaign highlights the escalating operational sophistication and adaptability of modern threat actors. By leveraging a strategic combination of legitimate IT tools—including PsExec, AnyDesk, and Group Policy utilities—alongside Living Off the Land Binaries (LOLBins), custom malware, and advanced evasion techniques, the operators successfully gain initial access, execute lateral movement, and establish persistent footholds within targeted environments.

Our analysis reveals that Crypto24’s operators are fully capable of identifying and targeting security-specific controls, including EDR solutions, and employing purpose-built tools to bypass defenses. The attackers demonstrate a clear understanding of enterprise defense stacks and an ability to circumvent them.

Crypto24 serves as a warning that modern ransomware groups are highly adaptive, blending in with normal IT operations while deploying attacks. As threat actors continue to study and maneuver around existing defenses, it is important for defenders to remain agile and continually evaluate, update, and reinforce their cybersecurity posture.

Rapid incident response remains a critical part of an organization’s security posture. When threat actors are able to maintain a presence within a network over an extended period, they can map the environment, compile custom ransomware binaries, and conduct extensive data exfiltration before executing a final attack. Proactive detection, timely investigation, and swift remediation are essential to disrupting such activities and minimizing potential impact.

Building on the guidance outlined in the Enabling Agent Self-Protection section, the following recommendations can further help organizations strengthen their defenses against advanced, multi-layered attacks such as those employed by Crypto24.

  • Regularly audit and limit the creation and use of privileged accounts; disable unused default administrative accounts.
  • Limit RDP and remote tool usage (e.g., PsExec, AnyDesk) to authorized systems; enable MFA and routinely review firewall configurations.
  • Detect and investigate unusual uses of built-in Windows utilities and third-party remote access tools for signs of lateral movement.
  • Ensure EDR and other security solutions are up-to-date and continuously monitored for attempted uninstallation or bypass.
  • Regularly inspect scheduled tasks and service creations for unauthorized or suspicious activity.
  • Monitor for unauthorized changes to key system files and unusual outbound traffic, such as data exfiltration to cloud storage.
  • Keep regular, offline backups and routinely verify that restoration processes function as intended.
  • Ensure that all systems, especially those with administrative access, have proper security agent coverage and monitoring.
  • Implement a Zero Trust Framework that operates on the principle of “never trust, always verify.”
  • Train users on phishing and credential risks and maintain an effective incident response strategy.
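The recommendations above to inspect scheduled tasks and service creations, and to monitor security agents for attempted uninstallation, can be turned into a routine baseline comparison. The script below is an added example and is not Trend’s code or part of the original post: it compares a known-good inventory of services and scheduled tasks against a current snapshot and flags new, changed or removed entries, entries that run from user-writable locations, and service names associated with the remote tools named in the post (PsExec installs its helper as the PSEXESVC service; AnyDesk registers a service of the same name). Both snapshots are constructed for the example, and the "EndpointAgent" service name is a hypothetical stand-in for whatever security agent an organization runs; in practice the snapshots would be collected with tools such as schtasks and sc query.

```python
import re

# Constructed baseline inventory (service name -> command, task name -> action).
# "EndpointAgent" is a hypothetical placeholder for the organization's security agent.
BASELINE = {
    "services": {
        "Spooler": r"C:\Windows\System32\spoolsv.exe",
        "wuauserv": r"C:\Windows\System32\svchost.exe -k netsvcs",
        "EndpointAgent": r"C:\Program Files\EndpointAgent\agent.exe",
    },
    "tasks": {
        r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"%windir%\system32\defrag.exe -c",
    },
}

# Constructed current snapshot: the security agent service is gone, a PSEXESVC service
# has appeared, and a new task runs a binary out of C:\Users\Public.
CURRENT_SNAPSHOT = {
    "services": {
        "Spooler": r"C:\Windows\System32\spoolsv.exe",
        "wuauserv": r"C:\Windows\System32\svchost.exe -k netsvcs",
        "PSEXESVC": r"C:\Windows\PSEXESVC.exe",
    },
    "tasks": {
        r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"%windir%\system32\defrag.exe -c",
        r"\Updater": r"C:\Users\Public\update.exe",
    },
}

# Locations that ordinary users can write to; services and tasks rarely belong there.
USER_WRITABLE = re.compile(
    r"\\(Temp|tmp|AppData|ProgramData|Users\\Public)\\", re.IGNORECASE
)
# Service names created by the remote tools the post mentions (PsExec and AnyDesk).
REMOTE_TOOL_SERVICES = {"psexesvc", "anydesk"}


def diff_inventory(baseline: dict, current: dict) -> list:
    """Compare two inventories and return a list of findings with the reasons they were flagged."""
    findings = []
    for kind in ("services", "tasks"):
        base = baseline.get(kind, {})
        now = current.get(kind, {})
        for name, command in now.items():
            reasons = []
            if name not in base:
                reasons.append("new")
            elif base[name] != command:
                reasons.append("command changed")
            if USER_WRITABLE.search(command):
                reasons.append("runs from a user-writable location")
            if kind == "services" and name.lower() in REMOTE_TOOL_SERVICES:
                reasons.append("remote execution/remote access tool service")
            if reasons:
                findings.append({"kind": kind, "name": name, "command": command, "reasons": reasons})
        # Anything present in the baseline but missing now: a removed security agent shows up here.
        for name in base:
            if name not in now:
                findings.append({"kind": kind, "name": name, "command": base[name], "reasons": ["removed"]})
    return findings


if __name__ == "__main__":
    for f in diff_inventory(BASELINE, CURRENT_SNAPSHOT):
        print(f"{f['kind']:8} {f['name']:45} {', '.join(f['reasons'])}")
```

Run on a schedule, the interesting output is the delta, not the inventory: a removed agent service, a PSEXESVC service appearing on a host that is not a normal PsExec target, or a task pointing into a public folder each deserve a ticket even when no antivirus alert fired.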

Trend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This holistic approach helps enterprises predict and prevent threats, accelerating proactive security outcomes across their respective digital estate. With Trend Vision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation, especially in the cases of novel ransomware variants as in the one discussed in this blog.

To stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which provides the latest insights from Trend Research on emerging threats and threat actors. 

Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.    

eventSubId: 101 AND parentFilePath: "C:\Windows\System32\svchost.exe" AND parentCmd: /\-k WinMainSvc/ AND objectFilePath: /Windows\\tmp\\.+_\d{4}\.log/
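To see what the hunting query above actually matches, the Python below is an added example (not Trend’s code and not part of the original post) that evaluates the same four AND clauses over a handful of constructed telemetry records using the field names from the query. It assumes eventSubId 101 denotes a file-create event and that paths in the literal parentFilePath clause compare case-insensitively; the record values are constructed, and the two regular expressions are the query’s own with the search language’s backslash escaping carried into Python raw strings.

```python
import re

# The query's four clauses, transcribed field by field.
QUERY_EVENT_SUB_ID = 101  # assumed: file-create telemetry
QUERY_PARENT_PATH = r"C:\Windows\System32\svchost.exe"
QUERY_PARENT_CMD = re.compile(r"-k WinMainSvc")
# /Windows\\tmp\\.+_\d{4}\.log/ : a log under Windows\tmp named <anything>_<4 digits>.log
QUERY_OBJECT_PATH = re.compile(r"Windows\\tmp\\.+_\d{4}\.log", re.IGNORECASE)

# Constructed sample records in the shape of the Search App fields the query uses.
SAMPLE_EVENTS = [
    {   # all four clauses satisfied
        "eventSubId": 101,
        "parentFilePath": r"C:\Windows\System32\svchost.exe",
        "parentCmd": r"C:\Windows\System32\svchost.exe -k WinMainSvc",
        "objectFilePath": r"C:\Windows\tmp\user_0421.log",
    },
    {   # a different svchost service group writes a similar file: parentCmd clause fails
        "eventSubId": 101,
        "parentFilePath": r"C:\Windows\System32\svchost.exe",
        "parentCmd": r"C:\Windows\System32\svchost.exe -k netsvcs",
        "objectFilePath": r"C:\Windows\tmp\user_0421.log",
    },
    {   # right process and file name, but not a file-create event
        "eventSubId": 1,
        "parentFilePath": r"C:\Windows\System32\svchost.exe",
        "parentCmd": r"C:\Windows\System32\svchost.exe -k WinMainSvc",
        "objectFilePath": r"C:\Windows\tmp\user_0421.log",
    },
    {   # file name lacks the _<4 digits>.log suffix: objectFilePath regex fails
        "eventSubId": 101,
        "parentFilePath": r"C:\Windows\System32\svchost.exe",
        "parentCmd": r"C:\Windows\System32\svchost.exe -k WinMainSvc",
        "objectFilePath": r"C:\Windows\tmp\user.log",
    },
]


def matches_query(event: dict) -> bool:
    """Return True only when every AND clause of the hunting query holds for the record."""
    if event.get("eventSubId") != QUERY_EVENT_SUB_ID:
        return False
    # Literal clause: Windows paths are case-insensitive, so fold both sides.
    if (event.get("parentFilePath") or "").lower() != QUERY_PARENT_PATH.lower():
        return False
    # Regex clauses are unanchored searches, as in the query language.
    if not QUERY_PARENT_CMD.search(event.get("parentCmd") or ""):
        return False
    if not QUERY_OBJECT_PATH.search(event.get("objectFilePath") or ""):
        return False
    return True


def hunt(events: list) -> list:
    """Filter a batch of telemetry records down to those the query would return."""
    return [e for e in events if matches_query(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("HIT:", hit["parentCmd"], "->", hit["objectFilePath"])
```

The negative samples are the point: the query is narrow because every clause must hold, so a service group other than WinMainSvc, a non-create event, or a log file without the four-digit suffix all drop out. When adapting the query to another platform, keep that conjunction rather than searching on the file path alone.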

More hunting queries are available for Trend Vision One customers with Threat Insights entitlement enabled. 

Indicators of Compromise

The indicators of compromise for this entry can be found here.
