The ransomware group known as Crypto24 has been gaining ground with a rather alarming strategy: the use of custom tools to evade security solutions, steal sensitive information, and encrypt files on compromised networks.
Although their activity began to surface in online communities in September 2024, Crypto24 remained under the radar for quite some time. However, that has recently changed, as several cybersecurity experts have identified a clear escalation in their operations.
Researchers at Trend Micro, who have been closely tracking the group’s behavior, have confirmed that their targets are far from minor. Crypto24 has aimed at large organizations in the United States, Europe, and Asia, primarily focusing on high-profile companies in sectors such as finance, manufacturing, entertainment, and technology.
What stands out the most is the level of technical sophistication they display. Analysts believe the individuals behind Crypto24 have extensive experience in the cybercrime world—possibly former members of now-defunct ransomware groups.
This would explain their ability to move stealthily within protected networks and apply advanced evasion tactics, especially against Endpoint Detection and Response (EDR) systems.
In short, we are looking at a well-organized threat actor with deep knowledge of enterprise environments and a clear focus on targeting victims capable of paying large ransoms.
What do Crypto24 attackers do after gaining access?
Once Crypto24 hackers manage to gain access to a network, they don’t waste any time. The first thing they do is activate default administrative accounts on Windows systems or, in some cases, create new local accounts. All of this is done quietly, with the goal of maintaining persistent access without raising suspicion.
Next comes a meticulous reconnaissance stage. They use a custom batch script along with specific commands to collect system information, such as existing accounts, installed hardware, and disk structure. This step gives them a clear picture of the environment they are about to compromise.
With that information in hand, they move on to establish a more permanent presence. To do so, they create malicious Windows services and schedule automated tasks that allow them to run their tools without manual intervention.
Among the services they deploy, two stand out:
- WinMainSvc, which functions as a keylogger to capture everything typed on the system.
- MSRuntime, which acts as the ransomware loader, setting the stage for the final encryption.
All of this happens without alerting users—and often without being detected by traditional security solutions. It’s a quiet yet highly effective approach that reveals the level of planning behind Crypto24.
Commands and Processes Used to Escalate Privileges (Source: Trend Micro)
How Do They Evade Security Systems? Crypto24’s Secret Weapon
After gaining access to a corporate network, the attackers behind Crypto24 don’t just move silently—they also make sure to eliminate any obstacles that could detect their activity.
To do this, they use a modified version of RealBlindingEDR, an open-source tool originally designed for security testing purposes, but in this case, adapted with clearly malicious intent.
This customized variant is programmed to directly target security solutions from multiple vendors. It does so by disabling kernel-level drivers, which are core components of the most advanced detection systems.
Among the products it can disable are:
- Trend Micro
- Kaspersky
- Sophos
- SentinelOne
- Malwarebytes
- Cynet
- McAfee
- Bitdefender
- Broadcom (Symantec)
- Cisco
- Fortinet
- Acronis
What this tool does is quite clever: it extracts the vendor’s name from the metadata of the installed driver and compares it against a built-in list. If it finds a match, it simply disables the monitoring mechanisms those solutions rely on to detect suspicious activity.
Targeted Attacks on Trend Micro
In the specific case of Trend Micro, the attack goes a step further. If the hackers gain administrator-level access (which is common in the later stages of the attack), they execute a batch script that uninstalls the Trend Vision One security solution using a legitimate tool: XBCUninstaller.exe.
According to researchers, this action was carried out via gpscript.exe, leveraging an official tool originally designed to resolve issues within the Trend Vision One ecosystem, such as agent desynchronization.
In other words, they use the company’s own tools against it—a tactic that is becoming increasingly common in advanced cyberattacks. This not only removes protection but also does so without immediately raising suspicion.
How They Ensure They Stay Undetected
With security systems out of the way, Crypto24 deploys its custom payloads without restrictions.
- WinMainSvc.dll: A keylogger disguised as “Microsoft Help Manager.” This malware records everything the user types, including keystrokes, active window names, and modifier keys like Ctrl, Alt, or Shift.
- MSRuntime.dll: This is the ransomware payload itself, designed to encrypt files on the network once everything is in place.
Before encrypting the files, they delete Windows volume shadow copies, preventing easy restoration of the system to a previous state. This forces victims to consider paying the ransom if they lack external or offline backups.
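Each of the steps described above leaves a trace in the Windows event logs: enabling or creating an account, installing the WinMainSvc and MSRuntime services, scheduling a task that runs one of the two DLLs, launching the Trend Micro uninstaller from gpscript.exe, and deleting volume shadow copies. The following Python is an added example written for this article, not code from Trend Micro or from the page; it runs a small set of hunting rules over constructed event records and groups the hits per host so the whole chain on one machine becomes visible. The record field names (host, event_id, target_user, service_name, task_action, image, parent_image, command_line) are an assumed, simplified SIEM export schema, and the event IDs are the standard Windows Security and System log IDs for those actions.

```python
"""Hunting rules for the Crypto24 tradecraft described on this page,
run over constructed Windows event records (not a real log schema)."""
import re

# Names taken from the article: the two malicious services/DLLs, the
# Trend Micro uninstaller and the launcher it was reportedly run from.
SUSPICIOUS_SERVICES = {"winmainsvc", "msruntime"}
SUSPICIOUS_DLLS = {"winmainsvc.dll", "msruntime.dll"}
EDR_UNINSTALLERS = {"xbcuninstaller.exe"}
UNINSTALL_LAUNCHERS = {"gpscript.exe"}
# Shadow copy deletion via the built-in Windows tools
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)


def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return (path or "").lower().replace("/", "\\").rsplit("\\", 1)[-1]


def check_event(ev):
    """Return finding strings for one event; an empty list means no match."""
    findings = []
    eid = ev.get("event_id")
    if eid == 4722:            # Security: user account enabled
        findings.append(f"account enabled: {ev.get('target_user')}")
    elif eid == 4720:          # Security: new user account created
        findings.append(f"local account created: {ev.get('target_user')}")
    elif eid == 7045:          # System: new service installed
        if ev.get("service_name", "").lower() in SUSPICIOUS_SERVICES:
            findings.append(f"known Crypto24 service installed: {ev['service_name']}")
    elif eid == 4698:          # Security: scheduled task created
        action = (ev.get("task_action") or "").lower()
        if any(dll in action for dll in SUSPICIOUS_DLLS):
            findings.append(f"scheduled task runs known payload: {ev.get('task_name')}")
    elif eid == 4688:          # Security: process creation (command-line auditing on)
        image, parent = basename(ev.get("image")), basename(ev.get("parent_image"))
        cmd = ev.get("command_line", "")
        if image in EDR_UNINSTALLERS and parent in UNINSTALL_LAUNCHERS:
            findings.append(f"security agent uninstaller {image} launched via {parent}")
        if SHADOW_DELETE.search(cmd):
            findings.append(f"shadow copy deletion: {cmd}")
    return findings


def hunt(events):
    """Group findings by host so the full chain on one machine is visible."""
    by_host = {}
    for ev in events:
        for finding in check_event(ev):
            by_host.setdefault(ev.get("host", "unknown"), []).append(finding)
    return by_host


# Constructed sample events (host names, paths and values invented for this example).
SAMPLE_EVENTS = [
    {"host": "ws-17", "event_id": 4722, "target_user": "Administrator"},
    {"host": "ws-17", "event_id": 7045, "service_name": "WinMainSvc"},
    {"host": "ws-17", "event_id": 7045, "service_name": "Spooler"},
    {"host": "ws-17", "event_id": 4698, "task_name": "RuntimeUpdate",
     "task_action": r"C:\Temp\MSRuntime.dll"},
    {"host": "ws-17", "event_id": 4688, "image": r"C:\Temp\XBCUninstaller.exe",
     "parent_image": r"C:\Windows\System32\gpscript.exe",
     "command_line": "XBCUninstaller.exe"},
    {"host": "ws-17", "event_id": 4688, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv-02", "event_id": 4688, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for host, findings in hunt(SAMPLE_EVENTS).items():
        print(host)
        for f in findings:
            print("  -", f)
```

On its own, an enabled built-in Administrator or a new service is a weak signal; the value of grouping per host is that several of these stages on the same machine within a short window is exactly the sequence the article describes, and that is what should page an analyst.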
Lateral Movement and Data Exfiltration
Crypto24 also showcases its sophistication in how it moves within compromised networks and extracts data without detection.
To move between machines on the same network, the attackers leverage SMB shared resources—a classic but still highly effective technique for lateral movement.
They also use temporary files and staging areas to store stolen data before exfiltrating it. But here's the twist: they don’t rely on dark web services or complex encrypted channels. Instead, they upload the data to Google Drive using a custom-built tool that leverages the WinINET API to communicate with Google’s cloud as if it were a legitimate user.
This makes the outbound traffic appear “normal” to many monitoring systems, allowing the data theft to go unnoticed—often until it’s far too late.
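Because the exfiltration channel is a service many employees legitimately use, the useful signal is not the destination itself but the volume of uploads per host and the client producing them. The following Python is an added example, not part of the original article or of Trend Micro's research; it parses constructed proxy log lines, sums upload bytes to Google Drive endpoints per source address, and flags hosts that exceed a threshold or use a client that is not on an allowlist of sanctioned browsers. The log format, the 100 MiB threshold and the user-agent allowlist are assumptions to adapt to your own proxy.

```python
"""Spot bulk uploads to Google Drive from hosts that should not be doing them.
Parses constructed proxy log lines; format, threshold and the sanctioned
client allowlist are assumptions to adapt to your own proxy."""
import re
from collections import defaultdict

# Assumed line format: <timestamp> <client ip> <method> <url> <bytes sent> "<user agent>"
LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes_out>\d+) "(?P<ua>[^"]*)"$')
# Drive web UI and the Drive API upload endpoints
DRIVE_URL = re.compile(r"^https?://(drive\.google\.com/|www\.googleapis\.com/(upload/)?drive/)", re.I)
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}
UPLOAD_THRESHOLD = 100 * 1024 * 1024          # 100 MiB per host per log window (assumption)
SANCTIONED_UA = re.compile(r"Chrome/|Firefox/|Edg/|Google Drive", re.I)  # assumption


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def analyse(lines):
    """Return [(src_ip, [reasons])] for hosts whose Drive uploads look abnormal."""
    uploaded = defaultdict(int)
    odd_agents = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None or not DRIVE_URL.match(rec["url"]) or rec["method"] not in UPLOAD_METHODS:
            continue
        uploaded[rec["src"]] += rec["bytes_out"]
        if not SANCTIONED_UA.search(rec["ua"]):
            odd_agents[rec["src"]].add(rec["ua"])
    alerts = []
    for src, total in sorted(uploaded.items()):
        reasons = []
        if total > UPLOAD_THRESHOLD:
            reasons.append(f"{total / 2**20:.0f} MiB uploaded to Google Drive")
        if odd_agents[src]:
            reasons.append("non-browser client: " + "; ".join(sorted(odd_agents[src])))
        if reasons:
            alerts.append((src, reasons))
    return alerts


# Constructed sample log (addresses, sizes and user agents invented for this example).
BULK = 60 * 1024 * 1024
ODD_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0)"
SAMPLE_LOG = [
    f'2025-05-02T10:14:03Z 10.0.4.17 PUT https://www.googleapis.com/upload/drive/v3/files?uploadType=media {BULK} "{ODD_UA}"',
    f'2025-05-02T10:16:41Z 10.0.4.17 PUT https://www.googleapis.com/upload/drive/v3/files?uploadType=media {BULK} "{ODD_UA}"',
    f'2025-05-02T10:19:07Z 10.0.4.17 PUT https://www.googleapis.com/upload/drive/v3/files?uploadType=media {BULK} "{ODD_UA}"',
    f'2025-05-02T11:02:10Z 10.0.4.22 POST https://www.googleapis.com/upload/drive/v3/files {5 * 1024 * 1024} "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0 Safari/537.36"',
    '2025-05-02T11:05:44Z 10.0.4.30 GET https://drive.google.com/drive/my-drive 812 "Mozilla/5.0 (Windows NT 10.0) Firefox/126.0"',
    '2025-05-02T11:06:01Z 10.0.4.30 GET https://example.com/ 512 "curl/8.0"',
]

if __name__ == "__main__":
    for src, reasons in analyse(SAMPLE_LOG):
        print(src, "->", "; ".join(reasons))
```

The user-agent check is a heuristic and easy to defeat, so the byte-count baseline is the rule to rely on; in practice the threshold should be learned per host or per department rather than fixed, and TLS inspection or a CASB is needed to see the URL path at all.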
Overview of a Crypto24 Attack (Source: Trend Micro)
Trend Micro Remains Silent on Ransomware Details
While Trend Micro has shared key information about the technical operation of the attack, it has not disclosed specific details about the ransomware itself. Currently, there is no public information about the encryption algorithm used by Crypto24, the contents of the ransom notes, communication channels with victims, file paths, language used, or any distinctive “marks” that might link the attack to a known group.
However, the good news is that at the end of their analysis, Trend Micro included a list of Indicators of Compromise (IoCs), which can be extremely useful for other security teams to detect and block Crypto24 attacks before it's too late.
These indicators help identify early signs of malicious activity within a network, giving defenders a critical opportunity to act before the ransomware causes significant damage.
In Summary: A Surgical, Customized, and Very Hard-to-Stop Attack
Crypto24 is far from just another generic ransomware threat. This group demonstrates meticulous planning at every stage:
- They disable security systems without triggering alerts.
- They use legitimate tools to cover their tracks.
- They install custom malware that is hard to detect.
- They move swiftly within compromised networks.
- They extract sensitive data and exfiltrate it covertly using public services.
- And finally, they encrypt files, leaving no easy recovery options.
All signs point to a highly organized operation, likely carried out by actors with prior experience in other ransomware campaigns. One thing is clear: traditional defense is no longer enough.
What Can Your Company Do?
Against such advanced threats, it’s critical to adopt a proactive, multilayered security approach. Some key recommendations:
- Ensure you have updated, offline backups.
- Implement a threat detection system that monitors behavior—not just known signatures.
- Limit admin privileges and segment your network to reduce lateral movement.
- Monitor outbound traffic to cloud services, even legitimate ones like Google Drive.
- And most importantly, keep your IT team trained and up-to-date on the latest attack techniques.
Additionally, having a Security Operations Center (SOC) like the one at TecnetOne can make all the difference. Our SOC integrates cutting-edge technologies such as:
- XDR (Extended Detection and Response) for unified visibility across endpoints, networks, and systems.
- SIEM (Security Information and Event Management) to centralize and correlate security events in real time.
- XTI (Extended Threat Intelligence) to proactively anticipate attacks with contextualized, actionable intelligence.
With these capabilities, TecnetOne’s SOC not only detects threats faster but also responds effectively—before they escalate into critical incidents. It's an essential layer of protection for any organization that wants to stay one step ahead of attacks like those from Crypto24.