Overview
Crypto24 is an emerging ransomware group first observed in early 2024, known for combining data theft with encryption-based extortion. With a low-profile and precise approach, Crypto24 targets small to mid-sized enterprises across retail, logistics, legal, and financial sectors—especially in Europe and the UK. Its operations involve customized ransomware, TOR-based negotiation portals, and strong anti-forensic routines.
Known Aliases
Crypto24 (no alternate names or affiliate branding reported)
Country of Origin
Unattributed; however, multilingual infrastructure suggests possible Eastern European affiliations.
Notable Attacks / Victims of Crypto24 Ransomware
- Tan Chong Motor Holdings (Malaysia) – Automotive conglomerate targeted, resulting in ~300 GB of customer, legal, HR, financial, and partner data exfiltration and public leak.
- TransCore ITS, LLC (USA/UAE) – Transportation tech provider breached with over 200 GB of source code, financial records, and customer data leaked from its UAE operations.
- N8XT PTE. Ltd. (Singapore) – Business development firm suffered a three-terabyte data exfiltration and likely encryption; announced via TOR-hosted leak site.
- Elite Advanced Laser Corporation (Elaser, May 2025) – Laser tech firm attacked, with critical systems encrypted and proprietary data compromised.
- “Sou” Organization (July 17, 2025) – Organization threatened with data leak unless negotiations commenced.
MITRE ATT&CK Tactics & Techniques Used by Crypto24 Ransomware
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Phishing with Office macros or PDFs, remote portal abuse | T1566.001, T1133 |
| Execution | Custom batch services (WinMainSvc, MSRuntime), scheduled tasks | — |
| Persistence | Account creation, Windows services | — |
| Defense Evasion | Custom EDR evasion tool (RealBlindingEDR), uninstaller use | — |
| Credential Access | Keylogging via WinMainSvc.dll | — |
| Discovery & Exfiltration | Custom reconnaissance utilities, exfiltration via Google Drive | T1041 |
| Impact | Encryption with the .crypto24 extension, Shadow Copy deletion | T1486 |
Malware Strains & Tools Used by Crypto24 Ransomware
- Ransomware payload that appends the .crypto24 extension and drops ransom notes such as readme.txt or Decryption.txt. (See: Cyclonis)
- Utilizes a custom EDR disabling tool (RealBlindingEDR variant) and uninstalls Trend Vision One via XBCUninstaller.exe.
- Deploys a keylogger (WinMainSvc.dll) and a loader (MSRuntime), and exfiltrates data to Google Drive via the WinINet API.
- Uses administrative tools and services (PsExec, AnyDesk, scheduled tasks) to maintain persistence and lateral movement.
(Source: Trend Micro)
Crypto24 Ransomware’s Common Infiltration Methods
- Phishing-laced attachments or PDFs delivered via email.
- Compromised remote access services lacking strong MFA.
- Deployment of custom persistence mechanisms including services and scheduled tasks.
- Blending living-off-the-land tools with proprietary malware for stealth.
- Targeted exfiltration strategies using legitimate API connections to cloud services.
- Aggressive encryption and backup disruption strategies post-access.
Business Model & Infrastructure of Crypto24 Ransomware
- Operates as a Ransomware as a Service (RaaS), onboarding affiliates for execution in return for a profit share. (Source: Cyfirma Weekly Report, July 2025)
- Maintains TOR-based negotiation portals and leaks victim data after short extortion deadlines.
- Demonstrates speed and precision, often completing data exfiltration and encryption within hours.
Summary & Recommendations
Crypto24 represents a rising ransomware threat adept at swift double-extortion campaigns, especially against mid-size firms in Asia, Europe, and the U.S. Its use of stealth tools, a custom ransomware binary, and cloud-based exfiltration platforms underscores the importance of:
- Segmented networks and strict remote access controls (with MFA and logging).
- Behavioral detection rules for unusual service creation, scheduled tasks, or Google Drive exfiltration.
- Immutable offline backups and rapid incident response protocols.
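A detection sketch for the behavioral signals listed above (service installs, scheduled tasks, account creation, bulk Google Drive uploads), added here as an example and not part of the original profile. The event field names, rule names and 100 MB upload threshold are assumptions, and the sample events are constructed, not real telemetry.

```python
# Constructed sample events modelled on the Crypto24 TTPs in this profile
# (Windows System/Security events plus one proxy log record). Not real data.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "ws01", "service_name": "WinMainSvc",
     "image_path": "C:\\ProgramData\\WinMainSvc.dll"},
    {"event_id": 7045, "host": "ws01", "service_name": "Spooler",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"event_id": 4698, "host": "srv02", "task_name": "\\MSRuntime",
     "command": "C:\\Users\\Public\\MSRuntime.exe"},
    {"event_id": 4720, "host": "srv02", "target_user": "svc_backup2"},
    {"event_id": "proxy", "host": "srv02", "method": "POST",
     "url": "https://www.googleapis.com/upload/drive/v3/files",
     "bytes_out": 3_500_000_000},
    {"event_id": "proxy", "host": "ws01", "method": "GET",
     "url": "https://www.google.com/", "bytes_out": 512},
]

# Service/task/tool names taken from this profile (hypothetical watch list).
SUSPECT_NAMES = {"winmainsvc", "msruntime", "xbcuninstaller", "realblindingedr"}
# Assumed threshold: a single POST of 100 MB+ to the Drive upload endpoint.
DRIVE_UPLOAD_THRESHOLD = 100 * 1024 * 1024

def detect(events):
    """Return (host, rule_name, detail) alerts for the given events."""
    alerts = []
    for ev in events:
        host = ev["host"]
        if ev["event_id"] == 7045:  # service installed
            name, path = ev["service_name"].lower(), ev["image_path"].lower()
            if name in SUSPECT_NAMES or "\\programdata\\" in path or "\\users\\public\\" in path:
                alerts.append((host, "suspicious_service_install", ev["service_name"]))
        elif ev["event_id"] == 4698:  # scheduled task created
            cmd = ev["command"].lower()
            if any(n in cmd for n in SUSPECT_NAMES) or "\\users\\public\\" in cmd:
                alerts.append((host, "suspicious_scheduled_task", ev["task_name"]))
        elif ev["event_id"] == 4720:  # local account created (weak signal alone)
            alerts.append((host, "local_account_created", ev["target_user"]))
        elif ev["event_id"] == "proxy":
            if (ev["method"] == "POST" and "googleapis.com/upload/drive" in ev["url"]
                    and ev["bytes_out"] >= DRIVE_UPLOAD_THRESHOLD):
                alerts.append((host, "bulk_drive_upload", ev["bytes_out"]))
    return alerts

def correlate(alerts, min_rules=2):
    """Hosts where at least min_rules distinct rules fired: escalate as a possible intrusion."""
    by_host = {}
    for host, rule, _ in alerts:
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)
```

Account creation on its own is noisy, so it only contributes through correlation; tune the watch list and threshold to your own baseline.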