Crypto24 ransomware is back in the headlines for all the technical reasons defenders dread. Researchers say the Crypto24 ransomware group is striking large enterprises across the United States, Europe, and Asia. The operations focus on finance, manufacturing, entertainment, and technology. Early sightings date to September 2024, and while the brand stayed low-key, its tradecraft did not. The team looks seasoned, with tooling and workflows that suggest former members of shuttered ransomware crews.
How Crypto24 Ransomware Gains And Maintains Access
Intrusions begin with access to Windows enterprise environments. Once inside, operators activate default administrative accounts or create fresh local users. That gives them persistence that blends into normal admin activity.
They then run reconnaissance. A custom batch file and living-off-the-land commands enumerate domain accounts, system hardware, and disk layouts. Persistence is reinforced via two Windows services and scheduled tasks:
- WinMainSvc — a keylogger service
- MSRuntime — a ransomware loader
The keylogger pretends to be “Microsoft Help Manager.” It records active window titles, keystrokes, and control keys. The goal is simple: harvest credentials and watch what staff do in real time.
Custom EDR Blinding And Uninstaller Abuse
The standout feature is EDR evasion. Crypto24 deploys a customized version of the open-source RealBlindingEDR tool. It reads driver metadata, compares the vendor string against a hardcoded list, and, on a match, disables kernel-level hooks and callbacks. That “blinds” endpoint agents before the real damage starts.
Vendors targeted by this approach include Trend Micro, Kaspersky, Sophos, SentinelOne, Malwarebytes, Cynet, McAfee, Bitdefender, Broadcom (Symantec), Cisco, Fortinet, and Acronis.
For Trend Micro environments, the operators go a step further. With admin rights, they run a batch script that calls the legitimate XBCUninstaller.exe to remove Trend Vision One, even launching it via gpscript.exe to keep activity low-noise.
“We observed cases where attackers executed the Trend Vision One uninstaller, XBCUninstaller.exe, via gpscript.exe,” researchers note.
“Its intended use is to cleanly uninstall Endpoint BaseCamp when required for maintenance or support.”
With sensors blinded or uninstalled, the follow-on payloads—WinMainSvc.dll and MSRuntime.dll—slip in with far less scrutiny.
Data Theft, Lateral Movement, And File Encryption
Movement across the network leans on SMB shares. Operators stage tools and payloads over SMB and prepare packages for exfiltration. For data theft, Crypto24 ransomware favors a custom utility that uses the WinINet API to push archives to Google Drive. That hides in plain sight behind common corporate traffic patterns.
Before encryption, the malware deletes Windows volume shadow copies to block easy recovery. Trend Micro’s analysis did not include details on the encryption scheme, ransom notes, or communications channel. Branding cues and target file paths were also not disclosed. But the playbook—persistence, EDR blinding, credential capture, lateral movement, exfiltration, then encryption—tracks with modern, data-theft-first ransomware operations.
What Researchers Say About The Group And Scope
Trend Micro links Crypto24 ransomware to multiple successful intrusions at high-value enterprises. The operators look “knowledgeable and well-versed,” with behavior consistent with veterans of prior ransomware brands. The group prefers impact over publicity, and it mixes commodity tools with bespoke components to stay agile.
All told, defenders now have a clearer picture of how Crypto24 ransomware works inside a Windows domain, which tools it turns against enterprise EDR, and how it hides data theft in cloud traffic. Indicators of compromise were shared to help teams hunt for suspicious services, scheduled tasks, driver tampering, unusual uninstall activity, and outbound connections consistent with Google Drive exfiltration.
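As an added example (not code from the Trend Micro report or from the group's tooling), the Python below turns the indicators described in this article into a small hunt over exported Windows event records: the persistence services and keylogger display name, the uninstaller launched from gpscript.exe, shadow-copy deletion, and non-browser uploads to Google Drive. The service names WinMainSvc and MSRuntime, the display name "Microsoft Help Manager", the payload DLLs, XBCUninstaller.exe and gpscript.exe come from the article; the event IDs used to route records (System 7045, Security 4698, Sysmon 1 and 3), the vssadmin/wmic shadow-copy command markers, the Google Drive hostnames and the browser allowlist are assumptions chosen for the heuristics, and the sample events are constructed rather than real telemetry. Driver tampering is not covered because the article names no driver.

```python
"""Hunt for Crypto24-style indicators in exported Windows event records (added example)."""
import ntpath
from dataclasses import dataclass

# Identifiers taken from the article
SUSPECT_SERVICES = {"winmainsvc", "msruntime"}
SUSPECT_DISPLAY_NAMES = {"microsoft help manager"}
PAYLOAD_DLLS = {"winmainsvc.dll", "msruntime.dll"}
EDR_UNINSTALLER = "xbcuninstaller.exe"
GP_SCRIPT_HOST = "gpscript.exe"
# Assumptions (not in the article): command markers for shadow-copy deletion,
# hostnames a Google Drive upload reaches, and processes allowed to talk to them
SHADOW_DELETE_MARKERS = ("delete shadows", "shadowcopy delete")
DRIVE_HOSTS = ("drive.google.com", "googleapis.com")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _base(path):
    """Lower-cased file name of a Windows path (handles None)."""
    return ntpath.basename(path or "").lower()


def check_service_install(ev):
    """System 7045: a new service was installed; match name or display name."""
    name = ev.get("ServiceName", "").lower()
    display = ev.get("DisplayName", "").lower()
    if name in SUSPECT_SERVICES or display in SUSPECT_DISPLAY_NAMES:
        return Finding("suspicious_service", ev["Computer"],
                       f"{ev.get('ServiceName')} / {ev.get('DisplayName')} -> {ev.get('ImagePath')}")
    return None


def check_scheduled_task(ev):
    """Security 4698: scheduled task created; flag tasks that launch the payload DLLs."""
    content = ev.get("TaskContent", "").lower()
    if any(dll in content for dll in PAYLOAD_DLLS):
        return Finding("payload_scheduled_task", ev["Computer"], ev.get("TaskName", "?"))
    return None


def check_process(ev):
    """Sysmon 1: process creation; uninstaller spawned by gpscript.exe, shadow-copy deletion."""
    image, parent = _base(ev.get("Image")), _base(ev.get("ParentImage"))
    cmd = ev.get("CommandLine", "").lower()
    if image == EDR_UNINSTALLER and parent == GP_SCRIPT_HOST:
        return Finding("edr_uninstall_via_gpscript", ev["Computer"], cmd)
    if image in {"vssadmin.exe", "wmic.exe"} and any(m in cmd for m in SHADOW_DELETE_MARKERS):
        return Finding("shadow_copy_deletion", ev["Computer"], cmd)
    return None


def check_network(ev):
    """Sysmon 3: network connection; a non-browser process reaching Google Drive hosts."""
    host = ev.get("DestinationHostname", "").lower()
    image = _base(ev.get("Image"))
    if host.endswith(DRIVE_HOSTS) and image not in BROWSERS:
        return Finding("possible_drive_exfil", ev["Computer"], f"{image} -> {host}")
    return None


# Route each record to a check by (channel, event id)
CHECKS = {
    ("System", 7045): check_service_install,
    ("Security", 4698): check_scheduled_task,
    ("Sysmon", 1): check_process,
    ("Sysmon", 3): check_network,
}


def hunt(events):
    """Run every routed check and collect the findings in input order."""
    findings = []
    for ev in events:
        check = CHECKS.get((ev.get("Channel"), ev.get("EventID")))
        if check:
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    {"Channel": "System", "EventID": 7045, "Computer": "FS01", "ServiceName": "WinMainSvc",
     "DisplayName": "Microsoft Help Manager", "ImagePath": r"C:\ProgramData\WinMainSvc.dll"},
    {"Channel": "System", "EventID": 7045, "Computer": "FS01", "ServiceName": "Spooler",
     "DisplayName": "Print Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"Channel": "Security", "EventID": 4698, "Computer": "FS01", "TaskName": r"\Maintenance\Runtime",
     "TaskContent": r"<Exec><Command>rundll32.exe</Command><Arguments>C:\ProgramData\MSRuntime.dll,Start</Arguments></Exec>"},
    {"Channel": "Sysmon", "EventID": 1, "Computer": "WS07", "Image": r"C:\Temp\XBCUninstaller.exe",
     "ParentImage": r"C:\Windows\System32\gpscript.exe", "CommandLine": "XBCUninstaller.exe"},
    {"Channel": "Sysmon", "EventID": 1, "Computer": "WS07", "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Channel": "Sysmon", "EventID": 3, "Computer": "WS07", "Image": r"C:\ProgramData\upload.exe",
     "DestinationHostname": "www.googleapis.com"},
    {"Channel": "Sysmon", "EventID": 3, "Computer": "WS07",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "DestinationHostname": "drive.google.com"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

On the sample input the hunt reports the keylogger service, the scheduled task that loads MSRuntime.dll, the uninstaller launched from gpscript.exe, the shadow-copy deletion and the upload.exe connection to Google APIs, while the Print Spooler service and the Chrome connection to Drive stay silent. The browser allowlist is deliberately crude; in production the Drive rule would be scoped by process reputation and byte counts rather than image name alone.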