Crypto24 Ransomware Attacks Disable EDR With Custom Tools

The Crypto24 ransomware group runs a highly sophisticated campaign that combines legitimate IT tools with custom malware to infiltrate, persist in and evade detection within large enterprises. Leveraging built-in Windows tools such as net.exe, runas.exe, PsExec, and WMIC, the attackers perform privilege escalation, reconnaissance and persistence activities, while using a modified EDR-disabling tool and Group Policy to remove security protections. To ensure long-term access, they abuse scheduled tasks, custom services, and keyloggers that covertly exfiltrate data via Google Drive. For lateral movement, Crypto24 relies on RDP and network scanning utilities. The group primarily targets organizations in the financial, manufacturing, entertainment and technology sectors across the U.S., Europe and Asia.

Technical Description

The Crypto24 ransomware campaign showcases the rising sophistication of cybercrime, with tactics resembling those of state-backed actors. Unlike typical “smash-and-grab” ransomware groups, Crypto24 executes stealthy, multi-stage attacks that blend into normal operations and often unfold during off-peak hours to evade detection. Their strategy focuses on high-value organizations with significant financial and operational assets. Targeted industries span finance, manufacturing, entertainment and technology across Asia, Europe and the U.S. This calculated approach maximizes disruption and pressure, increasing the likelihood of ransom payments.

The toolkit is sophisticated and versatile, combining legitimate administrative utilities with custom malware to maximize its effectiveness. Tools like PsExec are leveraged for lateral movement, while AnyDesk ensures persistent remote access within compromised networks. Alongside these, the group deploys malicious backdoors, credential-stealing keyloggers and custom scripts designed to exfiltrate data stealthily via cloud services such as Google Drive.

Discovery:

The Crypto24 ransomware group relies on a combination of living-off-the-land techniques and custom malware to gain and maintain control over enterprise systems. They reactivate default administrative accounts, create new generic user profiles and assign them to privileged groups to ensure persistent elevated access. Using built-in Windows tools such as net.exe, runas.exe, PsExec, and WMIC, they perform account creation, privilege escalation and system reconnaissance while blending into normal administrative activity to avoid detection.

Persistence & Privilege Escalation:

To maintain persistence, the attackers deploy scheduled tasks and malicious services disguised as legitimate Windows processes. They create services for a keylogger (WinMainSvc.dll) and the ransomware payload (MSRuntime.dll) while planting batch files in system directories to reload malicious components periodically. Reconnaissance efforts involve gathering system information, mapping user accounts and assessing privilege levels, which enables them to identify high-value targets and plan subsequent movements across the network.

Defense Evasion & Lateral Movement:

Defense evasion plays a critical role in Crypto24’s operations. The group employs a customized version of RealBlindingEDR to disable security protections by removing the kernel callbacks registered by nearly 30 well-known antivirus and EDR vendors. They also leverage administrative privileges to uninstall security agents remotely, ensuring their tools and payloads can operate undetected. With defenses weakened, the attackers expand laterally using Remote Desktop Protocol, patched system libraries, and additional remote administration tools such as TightVNC, reinforcing their control over compromised environments.

Ransomware Deployment & Impact:

Once their foothold is secured, the attackers escalate activity by deploying a keylogger to capture credentials and exfiltrate them stealthily via Google Drive. Finally, they launch the ransomware payload, which encrypts files and drops ransom notes after disabling endpoint protection. Crypto24’s campaigns are carefully staged and executed, targeting large enterprises across financial, manufacturing, entertainment and technology sectors in Asia, Europe and the United States. Their approach reflects a deliberate, sophisticated strategy designed to maximize disruption and increase ransom payment leverage.

Conclusion:

The Crypto24 ransomware group demonstrates a highly sophisticated and methodical approach, blending legitimate tools with custom malware to maintain stealth and persistence. Their operations target high-value enterprises, enabling lateral movement, credential theft and data exfiltration before deploying ransomware. By carefully disabling security defenses and exploiting system privileges, they maximize disruption and ransom potential. This campaign underscores the evolving threat landscape and the importance of vigilance against advanced, persistent attackers.

Impact

The impact of Crypto24 on organizations can be significant, including extensive data theft, financial losses and prolonged operational disruptions from encrypted systems. Their sustained surveillance and data exfiltration heighten the risk of sensitive information exposure, regulatory penalties and reputational damage. Moreover, their ability to bypass advanced security defenses exposes vulnerabilities, leaving enterprises susceptible to repeated or follow-up attacks.

IOC and Context Details

Tactic Name: Impact, Persistence, Lateral Movement, Execution, Defense Evasion, Credential Access, Discovery

Technique Name:
  Impact: Inhibit System Recovery, Data Encrypted for Impact
  Persistence: Scheduled Task/Job, Create or Modify System Process
  Lateral Movement: Lateral Tool Transfer, Remote Services
  Execution: System Services, Windows Management Instrumentation, Command and Scripting Interpreter
  Defense Evasion: Impair Defenses
  Credential Access: Input Capture
  Discovery: File and Directory Discovery, System Information Discovery

Sub-Technique Name:
  Persistence: Scheduled Task/Job – Scheduled Task
  Persistence: Create or Modify System Process – Windows Service
  Lateral Movement: Remote Services – Remote Desktop Protocol, SMB/Windows Admin Shares
  Execution: System Services – Service Execution
  Execution: Command and Scripting Interpreter – PowerShell
  Defense Evasion: Impair Defenses – Disable or Modify Tools
  Credential Access: Input Capture – Keylogging

Attack Type: Ransomware
Targeted Applications: Windows
Region Impacted: Europe, Asia, United States
Industry Impacted: Information Technology, Manufacturing, Entertainment, BFSI

IOCs:
  SHA-256:
    3b0b4a11ad576588bae809ebb546b4d985ef9f37ed335ca5e2ba6b886d997bac
    10c3317566f52eaeb45294a544c8038cf132240a9d12aef95c0658d6a49f4d91
    0e36b1837e5a2cbd14fac2c3b709a5470b7b488bd15898d30840ec60448e83e0
    d2294aa892494220bd08e6cbbd16e3b744d03074a56dd897adc3614111cdc53d
    24f7b66c88ba085d77c5bd386c0a0ac3b78793c0e47819a0576b60a67adc7b73
    4aaf5558277d742b180e3208e4340cc98dd0b94baf5c940c5ef0b0c2d9eea707
    686bb5ee371733ab7908c2f3ea1ee76791080f3a4e61afe8b97c2a57fbc2efac
    47ba2db66791b92e6b5a12f35717bbe6286777794b7964efb6a509e51a4e74f1
    79e349ed7488a90438fd4b72da5cfd8d844509aa48973a9aa1a9852d801dc08b

  SHA-1:
    093902737a7850c6c715c153cd13e34c86d60992
    a60c6a07d3ba6c2d9bf68def208566533398fe8f
    5d1f44a2b992b42253750ecaed908c61014b735a
    71a528241603b93ad7165da3219e934b00043dd6
    8057d42ddb591dbc1a92e4dd23f931ab6892bcac
    eeafb2d4f6ed93ab417f190abdd9d3480e1b7b21
    e573f4c395b55664e5e49f401ce0bbf49ea6a540
    9a9f52554c1a9938725b7dabd0f27002b0f8e874
    3922461290fa663ee2853b2b5855afab0d39d799

  MD5:
    e8b1ea2ee9e7981087e2cdc61d058f94
    0eae3b3db725dbd017852e0d752184f5
    2bd49964bc9e351ce3586af89e429b79
    3945a2f6d61ef44c3f20da5bbb49a7da
    7c5c87616c50cc04dd707ed4b620ba53
    f353a8387e1c1a526f1b02bd3d6558d6
    c7a116e710a63eb0833e66562a30e8a0
    ec5076aa5ac6ba904d33b8979c60dce1
    fb28952b2be5e345a68925b5368b5bb5

CVE: NA
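The file hashes above are only useful if they are actually checked against disk. The following script is an added example (it is not tooling from the advisory or from Trend Micro): it walks a directory, reads each regular file once while computing MD5, SHA-1 and SHA-256 together, and reports any file whose digest matches one of the page's indicator sets, so a hit on any one hash type is enough. The hash values are copied from the IOC table; the sweep root is taken from the command line.

```python
"""Sweep a directory for files matching the Crypto24 hashes on this page.

Added example, not tooling from the advisory. Each regular file under the
given root is read once while MD5, SHA-1 and SHA-256 are computed
together, and all three digests are checked against the page's IOC sets.
"""
import hashlib
import os
import sys

# Indicator sets copied from the IOC table on this page.
CRYPTO24_SHA256 = {
    "3b0b4a11ad576588bae809ebb546b4d985ef9f37ed335ca5e2ba6b886d997bac",
    "10c3317566f52eaeb45294a544c8038cf132240a9d12aef95c0658d6a49f4d91",
    "0e36b1837e5a2cbd14fac2c3b709a5470b7b488bd15898d30840ec60448e83e0",
    "d2294aa892494220bd08e6cbbd16e3b744d03074a56dd897adc3614111cdc53d",
    "24f7b66c88ba085d77c5bd386c0a0ac3b78793c0e47819a0576b60a67adc7b73",
    "4aaf5558277d742b180e3208e4340cc98dd0b94baf5c940c5ef0b0c2d9eea707",
    "686bb5ee371733ab7908c2f3ea1ee76791080f3a4e61afe8b97c2a57fbc2efac",
    "47ba2db66791b92e6b5a12f35717bbe6286777794b7964efb6a509e51a4e74f1",
    "79e349ed7488a90438fd4b72da5cfd8d844509aa48973a9aa1a9852d801dc08b",
}
CRYPTO24_SHA1 = {
    "093902737a7850c6c715c153cd13e34c86d60992",
    "a60c6a07d3ba6c2d9bf68def208566533398fe8f",
    "5d1f44a2b992b42253750ecaed908c61014b735a",
    "71a528241603b93ad7165da3219e934b00043dd6",
    "8057d42ddb591dbc1a92e4dd23f931ab6892bcac",
    "eeafb2d4f6ed93ab417f190abdd9d3480e1b7b21",
    "e573f4c395b55664e5e49f401ce0bbf49ea6a540",
    "9a9f52554c1a9938725b7dabd0f27002b0f8e874",
    "3922461290fa663ee2853b2b5855afab0d39d799",
}
CRYPTO24_MD5 = {
    "e8b1ea2ee9e7981087e2cdc61d058f94",
    "0eae3b3db725dbd017852e0d752184f5",
    "2bd49964bc9e351ce3586af89e429b79",
    "3945a2f6d61ef44c3f20da5bbb49a7da",
    "7c5c87616c50cc04dd707ed4b620ba53",
    "f353a8387e1c1a526f1b02bd3d6558d6",
    "c7a116e710a63eb0833e66562a30e8a0",
    "ec5076aa5ac6ba904d33b8979c60dce1",
    "fb28952b2be5e345a68925b5368b5bb5",
}


def digests(path, chunk_size=1 << 20):
    """Return (md5, sha1, sha256) hex digests of a file, reading it once."""
    hashes = (hashlib.md5(), hashlib.sha1(), hashlib.sha256())
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashes:
                h.update(chunk)
    return tuple(h.hexdigest() for h in hashes)


def match_iocs(md5, sha1, sha256):
    """Return the list of indicator types that matched (empty when clean)."""
    hits = []
    if md5.lower() in CRYPTO24_MD5:
        hits.append("md5")
    if sha1.lower() in CRYPTO24_SHA1:
        hits.append("sha1")
    if sha256.lower() in CRYPTO24_SHA256:
        hits.append("sha256")
    return hits


def sweep(root):
    """Walk root and return [(path, matched_types)] for files hitting an IOC."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, sha1, sha256 = digests(path)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the sweep
            hits = match_iocs(md5, sha1, sha256)
            if hits:
                findings.append((path, hits))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in sweep(root):
        print(f"IOC MATCH ({', '.join(hits)}): {path}")
```

Run it as `python sweep.py C:\` (or any mount point) from a host that is already isolated; a match on a single hash type is still reported, since the page lists the three digests for the same samples and a responder may only have one of them to hand.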

Recommended Actions

  • Apply Software Updates: Use the Cisco Software Checker to identify and install free fixed releases for ASA, FTD, and FMC, ensuring compatibility with your devices.
  • Enforce Strong Identity and Access Controls: Regularly audit privileged accounts, disable unused default administrative accounts, require multi-factor authentication, and monitor for unusual account creation or privilege escalation.
  • Harden Endpoint and Security Agent Protection: Ensure EDR, antivirus, and other security solutions are up-to-date, continuously monitored, and protected with self-protection to prevent tampering or uninstallation.
  • Monitor for Abnormal Administrative Tool Usage: Audit the use of built-in Windows utilities and third-party remote access tools (e.g., PsExec, runas, sc.exe, AnyDesk) to detect signs of lateral movement, especially during off-hours.
  • Enhance Detection, Logging, and Threat Hunting: Implement centralized logging and real-time monitoring for new scheduled tasks, service creations, RDP enablement, system file changes, and unusual outbound traffic. Focus on persistence and defense evasion indicators.
  • Secure Remote Access: Limit exposure of RDP and other remote tools to authorized systems only, enforce strong authentication, disable legacy protocols, patch vulnerabilities, and adopt a Zero Trust framework based on “never trust, always verify.”
  • Maintain Backup and Recovery Readiness: Keep regular, encrypted, offline, or immutable backups, protect them from tampering, and routinely verify restoration processes to ensure business continuity in case of compromise.
  • Conduct Threat Simulations: Perform regular red team or purple team exercises to evaluate the organization’s ability to detect and respond to lateral movement, privilege escalation, and data exfiltration. Use results to strengthen defenses and incident response plans.
  • Prepare for Rapid Incident Response: Establish clear procedures, escalation paths, and user training for phishing and credential risks to enable fast containment, investigation, and remediation of any detected compromise.
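The "Enhance Detection, Logging, and Threat Hunting" item above, together with the Discovery and Persistence sections, describes a set of host events worth correlating: account creation followed by addition to a privileged group, re-enabled default accounts, service installs that load the advisory's DLL names, and scheduled tasks that run batch files, all weighted by whether they occur off-hours. The script below is an added example (not code from the advisory or from Trend Micro) that runs those rules over hand-constructed, simplified event records in JSON-lines form. The field names (`time`, `id`, `host`, `user`, `group`, `service`, `dll`, `task`, `command`) and the business-hours window are assumptions standing in for the real Windows event XML fields; the event IDs are the standard Security/System log IDs for user creation (4720), local group membership change (4732), account enabled (4722), service install (7045) and scheduled task creation (4698).

```python
"""Detection sketch for Crypto24-style account abuse and persistence.

Added example, not code from the advisory or this page. It replays
hand-constructed, simplified Windows event records (JSON lines) through
rules that map to behaviours the advisory describes. Findings raised
outside business hours are escalated to high severity.
"""
import json
import ntpath
from datetime import datetime

# Service DLL names come from the advisory text on this page.
KNOWN_BAD_SERVICE_DLLS = {"winmainsvc.dll", "msruntime.dll"}
# Assumption: default accounts whose re-enablement should be flagged.
DEFAULT_ACCOUNTS = {"administrator", "guest"}
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}
BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 on weekdays
PRIVILEGE_WINDOW_SECONDS = 3600  # 4720 -> 4732 within an hour is suspicious

# Constructed sample records for a Thursday (2025-06-12). Field names are
# simplified stand-ins for the real event XML fields.
SAMPLE_EVENTS = r"""
{"time": "2025-06-12T02:11:05", "id": 4720, "host": "FS01", "user": "svc_backup2"}
{"time": "2025-06-12T02:11:09", "id": 4732, "host": "FS01", "user": "svc_backup2", "group": "Administrators"}
{"time": "2025-06-12T02:12:40", "id": 4722, "host": "FS01", "user": "Administrator"}
{"time": "2025-06-12T02:15:01", "id": 7045, "host": "FS01", "service": "WinMainSvc", "dll": "C:\\Windows\\WinMainSvc.dll"}
{"time": "2025-06-12T02:16:33", "id": 4698, "host": "FS01", "task": "\\Microsoft\\Windows\\UpdateCheck", "command": "C:\\Windows\\System32\\update.bat"}
{"time": "2025-06-12T10:30:00", "id": 7045, "host": "WS22", "service": "VendorAgent", "dll": ""}
{"time": "2025-06-12T11:00:00", "id": 4720, "host": "DC01", "user": "jdoe"}
"""


def parse_events(text):
    """Parse JSON-lines event records into dicts with a datetime 'time'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def off_hours(ts):
    """True when the timestamp falls outside the assumed business-hours window."""
    return ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5


def detect(events):
    """Return a list of (severity, host, description) findings, in event order."""
    findings = []
    created = {}  # (host, user) -> time the account was created (4720)
    for ev in events:
        host, ts = ev["host"], ev["time"]
        desc = None
        if ev["id"] == 4720:
            created[(host, ev["user"].lower())] = ts
        elif ev["id"] == 4732 and ev.get("group", "").lower() in PRIVILEGED_GROUPS:
            key = (host, ev["user"].lower())
            if key in created and (ts - created[key]).total_seconds() <= PRIVILEGE_WINDOW_SECONDS:
                desc = f"new account {ev['user']} added to {ev['group']} within an hour of creation"
        elif ev["id"] == 4722 and ev["user"].lower() in DEFAULT_ACCOUNTS:
            desc = f"default account {ev['user']} re-enabled"
        elif ev["id"] == 7045:
            dll = ntpath.basename(ev.get("dll", "")).lower()
            if dll in KNOWN_BAD_SERVICE_DLLS:
                desc = f"service {ev['service']} loads known Crypto24 DLL {dll}"
        elif ev["id"] == 4698 and ev.get("command", "").lower().endswith(".bat"):
            desc = f"scheduled task {ev['task']} runs batch file {ev['command']}"
        if desc:
            severity = "high" if off_hours(ts) else "medium"
            findings.append((severity, host, desc))
    return findings


if __name__ == "__main__":
    for severity, host, desc in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{severity.upper()}] {host}: {desc}")
```

On the constructed sample the four FS01 events at 02:xx each produce a high-severity finding, while the daytime vendor service install on WS22 and the plain account creation on DC01 produce none. In production the same rules belong in the SIEM with the real event fields (the 4732 member is a SID, not a name), and the DLL-name rule should be treated as a starting point rather than the whole detection, since the actor can rename files.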

References

https://www.trendmicro.com/en_ae/research/25/h/crypto24-ransomware-stealth-attacks.html