Top Highlights
- Crypto24 is a sophisticated ransomware group that employs legitimate tools, custom malware, and advanced evasion techniques to stealthily infiltrate and attack organizations across Asia, Europe, and the U.S., primarily targeting large enterprises in finance, manufacturing, and tech sectors.
- The group demonstrates high operational maturity by reactivating default admin accounts, creating multiple privileged user accounts, and deploying custom tools like RealBlindingEDR to disable security defenses, highlighting their ability to bypass modern security controls.
- Crypto24 leverages a multi-layered attack arsenal—including keyloggers, backdoors, and Google Drive exfiltration—to conduct data theft, long-term surveillance, and persistent access, often launching off-peak, targeted operations to maximize impact.
- To defend against such threats, organizations must implement rigorous security practices like regular privileged account audits, endpoint monitoring, quick incident response, and adopting a zero-trust framework to mitigate evolving, highly adaptive ransomware tactics.
Problem Explained
Trend Micro has identified a highly sophisticated ransomware group named Crypto24, which uses a blend of legitimate tools and custom malware to carry out stealthy cyberattacks on large organizations across Asia, Europe, and the U.S., especially targeting sectors like finance, manufacturing, entertainment, and technology. This threat group operates with a high degree of coordination, executing attacks during off-peak hours to avoid detection, while deploying advanced evasion strategies such as customized versions of security-disabling tools like RealBlindingEDR and exploiting vulnerabilities in drivers. They also use a variety of techniques—such as creating multiple privileged accounts, reactivating default admin profiles, and installing malware as services—to maintain persistent access, exfiltrate data covertly via Google Drive, and extend their presence before deploying ransomware payloads, often thwarted initially by security measures but later successfully executed after bypassing defenses.
The report, authored by cybersecurity analyst Anna Ribeiro, highlights how Crypto24’s operations reflect a dangerous evolution in ransomware tactics, demonstrating deep technical expertise and deliberate planning to outmaneuver modern security controls. The group’s ability to quietly monitor and manipulate enterprise environments underscores the urgent need for organizations to adopt proactive, layered defenses—regular account audits, strict control over remote access tools, continuous EDR monitoring, and robust backup strategies. As threat actors continue studying and exploiting systemic vulnerabilities, the report emphasizes that swift incident response and adaptive cybersecurity strategies are essential to thwart such advanced, persistent attacks.
Critical Concerns
Trend Micro’s investigation into the Crypto24 ransomware group reveals a highly sophisticated threat actor that combines legitimate IT tools, such as PsExec, AnyDesk, and GPO commands, with custom malware and advanced evasion techniques to successfully infiltrate, persist, and exfiltrate data from high-value organizations across Asia, Europe, and the U.S. In their operations, Crypto24 employs tactics like reactivating default administrator accounts, creating multiple privileged user profiles, and deploying custom tools like RealBlindingEDR to disable modern security defenses—highlighting a deep understanding of enterprise security stacks. Their methods include stealthy lateral movement, persistent remote access, and multi-layered payloads that can bypass EDRs and other protections, often executing attacks during off-peak hours to maximize impact. Such operations not only threaten data confidentiality and operational continuity but also expose organizations to long-term surveillance, credential theft, and financial loss, emphasizing the urgent need for rigorous security practices: strict privileged account management, routine security audits, robust endpoint detection, multi-factor authentication, and a proactive incident response strategy. As threat actors continue to evolve with highly tailored and adaptive tactics, organizations must adopt a layered, vigilant approach to cybersecurity, reinforcing defenses against increasingly capable adversaries who possess the technical expertise to neutralize conventional tools and exploit vulnerabilities within their security infrastructure.
Possible Remediation Steps
Prompt response is crucial when facing threats like Crypto24 ransomware, which cleverly combines genuine tools with custom malware to target manufacturing and other sectors. Quick action can prevent widespread damage and protect critical assets.
Detection and Identification
Rapidly recognize the infection through monitoring unusual activity or system anomalies. Employ advanced malware detection tools to identify signs of Crypto24 presence.
Isolation and Containment
Immediately disconnect affected systems from the network to prevent malware spread. Isolate infected devices to contain the threat while preserving evidence for analysis.
Data Backup and Recovery
Ensure recent, secure backups are available. Use these backups to restore systems after malware removal, minimizing data loss and operational downtime.
Malware Removal
Utilize specialized antivirus and anti-malware solutions to thoroughly eliminate Crypto24. For complex infections, consider consulting cybersecurity professionals for tailored removal techniques.
Patch and Update
Implement the latest security patches and updates on all systems to close vulnerabilities exploited by the malware, reducing the chance of reinfection.
Incident Analysis
Conduct a detailed forensic investigation to understand the attack vector and scope. Use findings to improve defenses and prevent future incidents.
Communication and Reporting
Notify relevant stakeholders, including regulatory bodies if necessary, and communicate transparently about the breach and remediation measures.
Long-Term Security Enhancement
Review and strengthen cybersecurity policies, deploy advanced threat detection systems, and train staff to recognize and respond to future threats promptly.
Continue Your Cyber Journey
Stay informed on the latest Threat Intelligence and Cyberattacks.
Understand foundational security frameworks via NIST CSF on Wikipedia.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1
