Crypto24 ransomware hits large orgs with custom EDR evasion tool – Against Invaders – Notícias de CyberSecurity para humanos.

The Crypto24 ransomware group has been using custom utilities to evade security solutions on breached networks, exfiltrate data, and encrypt files.

The threat group’s earliest activity was reported on the BleepingComputer forums in September 2024, though it never reached notable levels of notoriety.

According to Trend Micro researchers tracking Crypto24’s operations, the hackers have hit several large organizations in the United States, Europe, and Asia, focusing on high-value targets in the finance, manufacturing, entertainment, and tech sectors.

The security researchers report that Crypto24 appears to be knowledgeable and well-versed, suggesting a high likelihood that it was formed by former core members of now-defunct ransomware operations.

Post-compromise activity

After gaining initial access, Crypto24 hackers activate default administrative accounts on Windows systems within enterprise environments or create new local user accounts for stealthy, persistent access.

Following a reconnaissance phase using a custom batch file and commands that enumerate accounts and profile system hardware and the disk layout, the attacker creates malicious Windows services and scheduled tasks for persistence.

The first is WinMainSvc, a keylogger service, and the second is MSRuntime, a ransomware loader.

Command and processes to escalate privileges

Trend Micro researchers say:

“The file in question is a legitimate tool provided by Trend Micro for troubleshooting, specifically to resolve issues such as fixing inconsistent agents within Trend Vision One deployments.”

“Its intended use is to cleanly uninstall Endpoint BaseCamp when required for maintenance or support.”

This tool essentially prevents the detection of follow-on payloads like the keylogger (WinMainSvc.dll) and the ransomware (MSRuntime.dll), both custom tools.

The keylogger, which masquerades as “Microsoft Help Manager,” logs both active window titles and keypresses, including control keys (Ctrl, Alt, Shift, function keys).

The attackers also use SMB shares for lateral movement and staging files for extraction.

All stolen data is exfiltrated to Google Drive using a custom tool that leverages the WinINET API to interact with Google’s service.

The ransomware payload executes after deleting volume shadow copies on Windows systems to prevent easy recovery.
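As an added defender-side example, not from the article or from Trend Micro’s report: a small triage routine that flags the post-compromise behaviours described above (a re-enabled or newly created local account, the WinMainSvc and MSRuntime service installs, shadow copy deletion) in parsed Windows event records. The service names come from the article; the event IDs are standard Windows System/Security log IDs; the shadow-copy command patterns and all sample records are assumptions and constructed data.

```python
import re

# Service names come from the article; the event IDs are standard Windows
# System/Security log IDs; every sample record below is constructed.
SUSPECT_SERVICES = {"winmainsvc", "msruntime"}
# The article says shadow copies are deleted but names no command; these
# patterns are an assumption covering the usual built-in utilities.
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)

def classify(event):
    """Return a finding string for one parsed event record, or None."""
    eid = event.get("EventID")
    if eid == 7045:  # System log: a new service was installed
        name = event.get("ServiceName", "")
        if name.lower() in SUSPECT_SERVICES:
            return f"service install matches Crypto24 persistence name: {name}"
    elif eid == 4720:  # Security log: a user account was created
        return f"new local account created: {event.get('TargetUserName', '?')}"
    elif eid == 4722:  # Security log: a user account was enabled
        return f"account enabled, check for default admin: {event.get('TargetUserName', '?')}"
    elif eid == 4688:  # Security log: process creation with command line
        cmd = event.get("CommandLine", "")
        if SHADOW_DELETE.search(cmd):
            return f"volume shadow copy deletion: {cmd}"
    return None

def triage(events):
    """Run classify() over a sequence of records and keep only the hits."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append((ev.get("EventID"), ev.get("Computer", "?"), hit))
    return findings

# Constructed sample records mimicking parsed Windows event log entries.
SAMPLE_EVENTS = [
    {"EventID": 4722, "Computer": "WS01", "TargetUserName": "Administrator"},
    {"EventID": 4720, "Computer": "WS01", "TargetUserName": "svc_backup2"},
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "WinMainSvc"},
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "MSRuntime"},
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "Spooler"},
    {"EventID": 4688, "Computer": "WS01", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 4688, "Computer": "WS01", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for eid, host, finding in triage(SAMPLE_EVENTS):
        print(f"[{host}] event {eid}: {finding}")
```

The account-creation rule is deliberately broad and meant as a triage hint to correlate with the other findings on the same host, not as a stand-alone alert.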

Overview of Crypto24 attacks

indicators of compromise that other defenders can use to detect and block Crypto24 ransomware attacks before they reach the ultimate stages.

Bill Toulas

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
