Crypto24 Ransomware Group Deploys Stealthy Multi-Stage Attacks
Security researchers at Trend Micro recently uncovered a sophisticated ransomware operation deploying a variant tracked as Crypto24. The group executes highly coordinated, multi-stage attacks that blend legitimate system administration tools with custom malware to evade detection systems and compromise high-value targets worldwide.
Trend Micro discovered Crypto24 primarily targets large organizations in the United States, Europe, and Asia. Its victims span critical sectors such as financial services, manufacturing, entertainment, and technology. The group operates with alarming precision, frequently launching attacks during off-peak hours to minimize interference and detection.
Trend Micro's analysis reveals that Crypto24 initiates its attacks with a blend of widely used IT tools, such as:
- PSExec is used to execute commands on remote systems.
- AnyDesk is leveraged for persistent remote access.
- Google Drive is abused to stealthily exfiltrate stolen data.
During the initial breach, attackers often use net.exe to activate default or create new privileged user accounts, then employ runas.exe and PSExec64.exe to execute actions under elevated privileges. They gather system and user information via scripts, then use Windows Scheduled Tasks and services to embed persistence.
Crypto24 exemplifies "living-off-the-land" tactics by abusing pre-installed utilities to stay under the radar. In one instance, attackers misused a Microsoft Group Policy tool (gpscript.exe) to launch a legitimate troubleshooting utility (XBCUninstaller.exe) from Trend Micro; this tool normally helps resolve agent inconsistencies. The attackers could use it to remove endpoint protection only after they had gained administrator rights.
In parallel, they use a custom-built variant of RealBlindingEDR to disable security solutions. This tool targets kernel-level components of endpoint detection and response (EDR) products from various vendors, including Trend Micro, Microsoft, Symantec, Kaspersky, and Fortinet. Analysts describe these methods as a dangerous escalation in ransomware tactics. More details on the use of RealBlindingEDR can be found below.
To monitor and harvest credentials, Crypto24 deploys a keylogger, typically named WinMainSvc.dll, which runs only under svchost.exe to avoid sandbox detection. The malware captures keystrokes and active window titles and uploads the data to Google Drive. Before uploading full datasets, it verifies access by sending a simple "Test.txt" file containing "Test."
Once it completes reconnaissance and disables security controls, the group launches the final payload, often a ransomware component such as MSRuntime.dll. This payload encrypts files and leaves behind ransom demand instructions. In some cases, initial execution fails due to detection by Trend Micro; the group then returns to disable EDR systems before re-launching the payload.
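As an added example (not from the article or from Trend Micro's report), the following Python hunting pass runs over constructed Sysmon-style process-creation records and flags the stages described above: net.exe account creation, scheduled-task persistence, gpscript.exe spawning XBCUninstaller.exe, and WinMainSvc.dll loading inside svchost.exe. The field names, file paths, sample command lines and the schtasks rule are assumptions made for the illustration.

```python
import re

# Constructed Sysmon-style process-creation records (sample data made up for
# this example; field names are simplified, not Sysmon's exact schema).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net user svc_backup P@ss123 /add", "loaded": []},
    {"image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net localgroup administrators svc_backup /add", "loaded": []},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"schtasks /create /tn Updater /tr C:\Temp\run.bat /sc onstart /ru SYSTEM", "loaded": []},
    {"image": r"C:\Temp\XBCUninstaller.exe", "parent": r"C:\Windows\System32\gpscript.exe",
     "cmdline": "XBCUninstaller.exe", "loaded": []},
    {"image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs", "loaded": ["WinMainSvc.dll"]},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe notes.txt", "loaded": []},  # benign noise, should not fire
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

# Each rule is (name, predicate over one event); names mirror the article's stages.
RULES = [
    ("net-user-add", lambda e: basename(e["image"]) == "net.exe"
        and re.search(r"\buser\b.+\s/add\b", e["cmdline"], re.I)),
    ("net-admin-group-add", lambda e: basename(e["image"]) == "net.exe"
        and re.search(r"\blocalgroup\s+administrators\b.+\s/add\b", e["cmdline"], re.I)),
    ("schtasks-persistence", lambda e: basename(e["image"]) == "schtasks.exe"
        and re.search(r"/create\b", e["cmdline"], re.I)),
    ("gpscript-spawned-xbcuninstaller", lambda e: basename(e["parent"]) == "gpscript.exe"
        and basename(e["image"]) == "xbcuninstaller.exe"),
    ("winmainsvc-in-svchost", lambda e: basename(e["image"]) == "svchost.exe"
        and any(basename(m) == "winmainsvc.dll" for m in e["loaded"])),
]

def hunt(events):
    """Return (rule name, command line) for every rule that fires on an event."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((name, e["cmdline"]))
    return hits

if __name__ == "__main__":
    for name, cmd in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

Each rule on its own is noisy in a real estate (administrators do create accounts and tasks); the value is in correlating several of them on one host inside a short window, which is the pattern the article describes.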
Crypto24 emerged publicly around September 2024 but remained largely under the radar until now. Given its technical depth and adaptability, experts believe its members likely come from previous, well-known ransomware collectives. Trend Micro characterizes Crypto24's operations as mature and meticulously coordinated. The group understands enterprise defenses and exploits that understanding to bypass protections effectively.
EDR Evasion Through RealBlindingEDR
One of the most striking elements of Crypto24's campaign is its deployment of a custom-built tool designed to neutralize endpoint detection and response (EDR) systems. Known as RealBlindingEDR, this utility enables the attackers to directly interfere with kernel-level components of security products.
Unlike ordinary malware that attempts to avoid triggering alarms, RealBlindingEDR takes an aggressive approach by targeting and shutting down the very mechanisms intended to detect malicious activity. Its targets span products from multiple vendors, including Microsoft, Trend Micro, Symantec, Kaspersky, and Fortinet, demonstrating that the attackers studied multiple platforms in depth before building their toolkit.
RealBlindingEDR represents a significant escalation in ransomware operations. By disabling monitoring and response features at such a fundamental level, Crypto24 ensures that defenders remain blind during critical phases of the intrusion. This tactic grants attackers time to conduct reconnaissance, deploy keyloggers, move laterally across networks, and eventually execute their ransomware payloads without raising immediate alarms.
Analysts emphasize that this method is particularly dangerous because it undermines incident detection and can delay forensic investigations, making it harder for organizations to trace what happened after an attack.
Security experts see this tool as part of a broader trend: ransomware groups are no longer satisfied with simply encrypting data and demanding payment. Instead, they are developing specialized software to dismantle security ecosystems from the inside.
In Crypto24's case, the RealBlindingEDR utility illustrates a level of maturity more commonly associated with nation-state actors. The group's ability to adapt legitimate security concepts, such as kernel driver manipulation, for malicious purposes shows that ransomware collectives are closing the gap between criminal and state-sponsored techniques.
Trend Micro recommends a layered security approach to defend against such advanced threats. Key strategies include:
- Using reputable antivirus solutions with tamper protection.
- Maintaining real-time protection and active firewalls.
- Employing dedicated anti-malware tools that operate in tandem with standard antivirus offerings.
While Trend Micro notes that its platform can detect Crypto24's Indicators of Compromise (IOCs), the broader security community must recognize that attackers are now weaponizing legitimate tools and exploiting deep knowledge of defenses. Defenders must now adapt similarly to mitigate the threat posed by skilled intruders.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps