Trend Micro has uncovered a new ransomware group, Crypto24, which blends legitimate tools with custom-built malware to carry out stealth attacks. The group relies on advanced evasion techniques to slip past security controls and endpoint detection and response (EDR) systems, using purpose-built bypass tools and manipulating security solutions to avoid detection.
Beyond ransomware deployment, Crypto24 engages in data theft and long-term surveillance, leveraging keyloggers, Google Drive exfiltration, and persistent remote access. According to Trend Micro, the group has targeted organizations in Asia, Europe, and the U.S., with financial services, manufacturing, entertainment, and technology among its primary sectors of focus.
Trend Micro’s analysis reveals that the threat actor operates with a high level of coordination, frequently launching attacks during off-peak hours to evade detection and maximize impact, the researchers wrote in a post. “Crypto24 has been targeting high-profile entities within large corporations and enterprise-level organizations. The scale and sophistication of recent attacks indicate a deliberate focus on organizations possessing substantial operational and financial assets. The group has concentrated its efforts on organizations in Asia, Europe, and the USA, with targets spanning the financial services, manufacturing, entertainment, and technology sectors.”
The ransomware group employs a diverse and sophisticated toolkit: PsExec for lateral movement, AnyDesk for persistent remote access, keyloggers for credential harvesting, various backdoor malware, and Google Drive for stealthy data exfiltration. The threat actors also exhibit advanced evasion techniques, such as deploying a customized version of RealBlindingEDR and abusing gpscript.exe.
“We observed cases where attackers executed the Trend Vision One uninstaller, XBCUninstaller.exe, via gpscript.exe,” the researchers disclosed. “The file in question is a legitimate tool provided by Trend Micro for troubleshooting, specifically to resolve issues such as fixing inconsistent agents within Trend Vision One deployments. Its intended use is to cleanly uninstall Endpoint BaseCamp when required for maintenance or support.”
Trend Micro assesses that the Crypto24 campaign represents a dangerous evolution in ransomware operations. Unlike more conventional groups, the threat actor demonstrates a high level of operational maturity, combining legitimate tools alongside custom malware, which allows them to blend in with normal IT operations while executing precision attacks during off-peak hours. This multi-layered approach extends beyond encryption to include keyloggers for credential harvesting and Google Drive for data exfiltration, creating persistent exposure risks that outlast the initial infection.
More importantly, the post highlighted “Crypto24’s successful deployment of a customized RealBlindingEDR (an open-source tool for disabling security solutions) variant that neutralized our security controls shows their capability to maneuver around modern defenses. The threat actor’s customized version employs advanced evasion, likely via unknown vulnerable drivers, showcasing deep technical expertise and ongoing tool refinement. The group’s ability to maintain persistence before encryption reflects patience and strategic planning uncommon in commodity ransomware.”
The researchers noted that, far from being just another ransomware campaign, “Crypto24 attacks demonstrate that threat actors have studied our security stacks, identified systematic weaknesses, and built purpose-designed tools to exploit them. Organizations using similar defenses should consider themselves at immediate risk, making it essential to understand Crypto24’s methodology to adapt our defensive strategies against adversaries who have already proven capable of defeating them.”
As part of its attack routine, the researchers said, the attacker reactivated default administrative accounts and created multiple new user accounts, often with common or generic names to avoid drawing attention. These accounts were then added to privileged groups, such as Administrators, to preserve persistent elevated access. Using standard Windows net.exe commands, the attacker created and modified accounts, reset passwords, and re-enabled previously disabled profiles. This approach provided multiple entry points into compromised systems while making detection more difficult during routine security audits.
The post noted that “In a major escalation, the threat actor installed MSRuntime.dll as a service, intending it to act as the ransomware payload. Initial execution attempts failed, as Trend solutions detected and immediately terminated the ransomware’s behavior. After several hours, the threat actor deployed an uninstaller for EDR solutions via Group Policy Object (GPO), followed by a subsequent successful execution of the ransomware payload.”
The researchers identified that a threat actor using a customized anti-EDR tool such as RealBlindingEDR, potentially exploiting new or unknown vulnerable drivers, could target several endpoints; however, the success of such an attack would depend on the strength and completeness of the security controls implemented on each endpoint.
“While behavioral solutions and pattern detections may effectively block the attack, endpoints with weaker security configurations or disabled protections could remain susceptible,” they added. “In such cases, an attacker could gain access and perform actions such as uninstalling security solutions via administrative scripts and remote desktop with elevated privileges. Enabling agent self-protection on Windows prevents local users from tampering with or removing Trend’s agent.”
In conclusion, Trend Micro said that the Crypto24 ransomware campaign highlights the escalating operational sophistication and adaptability of modern threat actors. By leveraging a strategic combination of legitimate IT tools, including PsExec, AnyDesk, and Group Policy utilities, alongside Living Off the Land Binaries (LOLBins), custom malware, and advanced evasion techniques, the operators successfully gain initial access, execute lateral movement, and establish persistent footholds within targeted environments.
“Our analysis reveals that Crypto24’s operators are fully capable of identifying and targeting security-specific controls, including EDR solutions, and employing purpose-built tools to bypass defenses,” according to the researchers. “The attackers demonstrate a clear understanding of enterprise defense stacks and an ability to circumvent them. Crypto24 serves as a warning that modern ransomware groups are highly adaptive, blending in with normal IT operations while deploying attacks.”
As threat actors continue to study and maneuver around existing defenses, defenders need to remain agile and continually evaluate, update, and reinforce their cybersecurity posture.
Rapid incident response remains a critical part of an organization’s security posture. When threat actors are able to maintain a presence within a network over an extended period, they can map the environment, compile custom ransomware binaries, and conduct extensive data exfiltration before executing a final attack. Proactive detection, timely investigation, and swift remediation are essential to disrupting such activities and minimizing potential impact.
Organizations can strengthen their defenses against advanced, multi-layered attacks such as those employed by Crypto24 by adopting several key practices. They should regularly audit and restrict the creation and use of privileged accounts, while disabling unused default administrative accounts. Remote Desktop Protocol and remote tools such as PsExec or AnyDesk should be limited to authorized systems only, with multifactor authentication enabled and firewall configurations reviewed on a routine basis.
It is critical to detect and investigate unusual uses of built-in Windows utilities and third-party remote access tools that could indicate lateral movement. Security teams should also ensure that endpoint detection and response solutions remain up to date and continuously monitored to prevent uninstallation or bypass attempts. Scheduled tasks and service creations should be inspected for unauthorized or suspicious activity, while monitoring should be extended to unauthorized changes to system files and unusual outbound traffic, including exfiltration to cloud storage.
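The account-manipulation pattern described earlier (new accounts added to privileged groups, default admin accounts re-enabled via net.exe) and the gpscript.exe-launched uninstaller both leave traces in standard Windows telemetry. The following is an added detection example, not code from Trend Micro or the original post; the event records are constructed samples modelled on Security events 4720/4722/4732 and Sysmon process-creation events, and the group and account baselines are assumptions to tune per environment.

```python
from datetime import datetime, timedelta
import ntpath

# Constructed sample records modelled on Windows Security events (4720 account
# created, 4722 account enabled, 4732 member added to local group) and Sysmon
# process-creation events (id 1). Illustrative only, not telemetry from the case.
EVENTS = [
    {"id": 4720, "time": "2025-08-10T02:13:00", "account": "svc_backup"},
    {"id": 4732, "time": "2025-08-10T02:14:10", "account": "svc_backup", "group": "Administrators"},
    {"id": 4722, "time": "2025-08-10T02:20:00", "account": "Administrator"},
    {"id": 4720, "time": "2025-08-10T09:00:00", "account": "jdoe"},
    {"id": 4732, "time": "2025-08-10T15:00:00", "account": "jdoe", "group": "Remote Desktop Users"},
    {"id": 1, "time": "2025-08-10T03:05:00",
     "parent": r"C:\Windows\System32\gpscript.exe", "image": r"C:\Windows\Temp\XBCUninstaller.exe"},
    {"id": 1, "time": "2025-08-10T03:06:00",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
]

# Assumed baselines: adjust to the environment (group names are locale-dependent).
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins"}
DEFAULT_ADMIN_ACCOUNTS = {"administrator"}

def _ts(event):
    return datetime.fromisoformat(event["time"])

def detect_account_abuse(events, window=timedelta(hours=1)):
    """Flag accounts created and then added to a privileged group within `window`,
    and built-in admin accounts that were re-enabled (the net.exe pattern)."""
    created = {e["account"].lower(): _ts(e) for e in events if e["id"] == 4720}
    alerts = []
    for e in events:
        acct = e.get("account", "").lower()
        if e["id"] == 4732 and e.get("group", "").lower() in PRIVILEGED_GROUPS:
            if acct in created and timedelta(0) <= _ts(e) - created[acct] <= window:
                alerts.append(("new-account-to-privileged-group", e["account"], e["group"]))
        elif e["id"] == 4722 and acct in DEFAULT_ADMIN_ACCOUNTS:
            alerts.append(("default-admin-reenabled", e["account"], ""))
    return alerts

def detect_gpscript_children(events):
    """Flag every process spawned by gpscript.exe: GPO scripts rarely launch
    security-agent uninstallers, so each child deserves analyst review."""
    return [("gpscript-child-process", ntpath.basename(e["image"]), e["parent"])
            for e in events if e["id"] == 1
            and ntpath.basename(e["parent"]).lower() == "gpscript.exe"]

def run(events=EVENTS):
    """Return all alerts from both rules, in event order per rule."""
    return detect_account_abuse(events) + detect_gpscript_children(events)
```

On the sample data, `run()` raises three alerts (svc_backup promoted to Administrators, the built-in Administrator re-enabled, and XBCUninstaller.exe launched by gpscript.exe) while the routine jdoe account changes stay quiet.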
Maintaining regular offline backups and verifying restoration processes helps ensure resilience in the event of an attack. All systems, particularly those with administrative access, should be covered by security agents and actively monitored. Organizations should also adopt a zero trust framework that follows the principle of ‘never trust, always verify.’ Finally, regular training on phishing and credential risks, along with an effective incident response strategy, is essential to minimizing exposure and improving recovery capabilities.