Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Crypto24 Ransomware's Custom EDR Evasion Tool: A Threat to Enterprise Security



The Crypto24 ransomware group uses a custom endpoint detection evasion tool to disable security agents on breached networks, then exfiltrates data and encrypts files. The tool is built to blind EDR products from several vendors at the kernel level, leaving defenders with little or no telemetry while the intrusion unfolds.

In recent months, Crypto24 has been targeting large organizations in the US, Europe, and Asia, focusing on high-value targets in the finance, manufacturing, entertainment, and tech sectors. The group's tactics and techniques are a significant threat to enterprise security, and it's essential that defenders take proactive steps to protect themselves against advanced ransomware threats like Crypto24.


  • Crypto24 ransomware has been using custom utilities to evade security solutions and exfiltrate data.
  • The group's custom EDR evasion tool, a modified build of the open-source RealBlindingEDR, targets security agents from multiple vendors.
  • Crypto24 can "blind" detection engines and bypass EDR solutions, making it difficult for defenders to detect attacks.
  • The group uses SMB shares for lateral movement and staging files for extraction.
  • All stolen data is exfiltrated to Google Drive using a custom tool that leverages the WinINET API.
  • Crypto24's ransomware payload deletes volume shadow copies on Windows systems, making data recovery difficult.



    Crypto24 ransomware is a growing threat to enterprise security. According to recent reports from Trend Micro researchers, the group uses custom utilities to evade security solutions on breached networks, exfiltrate data and encrypt files.

    The Crypto24 ransomware group's earliest activity was reported on the BleepingComputer forums in September 2024, although it never gained much notoriety. Since then the group has continued to refine its tactics, leaving a trail of compromised networks and stolen data behind it.

    One of the most concerning aspects of Crypto24's attacks is its use of a custom EDR (Endpoint Detection and Response) evasion tool: a modified variant of the open-source RealBlindingEDR that targets security agents from multiple vendors by disabling their kernel drivers. Tools in this family load a legitimately signed but vulnerable driver and use it to strip the kernel callbacks (process, thread and image-load notifications, registry and object-handle filters) that security agents depend on, so even mature products stop seeing the activity.

    This allows Crypto24 to "blind" detection engines and bypass EDR solutions, making it difficult for defenders to detect and respond to the attacks in a timely manner. The group's use of this custom EDR evasion tool is just one example of its sophisticated tactics and techniques.
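Because this style of blinding depends on getting a driver loaded, the first observable is a new kernel-mode service being installed. The Python below, added here as an example and not code from the page or from Trend Micro's research, runs a simple triage over constructed records in the shape of Windows System log Event ID 7045 ("A service was installed in the system"): it normalises the driver image path (7045 often logs it relative to %SystemRoot% or with the NT `\??\` prefix) and flags kernel drivers whose image sits in a user-writable directory or outside `System32\drivers`. The field names and the assumption that the system drive is C: are mine.

```python
import re

# Constructed records in the shape of Windows System log Event ID 7045 exported to JSON.
# Host names, service names and paths are made up for this example.
SAMPLE_7045 = [
    {"host": "WS17", "service_name": "ctrl", "image_path": "C:\\Users\\Public\\ctrl.sys",
     "service_type": "kernel mode driver", "start_type": "demand start"},
    {"host": "FS01", "service_name": "Upd", "image_path": "\\??\\C:\\ProgramData\\upd.sys",
     "service_type": "kernel mode driver", "start_type": "auto start"},
    {"host": "WS09", "service_name": "vfilter", "image_path": "C:\\Program Files\\Vendor\\vfilter.sys",
     "service_type": "kernel mode driver", "start_type": "auto start"},
    {"host": "WS04", "service_name": "VBoxDrv", "image_path": "System32\\drivers\\VBoxDrv.sys",
     "service_type": "kernel mode driver", "start_type": "demand start"},
    {"host": "WS04", "service_name": "MyAgent", "image_path": "C:\\Program Files\\Agent\\agent.exe",
     "service_type": "user mode service", "start_type": "auto start"},
]

# Assumption: the system drive is C:. Adjust for environments with a different layout.
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")


def normalize_path(raw: str) -> str:
    """Turn the ImagePath as logged into a lower-cased absolute path for comparison."""
    p = raw.strip().strip('"')
    low = p.lower()
    if low.startswith("\\??\\"):                       # NT object-manager prefix
        p = p[4:]
    elif low.startswith("\\systemroot\\"):
        p = "C:\\Windows\\" + p[len("\\systemroot\\"):]
    elif low.startswith("%systemroot%\\"):
        p = "C:\\Windows\\" + p[len("%systemroot%\\"):]
    if not re.match(r"^[a-z]:\\", p, re.I):          # relative to %SystemRoot%
        p = "C:\\Windows\\" + p
    return p.lower()


def assess_driver_installs(events):
    """Return one finding per suspicious kernel-mode driver installation."""
    findings = []
    for ev in events:
        if ev["service_type"].lower() != "kernel mode driver":
            continue                                  # user-mode services are out of scope here
        path = normalize_path(ev["image_path"])
        if path.startswith(USER_WRITABLE):
            severity, reason = "high", "kernel driver image in a user-writable directory"
        elif not path.startswith(TRUSTED_DRIVER_DIR):
            severity, reason = "medium", "kernel driver image outside System32\\drivers"
        else:
            continue
        findings.append({"host": ev["host"], "service_name": ev["service_name"],
                         "path": path, "start_type": ev["start_type"],
                         "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in assess_driver_installs(SAMPLE_7045):
        print(f"[{f['severity']:6}] {f['host']} {f['service_name']} -> {f['path']} ({f['reason']})")
```

A medium finding alone is noisy, since legitimate vendors do install drivers under Program Files; the useful follow-up is to take the file hash from Sysmon Event ID 6 (DriverLoad), which also records the signature, and compare it against the LOLDrivers list of known abusable signed drivers before escalating.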

    In addition to the EDR evasion tool, Crypto24 uses SMB shares for lateral movement and for staging files before extraction. The stolen data is then exfiltrated to Google Drive using a custom tool that relies on the WinINet API to talk to Google's service.
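The choice of WinINet matters for detection: WinINet applications pick up the machine's configured Internet Options proxy, so a tool built on it normally sends its uploads through the corporate web proxy, where they can be counted. The Python below, added here as an example and not part of the Trend Micro or BleepingComputer reporting, aggregates per-host upload volume to the Google Drive upload API (the `/upload/drive/` paths on `www.googleapis.com`) over a constructed JSON-lines proxy log and flags hosts above a threshold. The field names, the 50 MiB threshold and the allowlist are assumptions; real proxies name these fields differently.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log in JSON-lines form. Field names are assumptions for this example.
SAMPLE_PROXY_LOG = [
    '{"ts": "2025-08-12T02:14:03Z", "src": "FS01", "method": "PUT", "url": "https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable&upload_id=abc", "bytes_out": 41943040}',
    '{"ts": "2025-08-12T02:16:41Z", "src": "FS01", "method": "PUT", "url": "https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable&upload_id=abc", "bytes_out": 41943040}',
    '{"ts": "2025-08-12T02:19:22Z", "src": "FS01", "method": "PUT", "url": "https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable&upload_id=abc", "bytes_out": 41943040}',
    '{"ts": "2025-08-12T09:02:09Z", "src": "WS04", "method": "POST", "url": "https://www.googleapis.com/drive/v3/files", "bytes_out": 800}',
    '{"ts": "2025-08-12T09:02:10Z", "src": "WS04", "method": "POST", "url": "https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart", "bytes_out": 2097152}',
    '{"ts": "2025-08-12T09:05:00Z", "src": "WS09", "method": "GET", "url": "https://drive.google.com/drive/my-drive", "bytes_out": 512}',
    '{"ts": "2025-08-12T10:30:00Z", "src": "MKT02", "method": "PUT", "url": "https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable&upload_id=xyz", "bytes_out": 62914560}',
]

DRIVE_UPLOAD_HOSTS = {"www.googleapis.com"}
DRIVE_UPLOAD_PATH_PREFIX = "/upload/drive/"     # Drive v2/v3 media upload endpoints
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}       # resumable uploads send chunks with PUT


def is_drive_upload(method: str, url: str) -> bool:
    """True only for requests that carry file content to the Drive upload API."""
    u = urlsplit(url)
    return (method.upper() in UPLOAD_METHODS
            and u.hostname in DRIVE_UPLOAD_HOSTS
            and u.path.startswith(DRIVE_UPLOAD_PATH_PREFIX))


def summarize_drive_uploads(lines):
    """Aggregate upload bytes and request counts per source host."""
    totals = defaultdict(lambda: {"bytes": 0, "requests": 0, "first": None, "last": None})
    for line in lines:
        rec = json.loads(line)
        if not is_drive_upload(rec["method"], rec["url"]):
            continue
        t = totals[rec["src"]]
        t["bytes"] += int(rec["bytes_out"])
        t["requests"] += 1
        t["first"] = rec["ts"] if t["first"] is None else min(t["first"], rec["ts"])
        t["last"] = rec["ts"] if t["last"] is None else max(t["last"], rec["ts"])
    return dict(totals)


def find_bulk_drive_uploads(lines, threshold_bytes=50 * 1024 * 1024, allowlist=frozenset()):
    """Hosts whose Drive upload volume exceeds the threshold, largest first, minus allowlisted ones."""
    hits = [{"src": src, **t} for src, t in summarize_drive_uploads(lines).items()
            if t["bytes"] >= threshold_bytes and src not in allowlist]
    return sorted(hits, key=lambda h: h["bytes"], reverse=True)


if __name__ == "__main__":
    # Assumption: MKT02 is a workstation with a sanctioned Drive use case.
    for h in find_bulk_drive_uploads(SAMPLE_PROXY_LOG, allowlist={"MKT02"}):
        print(f"{h['src']}: {h['bytes'] / 2**20:.0f} MiB in {h['requests']} requests "
              f"between {h['first']} and {h['last']}")
```

The path check needs TLS inspection on the proxy; without it the log only shows the SNI `www.googleapis.com` and byte counts, so the fallback is to alert on bytes-out to that name from hosts that have no business reason to use Drive, file servers first of all.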

    The ransomware payload runs only after deleting volume shadow copies on Windows systems, removing the easiest local recovery path and making it harder for defenders to restore data quickly.
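Shadow-copy deletion is the last loud step before encryption and goes through a handful of built-in Windows commands, which makes it a reliable detection point. The Python below, added here as an example rather than code from the page or from Trend Micro, runs inhibit-recovery rules over constructed process-creation records (the shape of Sysmon Event ID 1 or Windows 4688 after export), decodes PowerShell `-EncodedCommand` payloads before matching so a hidden `Win32_ShadowCopy` delete is not missed, and rates a host higher when several distinct rules fire. It goes beyond the page's shadow-copy case to the `wbadmin` and `bcdedit` commands ransomware commonly pairs with it; the field names are assumptions.

```python
import base64
import re
from collections import defaultdict


def _encode_ps(script: str) -> str:
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE script; used only to build a sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation records. Hosts and command lines are made up for this example.
SAMPLE_EVENTS = [
    {"host": "FS01", "image": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "FS01", "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmd": "wmic shadowcopy delete /nointeractive"},
    {"host": "FS01", "image": r"C:\Windows\System32\bcdedit.exe", "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"host": "FS01", "image": r"C:\Windows\System32\wbadmin.exe", "cmd": "wbadmin delete catalog -quiet"},
    {"host": "WS17", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc "
            + _encode_ps("Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }")},
    {"host": "WS04", "image": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin list shadows"},   # benign
    {"host": "WS04", "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs -p"},  # benign
]

# Rule name -> pattern over the (decoded) command line.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_storage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*/maxsize=", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("powershell_win32_shadowcopy", re.compile(r"Win32_ShadowCopy.*(Delete|Remove-WmiObject|Remove-CimInstance)", re.I | re.S)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]

ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def normalize_cmdline(cmd: str) -> str:
    """Append the decoded -EncodedCommand payload, if any, so the rules see the real intent."""
    m = ENC_RE.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:               # not valid base64 / UTF-16LE: leave the line as logged
        return cmd
    return f"{cmd} ;; decoded: {decoded}"


def detect(events):
    """One finding per (event, rule) match."""
    findings = []
    for ev in events:
        text = normalize_cmdline(ev["cmd"])
        for name, pattern in RULES:
            if pattern.search(text):
                findings.append({"host": ev["host"], "rule": name, "cmd": ev["cmd"]})
    return findings


def score_hosts(findings):
    """A single vssadmin call can be admin work; two or more distinct inhibit-recovery rules on one host is not."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f["host"]].add(f["rule"])
    return {host: {"rules": sorted(rules), "severity": "high" if len(rules) >= 2 else "medium"}
            for host, rules in rules_by_host.items()}


if __name__ == "__main__":
    for host, s in score_hosts(detect(SAMPLE_EVENTS)).items():
        print(f"{host}: {s['severity']} ({', '.join(s['rules'])})")
```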

    Trend Micro researchers assess that Crypto24's operators are experienced and well-versed in ransomware tradecraft, and consider it likely that the group was formed by former core members of now-defunct ransomware operations. That level of expertise makes their tactics harder to counter.

    In conclusion, Crypto24's custom EDR evasion tool is one part of a well-practised playbook: kernel-level blinding of security agents, lateral movement and staging over SMB shares, exfiltration to Google Drive, and shadow-copy deletion before encryption. Together these make the intrusion hard to detect and the damage hard to reverse. As the threat landscape continues to evolve, enterprises should take proactive steps to protect themselves against advanced ransomware threats like Crypto24.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Crypto24-Ransomwares-Custom-EDR-Evasion-Tool-A-Threat-to-Enterprise-Security-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/crypto24-ransomware-hits-large-orgs-with-custom-edr-evasion-tool/


  • Published: Thu Aug 14 13:40:04 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
