The Crypto24 ransomware group custom utilities are using the safety solutions on the network, exfiltrate data and encrypt files.
In September 2024, the oldest activity of the threat group was reported on the bleepingcomputer forums, although it never reached a remarkable level of infamous.
According to the trend micro researchers, monitoring the operation of Crypto 24, hackers have killed several large organizations in the United States, Europe and Asia, focusing on high-value goals in finance, manufacturing, entertainment, and technical fields.
Security researchers report that Crypto24 seems to be knowledgeable and well aware, suggests a high probability that it was now formed by former core members of the dift ransomware operations.
Sect activity
After achieving the initial access, the Crypto24 hackers activate the default administrative accounts on the Windows system within the enterprise environment or create new local user accounts for constant access.
After the reconnaissance phase using a custom batch file and the commands calculating the accounts, profile systems and disk layouts, the attacker makes the attacker malicious Windows services and determined tasks for firmness.
The first is Winmainsvc, a keylogger service, and the second is msruntime, a rangesware loader.
Source: Trend Micro
Subsequently, Crypto24 operators use a custom version of the Open-SOS tool Realindinger, which disables their kernel drivers and targets safety agents from many sellers:
- trend Micro
- Kaspersky
- Sophos
- Champion
- Malwarebytes
- Sannette
- Mcafee
- Bitdefender
- Broadcom (Cementac)
- Cisco
- Foretnet
- Acronis
Custom of Crypto24 removes the company’s name from the metadata of the rilbalindingdraad driver, compares it to a hardcoded list, and if there is a match, it neutralizes the kernel-level hook/callback to the “blind” detection engines.
Trends, especially about micro products, mentioned that, if the attacker has administrator privileges, they run a batch script that invites the valid ‘Xbcuninstaller.exe’ to uninstall the trend vision.
“We observed cases where the attackers executed the trend vision through an uninstallor, xbcuninstaller.exe, gpscript.exe,” Trend Micro researchers say,
“The file under consideration is a valid tool provided for troubleshooting by the Trend Micro, especially to solve issues such as fixing incompatible agents within trend vision one need.”
“Its intended use is to clean the endpoint basecamp when necessary for maintenance or support.”
This device essentially prevents the detection of follow-on payloads such as winmainsvc.dll and ransomware (msruntime.dll), both custom tools.
Keylogger, which displays as “Microsoft Help Manager”, logs both active window titles and keypresses, including the control keys (Ctrl, alt, shift, functioning keys).
Attackers use SMB shares for lateral movements and staging files for extraction.
All stolen data has been exflanting for Google Drive using a custom tool taking advantage of Wininet API to interact with Google service.
The ransomware payload executes the volume shade copies on the Windows system to prevent easy recovery.
Source: Trend Micro
The trend does not provide any details about the ransomware part of the micro attack, such as encryption scheme, ransom notes, communication methods, target file paths, language or branding clues.
Cyber security company shared a list at the end of the report Compromise indicators Other defenders can use Crypto 24 ranges and blocks before reaching the final stages.
The passwords broke in 46% of the atmosphere, almost doubled by 25% last year.
Picus Blue Report 2025 Now get a wider look at more conclusions on prevention, detection and data exfIs.
