
Ransomware Actors Combine Legitimate Tools with Custom Malware to Evade Detection

Threat Score: 81 | 4 articles | 100.0% similarity | 7 hours ago

Article Timeline: 4 articles, all dated Aug 14.

Key Insights

1. Crypto24 ransomware employs a custom version of RealBlindingEDR to disable endpoint detection systems, impacting major vendors like Sophos and Kaspersky - 'this tool can disable kernel-level hooks from a hardcoded list of 28 security vendors' [2].
2. The ransomware group has targeted at least two dozen organizations across the US, Europe, and Asia since April 2025, focusing on sectors such as financial services, manufacturing, and technology [3].
3. Operators utilize legitimate tools like PSExec and AnyDesk combined with bespoke malware, facilitating stealthy lateral movement and credential harvesting [1].
4. The attack chain begins with reconnaissance, where attackers execute scripts to gather system information and create malicious Windows services for persistence [3].
5. Crypto24's tactics are indicative of a well-organized group with likely ties to former ransomware operations, as their methods reflect advanced knowledge of network exploitation [3].
6. The ransomware campaign uses multi-stage attacks that blend malicious activities with regular IT operations, complicating detection efforts [1][4].

Threat Overview

The Crypto24 ransomware group has emerged as a significant threat, employing advanced evasion techniques to target high-profile organizations across the United States, Europe, and Asia. Since April 2025, this group has executed coordinated, multi-stage attacks primarily against sectors including financial services, manufacturing, entertainment, and technology. According to Trend Micro researchers, the group leverages a custom version of the open-source tool RealBlindingEDR, designed to disable endpoint detection and response (EDR) software from major vendors like Sophos and Kaspersky. 'This tool can disable kernel-level hooks from a hardcoded list of 28 security vendors,' noted a cybersecurity expert [2]. The attackers typically operate during off-peak hours to minimize detection, utilizing legitimate tools such as PSExec for lateral movement and AnyDesk for remote access, while also employing keyloggers for credential harvesting [1].

Crypto24's activity was first tracked in September 2024, although the group did not draw notable attention until recently. The sophistication of its methods suggests it may be composed of former members of now-defunct ransomware operations. After gaining initial access to target systems, the attackers activate default administrative accounts or create new local accounts for persistent access [3]. They perform reconnaissance using custom batch files to enumerate accounts and system hardware, then create malicious Windows services for ongoing access. The first service, WinMainSvc, functions as a keylogger, while the second, MSRuntime, serves as a ransomware loader [3].
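A defender's check for the service-based persistence described above, written as an added example for this page (it is not Trend Micro's or ThreatCluster's code): it scans constructed service-install records (Windows System log Event ID 7045, "a service was installed") for the two reported service names, for PsExec's PSEXESVC helper service, and for service binaries launched from user-writable paths. The record format is invented for the example, and the user-writable-path heuristic is an assumption to tune per environment.

```python
import re
from dataclasses import dataclass

# Service names reported for Crypto24 in the cluster text, lower-cased for matching.
CRYPTO24_SERVICES = {"winmainsvc", "msruntime"}
# PsExec installs this helper service on the remote host (well-known service name).
REMOTE_EXEC_SERVICES = {"psexesvc"}
# Heuristic (assumption for this example): legitimate services rarely run from these paths.
USER_WRITABLE_PATH = re.compile(r"\\(users\\[^\\]+\\|programdata\\|windows\\temp\\|temp\\)", re.I)

@dataclass
class Finding:
    host: str
    service: str
    image: str
    reason: str

def parse_record(line):
    """Record format constructed for this example: 'Key=Value' fields separated by '|'."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def evaluate(records):
    """Return a Finding for every Event ID 7045 (service installed) record that looks suspicious."""
    findings = []
    for line in records:
        r = parse_record(line)
        if r.get("EventID") != "7045":
            continue  # only service-install events are relevant here
        name, image = r.get("ServiceName", ""), r.get("ImagePath", "")
        if name.lower() in CRYPTO24_SERVICES:
            findings.append(Finding(r["Host"], name, image, "service name matches Crypto24 persistence service"))
        elif name.lower() in REMOTE_EXEC_SERVICES:
            findings.append(Finding(r["Host"], name, image, "remote-execution helper service (PsExec) installed"))
        elif USER_WRITABLE_PATH.search(image):
            findings.append(Finding(r["Host"], name, image, "service binary in user-writable path"))
    return findings

SAMPLE_LOG = [  # constructed sample records, not real telemetry
    "Host=FS01|EventID=7045|ServiceName=WinMainSvc|ImagePath=C:\\ProgramData\\WinMainSvc.exe|StartType=auto start",
    "Host=FS01|EventID=7045|ServiceName=MSRuntime|ImagePath=C:\\Windows\\Temp\\msruntime.exe|StartType=auto start",
    "Host=WS22|EventID=7045|ServiceName=PSEXESVC|ImagePath=%SystemRoot%\\PSEXESVC.exe|StartType=demand start",
    "Host=WS22|EventID=7045|ServiceName=Spooler|ImagePath=C:\\Windows\\System32\\spoolsv.exe|StartType=auto start",
    "Host=WS22|EventID=7036|ServiceName=Spooler|ImagePath=|StartType=",
    "Host=DB03|EventID=7045|ServiceName=UpdaterSvc|ImagePath=C:\\Users\\svc_backup\\AppData\\updater.exe|StartType=auto start",
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOG):
        print(f"{f.host}: {f.service} ({f.image}) -> {f.reason}")
```

A PSEXESVC hit is only suspicious where PsExec is not part of sanctioned administration, so that rule is best scoped to hosts or time windows where it is not expected.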

The security community is responding to the rising threat of Crypto24 by reinforcing endpoint protection measures and enhancing monitoring protocols. 'Ransomware crews have increasingly disregarded endpoint security, having developed sophisticated tools that render traditional defenses ineffective,' remarked an industry analyst [2]. Security vendors are urged to update their systems and incorporate behavioral detection capabilities to identify and mitigate such advanced threats. As part of their response, organizations are advised to conduct regular security audits and implement strict access controls to minimize the risk of unauthorized access.

Organizations are advised to apply patches and updates promptly to all security solutions so that they are equipped to defend against evolving ransomware threats. Specific guidance includes deploying the latest versions of security software that address known vulnerabilities, as well as improving employee training on recognizing phishing attempts and suspicious activity. 'Immediate action is crucial to protect against these emerging threats,' stated a cybersecurity official [3].

Tactics, Techniques & Procedures (TTPs)

T1566 Spearphishing Link - Attackers employ phishing campaigns to gain initial access to target networks [2].
T1190 Exploit Public-Facing Application - Attackers exploit vulnerabilities in public-facing applications to gain entry [1].
T1059.007 JavaScript/JScript - Ransomware uses scripts to automate tasks such as credential harvesting and lateral movement [1].
T1557 Adversary-in-the-Middle - Attackers utilize tools to intercept credentials during communication processes [2].
T1053 Scheduled Task/Job - Persistence is established through the creation of scheduled tasks that execute malicious scripts [3].
T1105 Ingress Tool Transfer - Post-compromise, attackers download additional tools to assist in their operations [3].
T1003 OS Credential Dumping - Attackers deploy tools to scrape credentials from memory, allowing them to escalate privileges [3].

Timeline of Events

2024-09: Initial reports of Crypto24's activities emerge in cybersecurity forums [3].
2025-04: Crypto24 begins executing ransomware attacks against organizations in the US, Europe, and Asia [2].
2025-08-14: Trend Micro publishes detailed analysis of Crypto24's tactics and tools [1][4].
2025-08-14: The Register highlights the use of RealBlindingEDR by Crypto24 to bypass EDR systems [2].
2025-08-14: BleepingComputer confirms the focus on high-value targets across several sectors [3].

Powered by ThreatCluster AI. Generated 1 hour ago. AI analysis may contain inaccuracies.

Related Articles

4 articles

1. Ransomware Actors Combine Legitimate Tools with Custom Malware to Evade Detection (GB Hackers, 7 hours ago; score 78, 100.0% similarity)

Operators behind the Crypto24 strain are employing highly coordinated, multi-stage attacks that blend legitimate system tools with bespoke malware to infiltrate networks, maintain persistence, and evade endpoint detection and response (EDR) systems. According to detailed analysis from Trend Micro researchers, these adversaries target high-profile organizations across Asia, Europe, and the United States, with a part

2. Ransomware crews don't care about your endpoint security – they've already killed it (The Register Security, 5 hours ago; score 77, 100.0% similarity)

Some custom malware, some legit software tools. At least a dozen ransomware gangs have incorporated kernel-level EDR killers into their malware arsenal, allowing them to bypass almost every major endpoint security tool on the market, escalate privileges, and ultimately steal and encrypt data before extorting victims into paying a ransom. One of the most recent examples includes the operators of Crypto24, a

3. Crypto24 ransomware hits large orgs with custom EDR evasion tool (BleepingComputer, 9 hours ago; score 71, 95.0% similarity)

Bill Toulas, August 14, 2025, 01:53 PM. The Crypto24 ransomware group has been using custom utilities to evade security solutions on breached networks, exfiltrate data, and encrypt files. The threat group's earliest activity was reported on BleepingComputer forums in September 2024, though it never reached notable levels of notoriety. According to Trend Micro researchers tracking Crypto24's operations, the hackers have hit several la

4. Crypto24 Ransomware Group Blends Legitimate Tools with Custom Malware for Stealth Attacks (Trend Micro, 1 day ago; score 63, 95.0% similarity)

Crypto24 is a ransomware group that stealthily blends legitimate tools with custom malware, using advanced evasion techniques to bypass security and EDR technologies.


Cluster Intelligence

Key entities and indicators for this cluster

MITRE ATT&CK: T1569.002, T1071.001, T1543.003, T1059.001, T1566
ATTACK TYPES: Credential Harvesting, Phishing, Data Exfiltration
INDUSTRIES: Technology, Finance, Financial Services, Manufacturing, Entertainment
COUNTRIES: Europe, Asia, United States
PLATFORMS: Windows
SECURITY VENDORS: Trend Micro
CLUSTER INFORMATION: Cluster #1948, created 7 hours ago, semantic algorithm
