"keylogger was configured to capture sensitive data, including credentials, and ensured persistence by creating a scheduled task. Table 6. Processes and corresponding command lines for the collection and credential access stages. Keylogger details: winmainsvc.dll winmainsvc.dll …"

T1486 Data Encrypted for Impact (99%)
"C:\Program Files\WindowsApps\ - C:\ProgramData - C:\ProgramData\AhnLab - C:\ProgramData\Dropbox\ - C:\ProgramData\ESTsoft - C:\ProgramData\Microsoft OneDrive\ - C:\ProgramData\VMware - C:\Users - C:\Users\.n - C:\Users\All Users - …"

T1486 Data Encrypted for Impact (98%)
"…ware deploys a ransom note named decryption.txt that implements a double extortion strategy — combining data encryption with threats of public data exposure to maximize pressure for ransom payment. The ransomware implements comprehensive anti-forensic measures, including sel…"

T1486 Data Encrypted for Impact (96%)
"controls, including EDR solutions, and employing purpose-built tools to bypass defenses. The attackers demonstrate a clear understanding of enterprise defense stacks and an ability to circumvent them. Crypto24 serves as a warning that modern ransomware groups are highly adaptiv…"

T1486 Data Encrypted for Impact (95%)
"management, consistent with the principle of least privilege, remain protected from such attacks. Significance: The Crypto24 campaign represents a dangerous evolution in ransomware operations. Unlike more conventional groups, the threat actor demonstrates a high level of operation…"

T1021.001 Remote Desktop Protocol (95%)
"…cing unauthorized access by enabling RDP connections once again. This use of native Windows utilities demonstrates efforts to evade detection and maintain persistence. Table 7. Enabling RDP and configuring the system's firewall to facilitate unrestricted remote access to furt…"

T1486 Data Encrypted for Impact (88%)
"and immediately terminated the ransomware's behavior. After several hours, the threat actor deployed an uninstaller for EDR solutions via Group Policy Object (GPO), followed by a subsequent successful execution of the ransomware payload. Evidence of this was seen in the creat…"

T1047 Windows Management Instrumentation (86%)
"system via the wmic command as part of their reconnaissance efforts. The collected information included disk partition names, sizes, and types to understand storage configuration; total physical memory and system caption to assess hardware capabilities; local user accounts to m…"

T1219 Remote Access Tools (86%)
"the threat actor persistently created administrative accounts, initiated Remote Desktop Protocol (RDP) sessions, and used the previously mentioned tools to maintain access. The attackers escalated their activities by deploying a tool resembling RealBlindingEDR, a utility specif…"

T1486 Data Encrypted for Impact (85%)
"to offer insights into its operator's ongoing attack campaigns. Our analysis reveals that the threat actor operates with a high level of coordination, frequently launching attacks during off-peak hours to evade detection and maximize impact. Crypto24 has been targeting high-…"

T1486 Data Encrypted for Impact (84%)
"block the attack, endpoints with weaker security configurations or disabled protections could remain susceptible. In such cases, an attacker could gain access and perform actions such as uninstalling security solutions via administrative scripts and remote desktop with elevated p…"

T1219 Remote Access Tools (78%)
"…cing unauthorized access by enabling RDP connections once again. This use of native Windows utilities demonstrates efforts to evade detection and maintain persistence. Table 7. Enabling RDP and configuring the system's firewall to facilitate unrestricted remote access to furt…"

T1078.003 Local Accounts (77%)
"being another regular ransomware campaign — Crypto24 attacks demonstrate that threat actors have studied our security stacks, identified systematic weaknesses, and built purpose-designed tools to exploit them. Organizations using similar defenses should consider themselves at i…"

T1080 Taint Shared Content (77%)
"to offer insights into its operator's ongoing attack campaigns. Our analysis reveals that the threat actor operates with a high level of coordination, frequently launching attacks during off-peak hours to evade detection and maximize impact. Crypto24 has been targeting high-…"

T1548.002 Bypass User Account Control (77%)
"…fc7f9-9a51-4367-9063-a120244fbec7}) to bypass User Account Control (UAC) restrictions. This technique, previously observed in sophisticated ransomware families including BlackCat and LockBit, enables execution with elevated privileges without triggering UAC prompts.…"

T1486 Data Encrypted for Impact (63%)
"Crypto24 Ransomware Group Blends Legitimate Tools with Custom Malware for Stealth Attacks. Key takeaways: - The operators of the Crypto24 ransomware conduct coordinated, multi-stage attacks using both legitimate tools and custom malware to gain access, move laterally, and evade d…"

T1021.001 Remote Desktop Protocol (53%)
"…o24. - Regularly audit and limit the creation and use of privileged accounts; disable unused default administrative accounts. - Limit RDP and remote tool usage (e.g., PsExec, AnyDesk) to authorized systems; enable MFA and routinely review firewall configurations. - Detect …"

T1080 Taint Shared Content (48%)
"controls, including EDR solutions, and employing purpose-built tools to bypass defenses. The attackers demonstrate a clear understanding of enterprise defense stacks and an ability to circumvent them. Crypto24 serves as a warning that modern ransomware groups are highly adaptiv…"

T1486 Data Encrypted for Impact (43%)
"…ler from a network share. We observed cases where attackers executed the Trend Vision One uninstaller, XBCUninstaller.exe, via gpscript.exe. The file in question is a legitimate tool provided by Trend Micro for troubleshooting, specifically to resolve issues such as fixing in…"

T1543.003 Windows Service (42%)
"…fc7f9-9a51-4367-9063-a120244fbec7}) to bypass User Account Control (UAC) restrictions. This technique, previously observed in sophisticated ransomware families including BlackCat and LockBit, enables execution with elevated privileges without triggering UAC prompts.…"

T1569.002 Service Execution (42%)
"…fc7f9-9a51-4367-9063-a120244fbec7}) to bypass User Account Control (UAC) restrictions. This technique, previously observed in sophisticated ransomware families including BlackCat and LockBit, enables execution with elevated privileges without triggering UAC prompts.…"

T1080 Taint Shared Content (33%)
"Crypto24 Ransomware Group Blends Legitimate Tools with Custom Malware for Stealth Attacks. Key takeaways: - The operators of the Crypto24 ransomware conduct coordinated, multi-stage attacks using both legitimate tools and custom malware to gain access, move laterally, and evade d…"

T1021.001 Remote Desktop Protocol (33%)
"the threat actor persistently created administrative accounts, initiated Remote Desktop Protocol (RDP) sessions, and used the previously mentioned tools to maintain access. The attackers escalated their activities by deploying a tool resembling RealBlindingEDR, a utility specif…"

T1585 Establish Accounts (31%)
"Crypto24 Ransomware Group Blends Legitimate Tools with Custom Malware for Stealth Attacks. Key takeaways: - The operators of the Crypto24 ransomware conduct coordinated, multi-stage attacks using both legitimate tools and custom malware to gain access, move laterally, and evade d…"

T1078 Valid Accounts (31%)
"…o24. - Regularly audit and limit the creation and use of privileged accounts; disable unused default administrative accounts. - Limit RDP and remote tool usage (e.g., PsExec, AnyDesk) to authorized systems; enable MFA and routinely review firewall configurations. - Detect …"

T1564.006 Run Virtual Instance (31%)
"C:\Program Files\WindowsApps\ - C:\ProgramData - C:\ProgramData\AhnLab - C:\ProgramData\Dropbox\ - C:\ProgramData\ESTsoft - C:\ProgramData\Microsoft OneDrive\ - C:\ProgramData\VMware - C:\Users - C:\Users\.n - C:\Users\All Users - …"

T1569.002 Service Execution (31%)
"and control Windows services, to establish new services for the deployment of a keylogger and the Crypto24 ransomware: - Keylogger: sc create winmainsvc type= share start= auto binpath= "C:\Windows\System32\scvhost.exe -k winmainsvc" - Ransomware: sc create msrun…"

Summary
Crypto24 is a ransomware group that stealthily blends legitimate tools with custom malware, using advanced evasion techniques to bypass security and EDR technologies.