Crypto24 is a ransomware operation described as emerging in late 2023 and active against large organizations in the United States, Europe, and Asia. Reporting cited in the content says it has been deployed against nearly two dozen companies since April and has targeted sectors including financial services, manufacturing, entertainment, and technology. It is associated with double extortion: operators are reported to steal data and encrypt systems, and the group claimed responsibility for the Artemis Healthcare incident, alleging exfiltration of 1 TB of data and subsequently leaking the stolen data.
The intrusion tradecraft described for Crypto24 combines living-off-the-land techniques with custom malware and emphasizes stealth, including operating during off-peak hours. Reported reconnaissance includes WMIC for disk, memory, and OS enumeration, and net user / net localgroup for account and group discovery. Persistence and privilege maintenance reportedly include scheduled tasks executing %ProgramData%\Update\update.vbs and %ProgramData%\Update\vm.bat, malicious services created via sc.exe masquerading under svchost.exe, reactivation of dormant default administrator accounts, creation of generic-named accounts with net.exe, addition of accounts to local Administrators and Remote Desktop Users groups, use of runas.exe, and UAC bypass via the CMSTPLUA COM interface {3E5FC7F9-9A51-4367-9063-A120244FBEC7}. Lateral movement and remote access reportedly include PsExec/psexec64.exe, enabling RDP by setting HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections to 0, adding a firewall rule for inbound TCP/3389 with netsh advfirewall, and network discovery with Advanced IP Scanner 3.9.1.
A notable defense-evasion capability is Crypto24’s reported use of a customized version of the open-source RealBlindingEDR tool. Trend Micro reported that this variant disables kernel-level hooks for a hardcoded list of 28 security vendors by reading driver metadata and disabling callbacks when a listed vendor is identified, rendering targeted EDR products ineffective. Vendors explicitly mentioned in the content include Sophos, Trend Micro, Kaspersky, Malwarebytes, Bitdefender, Broadcom/Symantec, SentinelOne, Cisco, Fortinet, Citrix, McAfee, and Gen Digital. The EDR-bypass tooling is also described as loading Microsoft security drivers including WdFilter.sys, MpKslDrv.sys, mpsdrv.sys, and WdNisDrv.sys based on a numeric argument. Associated file paths mentioned for this tooling include %USERPROFILE%...\AppData\Local\Temp\Low\AVB.exe, %USERPROFILE%...\AppData\Local\Temp\Low\AVMon.exe, and %PROGRAMDATA%\update\avb.exe. Trend Micro also observed abuse of gpscript.exe to remotely execute the Trend Vision One uninstaller after administrator privileges had already been obtained.
The content also describes a custom keylogger component persisted as a Windows service. A service named WinMainSvc is reported with a binPath referencing C:\Windows\System32\scvhost.exe -k WinMainSvc, and the keylogger DLL is identified as WinMainSvc.dll. Another service, MSRuntime, is described with binPath C:\Windows\System32\svchost.exe -k MSRuntime and display name "Microsoft Runtime Manager." The keylogger reportedly checks that it is running under C:\Windows\system32\svchost.exe and exfiltrates captured keystrokes via the WinINet API to Google Drive / Google Drive API endpoints including www.googleapis.com. More broadly, Crypto24 is reported to exfiltrate stolen data to Google Drive.
The ransomware payload itself is described as protected with VMProtect virtualization and using API hashing/obfuscation to resolve NTDLL functions at runtime. Reported behaviors include deleting Volume Shadow Copies with vssadmin delete shadows /all /quiet, writing logs to erls.txt, appending the .crypto24 extension to encrypted files, dropping a ransom note named Decryption.txt, and performing cleanup/self-deletion to reduce forensic artifacts.
High-confidence indicators and artifacts directly mentioned in the content include the .crypto24 file extension, the Decryption.txt ransom note, erls.txt log file, service names WinMainSvc and MSRuntime, PSEXESVC.exe, WinMainSvc.dll, the paths %ProgramData%\Update\update.vbs, %ProgramData%\Update\vm.bat, and %PROGRAMDATA%\update\avb.exe, and the analyzed sample SHA-256 hashes 3b0b4a11ad576588bae809ebb546b4d985ef9f37ed335ca5e2ba6b886d997bac, 686bb5ee371733ab7908c2f3ea1ee76791080f3a4e61afe8b97c2a57fbc2efac, and 24f7b66c88ba085d77c5bd386c0a0ac3b78793c0e47819a0576b60a67adc7b73.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware operation that compromises victim networks, exfiltrates data for extortion, and leaks stolen data on a dark web data leak site when ransom is not paid.
Ransomware family/operation that performs double extortion (data theft + encryption), appends the .crypto24 extension, drops a ransom note (Decryption.txt), uses service-based persistence (MSRuntime via svchost.exe), employs VMProtect and API hashing for evasion/anti-analysis, attempts to disable defenses and delete shadow copies, and terminates sync/cloud processes to maximize encryption impact.
Ransomware group using a combination of legitimate tools and custom malware to conduct stealthy attacks.
Ransomware operation targeting large organizations; noted for using custom EDR evasion tooling, a custom keylogger, and data exfiltration tooling (including exfiltration to Google Drive).
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.