
Crypto24 ransomware hits large orgs with custom EDR evasion tool


The Crypto24 ransomware group has been using custom utilities to evade security solutions on breached networks, exfiltrate data, and encrypt files.

The group's earliest activity was reported on the BleepingComputer forums in September 2024, though it never gained much notoriety.

According to Trend Micro researchers tracking Crypto24's operations, the hackers have hit several large organizations in the United States, Europe, and Asia, focusing on high-value targets in the finance, manufacturing, entertainment, and tech sectors.

The researchers describe Crypto24 as experienced and technically proficient, and say this makes it likely that the group was formed by former core members of now-defunct ransomware operations.

Post-compromise activity

After gaining initial access, Crypto24 hackers activate default administrative accounts on Windows systems within enterprise environments or create new local user accounts for stealthy, persistent access.

Following a reconnaissance phase that uses a custom batch file and commands to enumerate user accounts, profile the system hardware, and map the disk layout, the attackers create malicious Windows services and scheduled tasks for persistence.

The first is WinMainSvc, a keylogger service, and the second is MSRuntime, a ransomware loader.
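The behaviour described above (re-enabled built-in accounts, new local users, new services and scheduled tasks) leaves a small set of host artefacts that a responder can sweep for. The following PowerShell hunt is an added example, not code from the article or from Trend Micro: the service and task names WinMainSvc and MSRuntime are the ones the article reports, while the 30-day window, the "Windows or Program Files" trusted-path allow-list, and the function name are assumptions made for the demonstration. It uses only standard Windows event IDs (4720/4722 account created/enabled, 4698 scheduled task created, System 7045 service installed).

```powershell
# Added hunting script (example; not from the article or Trend Micro).
# Indicator names WinMainSvc/MSRuntime are from the article; the lookback window,
# trusted-path regex and function name are assumptions for this demo.

function Invoke-Crypto24Hunt {
    [CmdletBinding()]
    param(
        [string[]]$SuspectNames = @('WinMainSvc', 'MSRuntime'),   # reported by Trend Micro
        [datetime]$Since = (Get-Date).AddDays(-30)                # assumption: 30-day hunt window
    )

    function Get-EventField($Event, $Name) {
        # Pull a named <Data Name="..."> field out of the event's XML payload
        $xml = [xml]$Event.ToXml()
        ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
    }

    # 1. Built-in Administrator (RID 500) and Guest (RID 501) are disabled by default;
    #    the article reports the actors re-enabling default admin accounts.
    Get-LocalUser | Where-Object { $_.Enabled -and $_.SID.Value -match '-(500|501)$' } |
        ForEach-Object {
            [pscustomobject]@{ Finding = 'Built-in account enabled'
                               Detail  = "$($_.Name) ($($_.SID.Value)), last logon $($_.LastLogon)" }
        }

    # 2. Local accounts created (4720) or enabled (4722) inside the hunt window.
    $acct = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4722; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $acct) {
        [pscustomobject]@{ Finding = "Security event $($e.Id)"
                           Detail  = "$(Get-EventField $e 'TargetUserName') by $(Get-EventField $e 'SubjectUserName') at $($e.TimeCreated)" }
    }

    # 3. Services and scheduled tasks carrying the reported names. Exact match only:
    #    operators can trivially rename these, so a miss means "not found", not "clean".
    Get-CimInstance Win32_Service | Where-Object { $SuspectNames -contains $_.Name } | ForEach-Object {
        [pscustomobject]@{ Finding = 'Suspect service name'
                           Detail  = "$($_.Name): $($_.PathName) [$($_.StartMode)/$($_.State)]" }
    }
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $SuspectNames -contains $_.TaskName } | ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        [pscustomobject]@{ Finding = 'Suspect scheduled task'
                           Detail  = "$($_.TaskPath)$($_.TaskName): $actions" }
    }

    # 4. Any service installed in the window (System 7045) whose binary lives outside the
    #    Windows or Program Files trees; this catches renamed loaders that step 3 misses.
    $trusted = '^"?(?:%SystemRoot%|%windir%|[A-Za-z]:\\(?:Windows|Program Files))'   # assumption
    $svc = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $svc) {
        $path = Get-EventField $e 'ImagePath'
        if ($path -notmatch $trusted) {
            [pscustomobject]@{ Finding = 'New service outside trusted paths'
                               Detail  = "$(Get-EventField $e 'ServiceName'): $path at $($e.TimeCreated)" }
        }
    }

    # 5. Scheduled tasks created in the window (Security 4698), regardless of name.
    $task = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $task) {
        [pscustomobject]@{ Finding = 'Scheduled task created'
                           Detail  = "$(Get-EventField $e 'TaskName') by $(Get-EventField $e 'SubjectUserName') at $($e.TimeCreated)" }
    }
}

Invoke-Crypto24Hunt | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session, since reading the Security log requires administrative rights. Events 4720/4722 and 4698 only appear if the "Audit User Account Management" and "Audit Other Object Access Events" subcategories are enabled in the audit policy; the 7045 and live-state checks (steps 1, 3 and 4) work regardless. Treat the name match in step 3 as a low-cost confirmation rather than a clearance: the path- and time-based checks in steps 2, 4 and 5 are what will surface a renamed service or task.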

Figure: Commands and processes used for escalating privileges (Source: Trend Micro)
