Blog

Crypto24 Ransomware Group – EDR Bypass

Crypto24 ransomware wreaks havoc on enterprise networks with stealth EDR evasion

Organizations across multiple sectors are grappling with attacks from the Crypto24 ransomware group, known for their sophisticated stealth techniques and EDR evasion. First observed in September 2024, Crypto24 has been leveraging legitimate Windows tools combined with custom malware to bypass security defenses and escalate privileges. Trend Micro and BleepingComputer confirm that large-scale campaigns have already targeted financial, healthcare, and logistics networks.

During initial compromises, attackers execute discovery commands to map system configurations and accounts:

cmd.exe /c ‘\Scan\1.bat’wmic partition get name,size,type  | wmic COMPUTERSYSTEM get TotalPhysicalMemory,caption 
cmd.exenet user | net localgroup

This allows them to enumerate users, groups, and hardware details before moving further.

Persistence

Persistence is established via scheduled tasks and malicious services:

  • Batch and scripts in %ProgramData%\Update\ (update.vbs, vm.bat) run at regular intervals
  • Services are created with sc.exe to deploy a keylogger (WinMainSvc) and the ransomware itself (MSRuntime) for long-term system control

Privilege escalation

Privilege escalation follows using runas.exe and PsExec, adding accounts to administrators and launching remote shells:

  • net.exe localgroup administrators username /add
  • runas.exe /user:administrator cmd
  • $mytemp$\low\psexec64.exe -u -p cmd

This ensures attackers can operate with high-level access across systems.

Defense Evasion: Impair Defenses – RealBlindingEDR

The attackers leverage RealBlindingEDR to disable security products and evade detection.

RealBlindingEDR targets and clears several kernel-level callbacks, including:

  • Callbacks registered via CmRegisterCallback(Ex)
  • MiniFilter driver callbacks
  • Callbacks registered via ObRegisterCallbacks()
  • Process creation and thread creation callbacks via PsSetCreateProcessNotifyRoutine(Ex) and PsSetCreateThreadNotifyRoutine(Ex)
  • Image load callbacks via PsSetLoadImageNotifyRoutine(Ex)

By removing these kernel callbacks, the tool enables three main effects against AV/EDR solutions:

  1. Blinding AV/EDR: It prevents monitoring of processes, threads, file operations, registry changes, and high-privilege handle acquisition, while allowing the AV/EDR process to continue running to avoid detection due to sudden disconnection.
  2. Permanent AV/EDR disablement: With registry and MiniFilter notifications removed, AV/EDR can be permanently disabled—even after a system reboot—by modifying the registry or deleting AV/EDR files.
  3. Termination of AV/EDR processes: Removal of object handle callbacks allows normal administrator accounts to terminate AV/EDR processes directly.

Lateral Movement

Lateral movement is achieved with PsExec and remote services, while credential theft is performed by the keylogger WinMainSvc.dll, deployed via run_new.bat. TightVNC installation ensures persistent remote access and continued data capture, including credentials and sensitive files.

Evolving Threats

This campaign highlights how modern ransomware combines traditional attack techniques with custom malware and EDR evasion, posing severe operational and reputational risks. Therefore, companies must continuously evolve and adapt their cybersecurity strategies to effectively counter these threats.

Where to focus for monitoring rules:

For effective monitoring, attention should be on anomalous remote connections, unusual process execution patterns, EDR bypass attempts, and new user account activity. Observing these indicators allows teams to detect attacks early, respond promptly, and minimize operational impact without requiring deep technical investigation for every alert.

Phishing-Driven Threats

This campaign demonstrates how highly dangerous ransomware often leverages phishing as its primary infection vector. The combination of sophisticated malware and EDR evasion significantly increases operational and reputational risks. Therefore, companies must ensure that all employees, regardless of their sector, are well-informed and aware of these threats, fostering a culture of caution and vigilance to prevent accidental infections.

  • 26 Views

you may also like

New MadeYouReset HTTP/2 Vulnerability

Cyberpunk-style illustration of a server being overwhelmed by neon-colored data streams from multiple sources, representing a DDoS attack. A glowing shield labeled "Cyberdefence" protects the server, with icons for finance, gaming, and healthcare industries in the background.

The Growing Threat of DDoS Attacks And How to Defend Against Them

A DDoS attack can bring your business to a standstill in minutes — costing you revenue, reputation, and customers. In this guide, we break down what DDoS attacks are, the damage they cause, common targets, and how to prepare a strong defense. Discover how Cyberdefence’s 24/7 monitoring, global mitigation network, and expert response team keep your business online and secure.
xample of similar-looking domain names showing how domain impersonation works

How to Stop Domain Impersonation Before It Hurts Your Business

Domain impersonation is one of the fastest-growing cyber threats targeting businesses today. Learn how attackers exploit look-alike domains, the impact these attacks can have on your brand and customers, and the most effective strategies to protect your business. Discover how Cyberdefence helps stop domain impersonation before it causes financial loss or damages your reputation
Illustration of whale phishing showing a large whale symbolizing executives targeted by cybercriminals in a phishing attack.

What Is Whale Phishing? Understanding Whaling Attacks

Whale phishing, or whaling, is a highly targeted cyberattack aimed at top executives like CEOs and CFOs. Unlike regular phishing, these attacks use personalized emails to steal sensitive data or authorize fraudulent transactions. Learn what makes whaling different, who is most at risk, and how to protect your business from devastating financial and reputational losses.
Security Posture

Building a Resilient Future: The Importance of a Strong Security Posture

A strong security posture is essential in today’s cyber threat landscape. Learn why it matters, how to strengthen and monitor it, and how Cyberdefence helps businesses stay resilient against evolving digital threats.
insider threat image

The Insider Threat: When Cybersecurity Risks Come From Within

Insider threats aren’t always obvious—and they’re often the most dangerous. From careless employees to malicious actors with privileged access, internal risks can cause serious damage to any organization. In this post, we explore the different types of insider threats, who’s most at risk, what access attackers are after, and real-world examples that show just how damaging these threats can be.

Stay Informed. Stay Secure.

Subscribe to our newsletter.
Linkedin-in
© 2025 CyberDefence