
Crypto24 Ransomware Group

1. Overview

Crypto24 is an emerging ransomware group first identified in early 2024, known for its data theft and encryption-based extortion campaigns. Operating with a quiet but deliberate methodology, Crypto24 favours low-volume, high-impact attacks, typically against small to mid-sized enterprises with moderate cybersecurity maturity and valuable operational data.

Despite its name, Crypto24 is not affiliated with cryptocurrency investment fraud, though its branding and infrastructure suggest an attempt to capitalise on the perceived legitimacy of digital finance platforms. The group operates under a double extortion model, encrypting data while threatening to leak stolen files if ransom demands are not met.

Crypto24’s victims span multiple sectors, including retail, logistics, legal, and financial services, with several cases observed in Europe and the United Kingdom.


2. Origin and Evolution

Crypto24 was first observed in the wild in January 2024, following an attack on a small logistics firm in Southern Europe. While initial payloads were rudimentary, the group has since matured quickly, adopting custom-built ransomware, bespoke TOR-based negotiation portals, and enhanced anti-forensic routines.

Its campaigns suggest a focus on English- and German-speaking targets, with TOR and clearnet infrastructure presented in both languages. The group has been observed refining its delivery methods, most recently incorporating phishing lures disguised as invoice payment reminders, targeting financial departments.


3. Tactics, Techniques, and Procedures (TTPs)

Crypto24 typically follows a familiar but carefully staged intrusion chain:

  • Initial Access:
    Delivered through phishing emails (T1566.001) containing malicious Office macros or PDF attachments, and occasionally via exposed remote access portals (T1133) lacking MFA.
  • Lateral Movement:
    The group uses RDP, PsExec, and manually scripted batch files to traverse internal networks (T1021). Privilege escalation is often achieved using stolen credentials harvested with Mimikatz or from browser memory.
  • Data Exfiltration:
    Rclone and WinSCP are the tools of choice for exfiltrating sensitive data, often staged in password-protected ZIP archives (T1041).
  • Encryption:
    The ransomware encrypts user and shared directories, appending the .crypto24 extension. Ransom notes include instructions to access a negotiation portal over TOR and often reference GDPR or reputational consequences.
  • Persistence & Evasion:
    The group uses registry changes (T1112), disables recovery features via vssadmin, and deploys LOLBins to avoid detection.

4. Targeting Profile

Crypto24 targets organisations that are data-reliant but often under-resourced in cyber defence, including:

  • Retail and e-commerce platforms
  • Logistics and supply chain management firms
  • Legal services and accountancy practices
  • Mid-sized financial consultancies

UK-based organisations are among the group’s preferred targets, particularly those handling client-sensitive data or business-critical IP, and lacking fully segmented networks or offsite backups.


5. Notable Campaigns and Victims

Crypto24 is still building its victim portfolio, but publicly disclosed or leaked cases include:

  • A German-based architectural firm, where AutoCAD files and client contracts were exfiltrated and held for ransom.
  • A UK retail franchise group, affected by payment system encryption and exfiltration of customer order data.
  • An Italian legal firm, with confidential case files posted as proof-of-compromise.

The group often issues proof-of-hack documents early in the extortion process, including screenshots of file trees, employee credentials, and internal correspondence.


6. Ransomware and Leak Site Behaviour

Crypto24 does not currently operate a public leak site. Instead, it relies on:

  1. Direct email or portal-based communication with the victim
  2. Password-protected “proof packs” shared via anonymous file hosts
  3. Threats to publish stolen data on forums or sell it to competitors or cybercriminal marketplaces

This more discreet extortion approach is consistent with its low-profile strategy, but should not be mistaken for leniency—the group enforces deadlines and escalates quickly.


7. Technical Indicators

Common technical indicators linked to Crypto24 operations include:

  • File extension: .crypto24
  • Ransom notes named README_CRYPTO24.txt or HOW_TO_RECOVER_FILES.txt
  • Use of rclone.exe, winscp.exe, and custom PowerShell scripts
  • Connections to TOR-based negotiation portals and temporary domains hosted in Eastern Europe
  • Registry edits disabling Event Logging and Volume Shadow Copies

Full IOC packs, Sigma rules, and YARA signatures are available through UK Cyber Defence Ltd’s Threat Intelligence programme.
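As an added, constructed example (not part of this profile and not UK Cyber Defence Ltd's own tooling), the script below turns the indicators listed above into two simple checks: a filesystem sweep for the .crypto24 extension and the two ransom-note names, and a triage pass over process-creation records looking for the exfiltration tooling and the vssadmin shadow-copy deletion noted in the TTPs. The pipe-separated log format and the sample records are assumptions made for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the profile above.
RANSOM_EXT = ".crypto24"
NOTE_NAMES = {"README_CRYPTO24.txt", "HOW_TO_RECOVER_FILES.txt"}

# Process-level patterns: exfiltration tooling and shadow-copy removal via vssadmin.
PROCESS_RULES = {
    "exfil_tool": re.compile(r"\b(rclone|winscp)\.exe\b", re.I),
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
}

# Constructed sample records in an assumed 'timestamp|image path|command line' format.
SAMPLE_LOG = [
    "2025-05-01T09:14:02Z|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet",
    "2025-05-01T09:16:40Z|C:\\Users\\Public\\rclone.exe|rclone.exe copy D:\\Shares remote:staging",
    "2025-05-01T09:17:05Z|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\jo\\notes.txt",
]


def scan_tree(root):
    """Return (encrypted_files, ransom_notes) found under root, both sorted."""
    encrypted, notes = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() == RANSOM_EXT:
            encrypted.append(str(path))
        elif path.name in NOTE_NAMES:
            notes.append(str(path))
    return sorted(encrypted), sorted(notes)


def triage_process_log(lines):
    """Return [(timestamp, rule_name)] for every record matching a PROCESS_RULES entry."""
    hits = []
    for line in lines:
        ts, _image, cmdline = line.strip().split("|", 2)
        for rule, pattern in PROCESS_RULES.items():
            if pattern.search(cmdline):
                hits.append((ts, rule))
    return hits


def demo():
    """Build a constructed directory tree and run both checks against it and SAMPLE_LOG."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp, "docs")
        docs.mkdir()
        (docs / "contract.pdf.crypto24").write_bytes(b"\x00")   # constructed encrypted file
        (docs / "README_CRYPTO24.txt").write_text("constructed ransom note")
        (docs / "clean.docx").write_bytes(b"\x00")              # untouched file, must not match
        encrypted, notes = scan_tree(tmp)
        return len(encrypted), len(notes), triage_process_log(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())
```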


8. Defensive Measures and Recommendations

To mitigate the threat of Crypto24:

  • Deploy email filtering and sandboxing to detect weaponised attachments
  • Enforce MFA for all remote access and admin services
  • Monitor for use of compression tools, RDP connections, and unexpected lateral movement
  • Maintain offline and immutable backups, tested regularly
  • Conduct role-specific cyber awareness training, particularly for finance staff
  • Develop an incident response playbook that includes ransomware and data breach handling

9. Attribution and Alliances

Crypto24 has not been linked to any known ransomware-as-a-service cartel. It appears to operate as a standalone group, possibly with ties to financially motivated Eastern European actors. Its infrastructure, payment design, and operational cadence suggest a self-contained operation focused on financial gain rather than disruption or ideology.

There is currently no known state affiliation, though language artefacts suggest multilingual operators with access to English- and German-speaking resources.


10. Conclusion

Crypto24 may be a newer player, but its focused, strategic intrusions and quick evolution make it a serious threat to underprepared organisations. Its hybrid extortion model, combined with low visibility and professional negotiation portals, enables it to operate below the radar of many traditional defences. UK-based SMEs and data-heavy firms should view Crypto24 as a credible adversary and review their exposure to ransomware risk accordingly.


Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025
