Skip to content
Ransomware group

Crypto24

Crypto24 is a ransomware operation described as emerging in late 2023 and active against large organizations in the United States, Europe, and Asia.

Profile source: Mallory opens in a new tab

Crypto24

Family profile

Crypto24 is a ransomware operation described as emerging in late 2023 and active against large organizations in the United States, Europe, and Asia. Reporting cited in the content says it has been deployed against nearly two dozen companies since April and has targeted sectors including financial services, manufacturing, entertainment, and technology. It is associated with double extortion: operators are reported to steal data and encrypt systems, and the group claimed responsibility for the Artemis Healthcare incident, alleging exfiltration of 1 TB of data and subsequently leaking the stolen data.

The intrusion tradecraft described for Crypto24 combines living-off-the-land techniques with custom malware and emphasizes stealth, including operating during off-peak hours. Reported reconnaissance includes WMIC for disk, memory, and OS enumeration, and net user / net localgroup for account and group discovery. Persistence and privilege maintenance reportedly include scheduled tasks executing %ProgramData%\Update\update.vbs and %ProgramData%\Update\vm.bat, malicious services created via sc.exe masquerading under svchost.exe, reactivation of dormant default administrator accounts, creation of generic-named accounts with net.exe, addition of accounts to local Administrators and Remote Desktop Users groups, use of runas.exe, and UAC bypass via the CMSTPLUA COM interface {3E5FC7F9-9A51-4367-9063-A120244FBEC7}. Lateral movement and remote access reportedly include PsExec/psexec64.exe, enabling RDP by setting HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections to 0, adding a firewall rule for inbound TCP/3389 with netsh advfirewall, and network discovery with Advanced IP Scanner 3.9.1.

A notable defense-evasion capability is Crypto24’s reported use of a customized version of the open-source RealBlindingEDR tool. Trend Micro reported that this variant disables kernel-level hooks for a hardcoded list of 28 security vendors by reading driver metadata and disabling callbacks when a listed vendor is identified, rendering targeted EDR products ineffective. Vendors explicitly mentioned in the content include Sophos, Trend Micro, Kaspersky, Malwarebytes, Bitdefender, Broadcom/Symantec, SentinelOne, Cisco, Fortinet, Citrix, McAfee, and Gen Digital. The EDR-bypass tooling is also described as loading Microsoft security drivers including WdFilter.sys, MpKslDrv.sys, mpsdrv.sys, and WdNisDrv.sys based on a numeric argument. Associated file paths mentioned for this tooling include %USERPROFILE%\...\AppData\Local\Temp\Low\AVB.exe, %USERPROFILE%\...\AppData\Local\Temp\Low\AVMon.exe, and %PROGRAMDATA%\update\avb.exe. Trend Micro also observed abuse of gpscript.exe to remotely execute the Trend Vision One uninstaller after administrator privileges had already been obtained.

The content also describes a custom keylogger component persisted as a Windows service. A service named WinMainSvc is reported with a binPath referencing C:\Windows\System32\scvhost.exe -k WinMainSvc, and the keylogger DLL is identified as WinMainSvc.dll. Another service, MSRuntime, is described with binPath C:\Windows\System32\svchost.exe -k MSRuntime and display name "Microsoft Runtime Manager." The keylogger reportedly checks that it is running under C:\Windows\system32\svchost.exe and exfiltrates captured keystrokes via the WinINet API to Google Drive / Google Drive API endpoints including www.googleapis.com. More broadly, Crypto24 is reported to exfiltrate stolen data to Google Drive.

The ransomware payload itself is described as protected with VMProtect virtualization and using API hashing/obfuscation to resolve NTDLL functions at runtime. Reported behaviors include deleting Volume Shadow Copies with vssadmin delete shadows /all /quiet, writing logs to erls.txt, appending the .crypto24 extension to encrypted files, dropping a ransom note named Decryption.txt, and performing cleanup/self-deletion to reduce forensic artifacts.

High-confidence indicators and artifacts directly mentioned in the content include the .crypto24 file extension, the Decryption.txt ransom note, erls.txt log file, service names WinMainSvc and MSRuntime, PSEXESVC.exe, WinMainSvc.dll, the paths %ProgramData%\Update\update.vbs, %ProgramData%\Update\vm.bat, and %PROGRAMDATA%\update\avb.exe, and the analyzed sample SHA-256 hashes 3b0b4a11ad576588bae809ebb546b4d985ef9f37ed335ca5e2ba6b886d997bac, 686bb5ee371733ab7908c2f3ea1ee76791080f3a4e61afe8b97c2a57fbc2efac, and 24f7b66c88ba085d77c5bd386c0a0ac3b78793c0e47819a0576b60a67adc7b73.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Ip

1 total
  • 45.63.9.192:5050

Email

1 total
  • crypto24support@pm.me

Reporting

Research mentioning Crypto24

Dec 30
Hipaa Journal

Artemis Healthcare Falls Victim to Ransomware Attack

"The Crypto24 ransomware group took responsibility for the attack and claimed on its dark web data leak site to have exfiltrated 1 terabyte of data..."

Sep 29
Picus Security

Crypto24 Ransomware Uncovered: Stealth, Persistence, and Enterprise-Scale Impact

Emerging in late 2023, Crypto24 has grown into a sophisticated ransomware operation targeting large enterprises across Asia, Europe, and the U.S.

Aug 17
Securityaffairs

Security Affairs newsletter Round 537 by Pierluigi Paganini – INTERNATIONAL EDITION

Crypto24 Ransomware Group Blends Legitimate Tools with Custom Malware for Stealth Attacks

Aug 15
Vulnu

🎓️ Vulnerable U | #129 - Top Industry Cybersecurity News

"New ransomware crew called Crypto24 has been making moves against big orgs across the US, Europe, and Asia since September."

Aug 14
Register Security

Ransomware crews don't care about your EDR • The Register

"...the operators of Crypto24, a new-ish ransomware... one way they evade detection is by using a customized version of RealBlindingEDR..."

Aug 14
Register Security

Ransomware crews don't care about your endpoint security – they've already killed it

One of the most recent examples includes the operators of Crypto24, a new-ish ransomware that has been deployed against nearly two dozen companies in the US, Europe, and Asia since April... after gaining initial access to victim organizations, one way they evade detection is by using a customized version of RealBlindingEDR.

Aug 14
Dragos

OT Ransomware Trends: Q2 2025 Analysis & Insights | Dragos

“...Crypto24… Each recorded 4 incidents…”

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.