Crypto24 ransomware hits large orgs with custom EDR evasion tool

What’s new: The Crypto24 ransomware group has developed custom tools to evade endpoint detection and response (EDR) solutions, targeting large organizations across the finance, manufacturing, entertainment, and tech sectors. Their tactics include activating default administrative accounts, creating malicious services for persistence, and using a modified version of the open-source tool RealBlindingEDR to disable security agents from multiple vendors. The group exfiltrates data to Google Drive and executes ransomware after deleting volume shadow copies to hinder recovery.

Who’s affected

Large organizations in the United States, Europe, and Asia, particularly in high-value sectors such as finance, manufacturing, entertainment, and technology, are being targeted by the Crypto24 ransomware group.

What to do

  • Review and enhance endpoint security measures to detect and block the custom EDR evasion techniques used by Crypto24.
  • Monitor for unusual account activity, especially the activation of default administrative accounts or creation of new local user accounts.
  • Implement strict access controls and regularly update security software to mitigate vulnerabilities.
  • Utilize the provided indicators of compromise (IOCs) to identify and respond to potential Crypto24 ransomware attacks.
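The monitoring advice above can be turned into a small detection pass over Windows event records. This is an added example, not code from the original brief or from any vendor report: it flags the four Crypto24 behaviours the brief describes (default administrative account enabled, new local account created, service installed for persistence, shadow copies deleted) using the standard Windows event IDs 4722, 4720, 7045 and 4688. The event records are constructed, and the shadow-copy deletion command patterns (vssadmin/wmic) are an assumption, since the brief does not name the tool used.

```python
# Added example: flag Crypto24-style tactics in Windows event records.
# Event IDs are the standard Windows ones; the sample records are constructed.
import re

# Constructed sample events (one dict per record; field names follow the
# Windows event XML data names).
SAMPLE_EVENTS = [
    {"log": "Security", "id": 4722, "TargetSid": "S-1-5-21-1111-2222-3333-500",
     "TargetUserName": "Administrator", "SubjectUserName": "svc_backup"},
    {"log": "Security", "id": 4720, "TargetUserName": "support1",
     "SubjectUserName": "Administrator"},
    {"log": "System", "id": 7045, "ServiceName": "WinMainSvc",
     "ImagePath": r"C:\ProgramData\WinMainSvc.exe"},
    {"log": "Security", "id": 4688, "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"log": "Security", "id": 4624, "TargetUserName": "alice"},
]

# Assumed command patterns for shadow-copy deletion (the brief does not name the tool).
SHADOW_DELETE = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)

def classify(ev):
    """Return an alert label for one event, or None if it is not of interest."""
    eid = ev.get("id")
    if eid == 4722 and ev.get("TargetSid", "").endswith("-500"):
        return "default-admin-enabled"      # built-in Administrator (RID 500) turned on
    if eid == 4720:
        return "new-local-account"          # account created on the host
    if ev.get("log") == "System" and eid == 7045:
        return "service-installed"          # persistence via a newly installed service
    if eid == 4688 and SHADOW_DELETE.search(ev.get("CommandLine", "")):
        return "shadow-copies-deleted"      # recovery hindered before encryption
    return None

def detect(events):
    """Return [(label, subject)] for every event matching a Crypto24-style tactic."""
    alerts = []
    for ev in events:
        label = classify(ev)
        if label:
            subject = ev.get("TargetUserName") or ev.get("ServiceName") or ev.get("NewProcessName")
            alerts.append((label, subject))
    return alerts

if __name__ == "__main__":
    for label, subject in detect(SAMPLE_EVENTS):
        print(f"{label}: {subject}")
```

Event 4688 carries a CommandLine field only when process command-line auditing is enabled, so that rule is silent on hosts without it.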

Sources