Another devious antivirus killer tool has been found – so make sure you’re protected

Security researchers have recently identified a new threat in the cybersecurity landscape, revealing that the Crypto24 ransomware group is employing sophisticated tactics to disable antivirus (AV) protections before launching their attacks. This group, which emerged in September 2024, appears to be composed of highly skilled individuals, likely former members of other now-defunct hacking collectives.

Crypto24

According to experts from Trend Micro, the group uses a custom variant of an open-source tool known as RealBlindingEDR. The tool is designed to neutralize AV defenses, and in some reported cases it goes further and uninstalls the antivirus product entirely. Once the hackers gain initial access and establish persistence on a target system, they typically deploy two types of malware: a keylogger and an encryptor. Data harvested during these attacks is exfiltrated to Google Drive using a purpose-built tool developed by the group.

While the exact identity and location of Crypto24 remain shrouded in mystery, the group has already made its mark by successfully targeting several large organizations across the United States, Europe, and Asia. Their focus appears to be on sectors such as finance, manufacturing, technology, and entertainment, indicating a strategic approach to selecting high-value targets.

To counteract the threats posed by groups like Crypto24, cybersecurity experts advocate for a layered defense strategy. Companies are encouraged to implement reputable antivirus solutions equipped with tamper protection, enable real-time monitoring and firewalls, and consider utilizing additional anti-malware tools that can complement existing AV systems. This multi-faceted approach is essential in mitigating the risks associated with increasingly sophisticated cyberattacks.
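The "real-time monitoring" recommendation above is only useful if something actually watches for the signals an AV-killer leaves behind: protection being switched off, the AV service stopping, or the product being uninstalled. The following is an added example, not code from the article or from Trend Micro, showing what such a detection rule can look like over Windows event log records. The event IDs are real ones (Microsoft Defender 5001/5010/5012 for protection disabled, Service Control Manager 7036 for a service entering the stopped state, MsiInstaller 1034 for a product removal); the log records, host names and the "Contoso Endpoint Protection" product name are constructed for the demonstration, and the vendor-name pattern used to recognise AV products is an assumption you would replace with your own product list.

```python
import re
from dataclasses import dataclass

# Constructed sample records, loosely shaped like Windows event log entries.
# Host ws-17 shows a tampering sequence; ws-22 shows benign noise.
SAMPLE_EVENTS = [
    {"host": "ws-17", "time": "2025-08-14T02:11:03Z",
     "provider": "Microsoft-Windows-Windows Defender", "event_id": 5001,
     "message": "Microsoft Defender Antivirus Real-time Protection scanning for malware "
                "and other potentially unwanted software was disabled."},
    {"host": "ws-17", "time": "2025-08-14T02:11:09Z",
     "provider": "Service Control Manager", "event_id": 7036,
     "message": "The Microsoft Defender Antivirus Service service entered the stopped state."},
    {"host": "ws-17", "time": "2025-08-14T02:12:40Z",
     "provider": "MsiInstaller", "event_id": 1034,
     "message": "Windows Installer removed the product. Product Name: Contoso Endpoint Protection. "
                "Product Version: 9.2.1."},
    {"host": "ws-22", "time": "2025-08-14T08:00:00Z",
     "provider": "Service Control Manager", "event_id": 7036,
     "message": "The Print Spooler service entered the stopped state."},
    {"host": "ws-22", "time": "2025-08-14T08:00:05Z",
     "provider": "Microsoft-Windows-Windows Defender", "event_id": 1116,
     "message": "Microsoft Defender Antivirus has detected malware or other potentially unwanted software."},
]

# Assumed vendor/product name pattern; replace with the products deployed in your estate.
AV_NAME_PATTERN = re.compile(r"defender|endpoint protection|antivirus|anti-malware|security agent", re.I)


@dataclass
class Finding:
    host: str
    time: str
    rule: str
    detail: str


def check_event(ev):
    """Return a Finding if the record looks like AV tampering, otherwise None."""
    provider, eid, msg = ev["provider"], ev["event_id"], ev["message"]

    # Defender reports protection being switched off under these event IDs.
    if provider == "Microsoft-Windows-Windows Defender" and eid in (5001, 5010, 5012):
        return Finding(ev["host"], ev["time"], "defender_protection_disabled", f"event {eid}")

    # SCM 7036: only flag when the stopped service name looks like an AV product.
    if provider == "Service Control Manager" and eid == 7036:
        m = re.search(r"^The (.+?) service entered the stopped state", msg)
        name = m.group(1) if m else ""
        if AV_NAME_PATTERN.search(name):
            return Finding(ev["host"], ev["time"], "av_service_stopped", name)

    # MsiInstaller 1034: an AV product being removed is the "uninstall" case.
    if provider == "MsiInstaller" and eid == 1034:
        m = re.search(r"Product Name: (.+?)\.", msg)
        name = m.group(1) if m else ""
        if AV_NAME_PATTERN.search(name):
            return Finding(ev["host"], ev["time"], "av_product_uninstalled", name)

    return None


def analyse(events):
    """Run the rules over all records; escalate hosts with two or more distinct signals."""
    findings = [f for f in map(check_event, events) if f is not None]
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, []).append(f)
    escalate = {h: fs for h, fs in per_host.items() if len({f.rule for f in fs}) >= 2}
    return findings, escalate


if __name__ == "__main__":
    found, hosts = analyse(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.time} {f.host} {f.rule}: {f.detail}")
    for h, fs in hosts.items():
        print(f"ESCALATE {h}: {len(fs)} tampering signals")
```

A single stopped service is routine on a busy fleet, so the escalation step keys on several distinct signals on the same host rather than on any one of them; in production you would additionally bound the window in time and feed the escalation to the same alert path as a malware detection, since by the time the uninstall event fires the AV can no longer raise the alarm itself.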
