The Crypto24 ransomware group employs sophisticated utilities and tactics to evade detection, exfiltrate data, and encrypt files across diverse sectors. The group's operations include privilege escalation, disabling security tools, and using cloud services for data exfiltration. #Crypto24 #TrendMicro #Ransomware #DataExfiltration
Key points
- Crypto24 uses custom utilities to bypass security defenses and encrypt data.
- The group targets high-value organizations in finance, manufacturing, entertainment, and tech sectors.
- Post-compromise activities include creating malicious services and using custom tools for persistence and privilege escalation.
- They disable security solutions like Kaspersky, Sophos, and McAfee using a custom version of RealBlindingEDR.
- The attackers exfiltrate stolen data to Google Drive and delete volume shadow copies to hinder recovery.
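The three post-compromise behaviours listed above (service creation for persistence, volume shadow copy deletion, and exfiltration to Google Drive) are each visible in ordinary Windows telemetry. The following triage routine is an added illustration, not code from the Trend Micro report; the event records, field names and paths are constructed for the example.

```python
import re

# Constructed sample records (not from the report): simplified Windows event
# log entries. 7045 = service installed, 4688 = process creation,
# 3 = Sysmon network connection.
SAMPLE_EVENTS = [
    {"id": 7045, "service": "WinUpdateSvc", "image": r"C:\Users\Public\svc.exe"},
    {"id": 4688, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 4688, "cmdline": "wmic shadowcopy delete"},
    {"id": 3, "image": r"C:\Windows\Temp\sync.exe", "dest": "www.googleapis.com", "port": 443},
    {"id": 3, "image": r"C:\Program Files\Google\Chrome\chrome.exe", "dest": "drive.google.com", "port": 443},
    {"id": 4688, "cmdline": "notepad.exe notes.txt"},
]

# Command lines that remove volume shadow copies (recovery inhibition).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
# Service binaries installed from user-writable locations are a persistence signal.
USER_WRITABLE = re.compile(r"^C:\\(Users|Windows\\Temp|ProgramData)\\", re.I)
# Browsers legitimately talk to Google Drive; other images reaching it are worth a look.
BROWSER = re.compile(r"\\(chrome|msedge|firefox)\.exe$", re.I)
DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com"}


def triage(events):
    """Return (finding_type, evidence) tuples for events matching the TTPs."""
    findings = []
    for ev in events:
        eid = ev.get("id")
        if eid == 7045 and USER_WRITABLE.match(ev.get("image", "")):
            findings.append(("service_persistence", ev["image"]))
        elif eid == 4688 and SHADOW_DELETE.search(ev.get("cmdline", "")):
            findings.append(("shadow_copy_deletion", ev["cmdline"]))
        elif (eid == 3 and ev.get("dest", "").lower() in DRIVE_HOSTS
              and not BROWSER.search(ev.get("image", ""))):
            findings.append(("cloud_exfil_candidate", ev["image"]))
    return findings


if __name__ == "__main__":
    for kind, evidence in triage(SAMPLE_EVENTS):
        print(f"{kind}: {evidence}")
```

Shadow copy deletion is also performed by some backup products, so the second finding should be correlated with the service and network findings rather than alerted on alone.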