Ransomware Groups Exploiting Legitimate Tools with Malware to Evade Detection
A newly identified ransomware operation known as Crypto24 is raising alarms in the cybersecurity community. Unlike traditional groups, Crypto24 demonstrates advanced tactics by combining legitimate administrative tools with custom malware, enabling precise attacks against high-value organizations.
Global Targeting of Critical Sectors
The campaign has compromised organizations across Asia, Europe, and the United States, with a primary focus on financial services, manufacturing, entertainment, and technology companies.
Crypto24's operators also show a degree of operational maturity that is unusual for ransomware crews: intrusions are timed for off-peak hours, when fewer staff are watching consoles, which lowers the chance of detection while the attack is in progress and increases the damage done by the time anyone responds.
Arsenal of Legitimate and Malicious Tools
The group integrates widely used utilities with custom-developed malware, creating a dangerous blend of stealth and persistence. Their toolkit includes:
- PsExec for lateral movement
- AnyDesk for remote access persistence
- Keyloggers for credential harvesting
- Google Drive integration for covert data exfiltration
Adding to the threat, the attackers deploy a modified version of RealBlindingEDR, an open-source tool that blinds endpoint security products by removing the kernel callbacks (process, thread and image-load notifications, object callbacks, and minifilters) that they rely on for visibility. Analysts at Trend Micro single out this variant as particularly dangerous: like the original, it likely relies on a signed but vulnerable driver, possibly one not yet publicly known, to gain kernel-level access and switch off endpoint detection from below.
Intelligence-Driven Operations
What distinguishes Crypto24 from conventional ransomware is its strategic intelligence-driven approach. The group thoroughly studies enterprise security architectures, designing customized tools to exploit specific weaknesses. This evolution represents a shift from opportunistic ransomware campaigns to targeted operations marked by patience, planning, and adaptability.
Living Off The Land Tactics for Stealth
A key highlight of Crypto24’s tactics is its reliance on Living Off The Land (LotL) techniques. By leveraging built-in Windows tools, attackers maintain stealth while executing malicious objectives.
- gpscript.exe, the signed Windows binary that runs Group Policy scripts, is used to launch security-software uninstallers from network shares, removing endpoint protection before lateral movement begins.
- Administrative accounts are created with net.exe under generic, service-like names, giving the attackers privileged persistence that blends in with legitimate accounts during audits.
- Reconnaissance is carried out via batch scripts such as 1.bat, which gather host and account information with WMIC and net commands:
wmic partition get name,size,type
wmic COMPUTERSYSTEM get TotalPhysicalMemory,caption
net user
net localgroup
Credential Theft and Persistent Surveillance
Perhaps the most concerning element of Crypto24's campaign is its keylogger component (WinMainSvc.dll). Packaged as a service DLL and loaded by svchost.exe, it appears as just another hosted Windows service, and because it only executes inside that host, sandboxes that run the DLL on its own see nothing.
This component enables continuous credential theft, so the attackers keep valid credentials even after the initial foothold is discovered and cleaned up. The persistence mechanisms reflect a deep understanding of Windows internals and a strategy aimed at long-term access rather than a quick encryption run.
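As an added example (not code from Trend Micro's report or from the Crypto24 toolset), the Python script below runs the detections a defender would want for both the Living Off The Land behaviour listed above and the svchost-hosted keylogger: a binary on a UNC share spawned by gpscript.exe, a net.exe account creation followed by promotion to Administrators, a burst of WMIC and net reconnaissance commands from one host, and svchost.exe loading an unsigned DLL from outside System32. The events are constructed, simplified Sysmon-like records; the hostnames, paths, account name and field names are assumptions, not observed indicators.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in a simplified, Sysmon-like shape.
# "process" = process creation, "imageload" = DLL loaded into a process.
# Every record here is invented for this example; none is real Crypto24 telemetry.
SAMPLE_EVENTS = [
    # Uninstaller launched from a network share with gpscript.exe as parent
    {"ts": "2025-01-10T02:14:03", "host": "FS01", "type": "process",
     "image": r"\\FS02\Deploy\Uninstall.exe",
     "parent": r"C:\Windows\System32\gpscript.exe",
     "cmdline": r'"\\FS02\Deploy\Uninstall.exe" /quiet'},
    # Generic-looking account created and promoted with net.exe
    {"ts": "2025-01-10T02:15:10", "host": "FS01", "type": "process",
     "image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net user svc_backup Passw0rd! /add"},
    {"ts": "2025-01-10T02:15:12", "host": "FS01", "type": "process",
     "image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net localgroup administrators svc_backup /add"},
    # Recon burst from a batch script (the same commands the article lists)
    {"ts": "2025-01-10T02:16:00", "host": "FS01", "type": "process",
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic partition get name,size,type"},
    {"ts": "2025-01-10T02:16:01", "host": "FS01", "type": "process",
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic COMPUTERSYSTEM get TotalPhysicalMemory,caption"},
    {"ts": "2025-01-10T02:16:02", "host": "FS01", "type": "process",
     "image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net user"},
    {"ts": "2025-01-10T02:16:03", "host": "FS01", "type": "process",
     "image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net localgroup"},
    # svchost.exe loading an unsigned service DLL from outside System32
    {"ts": "2025-01-10T02:20:30", "host": "FS01", "type": "imageload",
     "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\ProgramData\WinMainSvc.dll", "signed": False},
    # Benign noise that must not fire
    {"ts": "2025-01-10T02:20:31", "host": "FS01", "type": "imageload",
     "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\wuaueng.dll", "signed": True},
    {"ts": "2025-01-10T09:30:00", "host": "WS07", "type": "process",
     "image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net user"},
]

# Bare enumeration commands only; "net user X /add" is handled separately below.
RECON_CMDS = [
    re.compile(r"^wmic\s+partition\s+get\b", re.I),
    re.compile(r"^wmic\s+computersystem\s+get\b", re.I),
    re.compile(r"^net1?(?:\.exe)?\s+(?:user|localgroup)\s*$", re.I),
]
USER_ADD = re.compile(r"^net1?(?:\.exe)?\s+user\s+(\S+)(?:\s+\S+)?\s+/add\b", re.I)
GROUP_ADD = re.compile(r"^net1?(?:\.exe)?\s+localgroup\s+(\S+)\s+(\S+)\s+/add\b", re.I)
RECON_WINDOW = timedelta(seconds=60)   # assumed thresholds, tune per environment
RECON_MIN = 3
CREATE_WINDOW = timedelta(minutes=10)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of findings ({host, rule, evidence, ...}) for the given events."""
    findings = []
    recon = defaultdict(list)    # host -> [(ts, cmdline)]
    created = defaultdict(dict)  # host -> {account: ts of "net user ... /add"}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        if ev["type"] == "process":
            cmd = ev["cmdline"].strip()
            # 1. gpscript.exe spawning a binary that lives on a UNC share
            if _basename(ev.get("parent", "")) == "gpscript.exe" and ev["image"].startswith("\\\\"):
                findings.append({"host": host, "rule": "gpscript_remote_binary", "evidence": cmd})
            # 2. account created with net.exe, then added to Administrators
            m = USER_ADD.match(cmd)
            if m:
                created[host][m.group(1).lower()] = ts
            m = GROUP_ADD.match(cmd)
            if m and m.group(1).lower() == "administrators":
                acct = m.group(2).lower()
                fresh = acct in created[host] and ts - created[host][acct] <= CREATE_WINDOW
                findings.append({"host": host, "rule": "new_local_admin",
                                 "evidence": cmd, "created_in_window": fresh})
            # 3. collect recon commands per host; burst check happens after the loop
            if any(p.match(cmd) for p in RECON_CMDS):
                recon[host].append((ts, cmd))
        elif ev["type"] == "imageload":
            # 4. svchost.exe loading an unsigned DLL or one outside System32
            if _basename(ev["image"]) == "svchost.exe":
                dll = ev["loaded"].lower()
                if not dll.startswith("c:\\windows\\system32\\") or not ev.get("signed", False):
                    findings.append({"host": host, "rule": "svchost_nonstandard_dll",
                                     "evidence": ev["loaded"]})
    # Recon burst: at least RECON_MIN recon commands on one host inside RECON_WINDOW
    for host, hits in recon.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            window = [c for t, c in hits[i:] if t - start <= RECON_WINDOW]
            if len(window) >= RECON_MIN:
                findings.append({"host": host, "rule": "recon_burst", "evidence": window})
                break
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["host"], f["rule"], f["evidence"])
```

On the constructed input the script raises four findings, all on FS01, and stays silent on the lone `net user` from WS07 and on the signed System32 DLL. The recon rule deliberately matches only the bare `net user` and `net localgroup` listings, so a legitimate `net user X /add` is scored by the account-creation rule rather than inflating the recon count.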
A Turning Point in Ransomware Evolution
The Crypto24 campaign reflects a critical moment in ransomware’s evolution. Attackers are moving beyond simple encryption schemes, instead building comprehensive attack frameworks that adapt to modern defenses, exploit enterprise blind spots, and establish long-lasting infiltration.
This development underscores the urgent need for organizations to strengthen endpoint protection, monitor for LotL abuse, and improve incident response readiness against increasingly intelligence-driven ransomware threats.