The cybersecurity landscape faces a new sophisticated threat as the Crypto24 ransomware group demonstrates an alarming evolution in attack methodology, seamlessly blending legitimate administrative tools with custom-developed malware to execute precision strikes against high-value targets.
This emerging ransomware operation has successfully compromised organizations across Asia, Europe, and the United States, with a particular focus on financial services, manufacturing, entertainment, and technology sectors.
Unlike conventional ransomware campaigns that rely heavily on encryption-focused attacks, Crypto24 operators exhibit exceptional operational maturity by strategically timing their attacks during off-peak hours to minimize detection risks while maximizing impact potential.
The group’s arsenal combines legitimate tools, PSExec for lateral movement, AnyDesk for persistent remote access, and keyloggers for credential harvesting, with Google Drive serving as a covert data exfiltration channel.
The threat actors demonstrate advanced technical expertise through their deployment of a customized version of RealBlindingEDR, an open-source tool designed to disable security solutions.
Trend Micro analysts identified this variant as particularly dangerous due to its ability to neutralize modern defensive mechanisms, likely exploiting unknown vulnerable drivers to achieve kernel-level access and disable endpoint detection systems.
What sets Crypto24 apart from other ransomware operations is their methodical approach to understanding enterprise security stacks.
The group has systematically studied defensive architectures and developed purpose-built tools to exploit identified weaknesses, representing a dangerous shift from opportunistic attacks to targeted, intelligence-driven operations that demonstrate patience and strategic planning uncommon in commodity ransomware.
Advanced Evasion Through Living Off The Land Tactics
The most concerning aspect of Crypto24’s methodology lies in their masterful exploitation of legitimate Windows utilities to achieve malicious objectives while maintaining operational stealth.
The attackers leverage gpscript.exe, a legitimate Group Policy utility, to remotely execute security software uninstallers from network shares, effectively removing endpoint protection before lateral movement phases.
The group’s persistence mechanisms reveal sophisticated understanding of Windows architecture.
They create multiple administrative accounts with generic names to avoid detection during routine security audits, using standard net.exe commands to establish privileged access.
Their reconnaissance capabilities are equally advanced, employing batch files like 1.bat to gather comprehensive system intelligence through Windows Management Instrumentation Commands (WMIC).
wmic partition get name,size,type
wmic COMPUTERSYSTEM get TotalPhysicalMemory,caption
net user
net localgroup
Perhaps most troubling is their deployment of WinMainSvc.dll as a keylogger service, configured to capture sensitive credentials while masquerading as legitimate system processes.
The malware includes evasion checks that allow it to run only when hosted by svchost.exe, hindering sandbox analysis.
This keylogger establishes persistent surveillance capabilities that outlast the initial infection, creating ongoing exposure risks for compromised organizations.
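As an added defender-side example (not code from the article or from Trend Micro's report), the following Python script runs three detections that match the behaviours described above over constructed process-creation events: a binary spawned by gpscript.exe from a network share, account changes made with net.exe, and a burst of the 1.bat reconnaissance commands. The event format, host names, share path and account name are assumptions.

```python
import re

# Constructed process-creation events (assumption: not from the original report),
# one per line in the form host|parent_image|image|command_line.
SAMPLE_EVENTS = """\
WS01|services.exe|C:\\Windows\\System32\\gpscript.exe|gpscript.exe /startup
WS01|C:\\Windows\\System32\\gpscript.exe|\\\\fs01\\tools\\av_uninstall.exe|av_uninstall.exe /silent
WS01|cmd.exe|C:\\Windows\\System32\\net.exe|net user backupsvc /add
WS01|cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic partition get name,size,type
WS01|cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic COMPUTERSYSTEM get TotalPhysicalMemory,caption
WS01|cmd.exe|C:\\Windows\\System32\\net.exe|net user
WS01|cmd.exe|C:\\Windows\\System32\\net.exe|net localgroup
WS02|cmd.exe|C:\\Windows\\System32\\net.exe|net localgroup
WS02|services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
"""

# The 1.bat reconnaissance commands quoted in the article, lower-cased for matching.
RECON_CMDS = {
    "wmic partition get name,size,type",
    "wmic computersystem get totalphysicalmemory,caption",
    "net user",
    "net localgroup",
}
# net.exe / net1.exe adding a local user or adding a member to a local group.
ACCOUNT_ADD = re.compile(r"\bnet1?\s+(user|localgroup)\b.*\s/add\b", re.I)


def analyse(events: str, recon_threshold: int = 3) -> list:
    """Return one alert string per matched behaviour, in the order detected."""
    alerts, recon_seen = [], {}
    for line in events.splitlines():
        host, parent, image, cmd = line.split("|", 3)
        # Rule 1: gpscript.exe spawning a binary that lives on a UNC share
        # (an uninstaller pushed through Group Policy, as the article describes).
        if parent.lower().endswith("gpscript.exe") and image.startswith("\\\\"):
            alerts.append(f"{host}: gpscript.exe launched {image} from a network share")
        # Rule 2: local account creation or group membership change via net.exe.
        if ACCOUNT_ADD.search(cmd):
            alerts.append(f"{host}: account change via net.exe: {cmd}")
        # Rule 3: several distinct 1.bat recon commands seen on one host.
        key = cmd.strip().lower()
        if key in RECON_CMDS:
            recon_seen.setdefault(host, set()).add(key)
    for host, cmds in sorted(recon_seen.items()):
        if len(cmds) >= recon_threshold:
            alerts.append(f"{host}: {len(cmds)} distinct 1.bat recon commands observed")
    return alerts


if __name__ == "__main__":
    print("\n".join(analyse(SAMPLE_EVENTS)))
```

Running it on the constructed events yields three alerts, all for WS01; WS02 stays quiet because a single "net localgroup" is below the recon threshold.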
The Crypto24 campaign represents a critical inflection point in ransomware evolution, where threat actors have moved beyond simple encryption schemes to develop comprehensive attack platforms that study, adapt to, and systematically defeat modern cybersecurity defenses.