The Crypto24 ransomware group uses a combination of living-off-the-land (LOTL) and custom malware techniques to disable endpoint detection and response (EDR) tools in its attacks, Trend Micro described in a blog post Thursday.Crypto24 also deploys a keylogger for continued surveillance, in addition to its ransomware payload, and exfiltrates data via Google Drive.Trend Micro outlined the LOTL and custom methods leveraged by Crypto24 to establish a foothold, escalate privileges, maintain persistence, evade defenses and achieve lateral movement in a recent attack.Upon initial access, attackers leveraged the Windows net.exe utility to create new users, add users to privileged groups and reactivate disabled administrative accounts. The attacker then abused runas.exe and PSExec64.exe to run local and remote commands with these accounts’ elevated privileges.A script called “1.bat” was used to run Windows Management Instrumentation Command-line (WMIC) commands for initial reconnaissance, gathering information about disk partitions and system memory, local user accounts, and user group memberships.To maintain persistence, the threat actor abused Windows Scheduled Tasks to periodically execute files located at %ProgramData%\Update\ and also established new services to facilitate deployment of its payloads using the sc.exe Windows utility.An EDR disabling tool, identified as a customized version of the open-source RealBlindingEDR tool, was used to remove callbacks from products from a predefined list of nearly 30 security vendors, including Trend Micro.However, the attacker also leveraged their elevated admin privileges to invoke the Group Policy Script Application gpscript.exe and remotely execute the Trend Vision One uninstaller, removing EDR protection.Crypto24 used an IP scanner to help identify additional network devices, leveraged PSExec64.exe for remote command execution and enabled remote desktop protocol (RDP) connections to facilitate lateral movement.The keylogger, run as the service WinMainSvc.dll, uploads its collected keystroke information to a Google Drive, which would likely raise less suspicion that sending it to a separate remote server.The ransomware payload, run as the service MSRuntime.dll, was initially blocked by Trend Micro’s EDR but later encrypted files and deployed its ransom note after the EDR uninstaller was deployed.Crypto24 mostly targets entities within large corporations and enterprises, including those in the financial services, manufacturing, entertainment and technology sectors in the United States, Europe and Asia.Trend Micro recommends its customers enable its self-protection feature, which prevents local users from modifying or removing Trend Micro products. This could help prevent disabling of the EDR via compromised accounts, even those with elevated privileges. The company also noted that speedy detection and remediation of ransomware threats is crucial, as attackers like Crypto24 may lurk for extended periods of time on infected networks, conducting reconnaissance and other activities before delivering their final payloads.“Proactive detection, timely investigation, and swift remediation are essential to disrupting such activities and minimizing potential impact,” the researchers wrote.
Ransomware, Threat Intelligence, EDR
Crypto24 ransomware attacks disable EDR with custom and legitimate tools
(Adobe Stock)
An In-Depth Guide to Ransomware
Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds