Crypto24 Ransomware Uncovered: Stealth, Persistence, and Enterprise-Scale Impact

Emerging in late 2023, Crypto24 has grown into a sophisticated ransomware operation targeting large enterprises across Asia, Europe, and the U.S. 

The group distinguishes itself by blending living-off-the-land techniques with custom malware, executing attacks quietly during off-peak hours to avoid detection. Its use of a bespoke RealBlindingEDR tool to disable leading endpoint protections demonstrates advanced technical capability. 

Beyond encryption, Crypto24 conducts data theft and double extortion, often exfiltrating files via Google Drive. With selective targeting of financially and operationally critical sectors, Crypto24 has built a reputation for stealth, precision, and adaptability, making its campaigns especially impactful.

Analyzed Malware Samples of Crypto24 Ransomware Samples by Picus Labs

• SHA256: 3b0b4a11ad576588bae809ebb546b4d985ef9f37ed335ca5e2ba6b886d997bac
• SHA256: 686bb5ee371733ab7908c2f3ea1ee76791080f3a4e61afe8b97c2a57fbc2efac
• SHA256: 24f7b66c88ba085d77c5bd386c0a0ac3b78793c0e47819a0576b60a67adc7b73

In this blog, we are going to examine the group’s tactics, evasion techniques, and the implications for defenders.

Valid Accounts

Crypto24 leveraged account manipulation to maintain privileged access. 

Attackers reactivated dormant default administrator accounts and created new accounts with generic names to avoid raising suspicion. Using net.exe, they modified and re-enabled accounts, then added them to the Administrators group for elevated privileges.

This dual strategy of reusing built-in accounts and introducing fresh ones ensured redundant privileged access, reduced detection likelihood, and enabled reliable persistence for lateral movement and ransomware deployment.

Discovery

The actor conducted reconnaissance through two distinct command executions.

System Profiling via Batch Script

• wmic partition get name,size,type – enumerated disk partitions
• wmic computersystem get TotalPhysicalMemory,caption – collected memory and OS details.

This allowed the actor to build a profile of system hardware and storage configuration.

Account and Privilege Enumeration

• net user – listed local accounts
• net localgroup – identified group memberships.

This step provided visibility into existing access and privilege levels, helping the actor identify potential targets for lateral movement.

By combining system and account reconnaissance, the attacker gained a comprehensive understanding of the host environment, enabling effective planning for subsequent attack stages.

Persistence

Crypto24 ransomware actors established persistence through scheduled tasks, malicious services, and privileged account creation, disguising activity within legitimate Windows processes to reduce detection.

Scheduled Tasks

• %ProgramData%\Update\update.vbs – executed at regular intervals
• %ProgramData%\Update\vm.bat – executed at regular intervals
  These tasks ensured periodic execution of malicious payloads to maintain a foothold.

Malicious Services

• Keylogger: sc create WinMainSvc type= share start= auto binPath= "C:\Windows\System32\scvhost.exe -k WinMainSvc"

• Ransomware: sc create MSRuntime type= share start= auto binpath= "C:\Windows\System32\svchost.exe -k MSRuntime" displayname= "Microsoft Runtime Manager"

The attacker leveraged svchost.exe to masquerade as legitimate services, enabling stealth deployment of a keylogger and the Crypto24 ransomware.

Account Creation

Crypto24 ransomware holders created a new user account and added it to Administrators and Remote Desktop Users groups.
This granted elevated privileges and remote access, further strengthening persistence.

Through recurring tasks, disguised services, and privileged accounts, the attacker ensured durable and covert access to compromised systems.

Privilege Escalation

The threat actor escalated privileges using a combination of batch scripts, runas.exe, and PsExec, granting administrative rights and enabling high-level system access.

Administrator Group Modification

These commands added multiple accounts to the Administrators and Remote Desktop Users groups, granting them elevated privileges and remote access capabilities.

Runas Execution

This opened a Command Prompt session with administrator-level privileges under the specified account.

PsExec Execution

PsExec was leveraged to launch a command prompt using privileged user credentials, enabling remote privilege escalation and administrative control.

Through user group modification, impersonation with runas.exe, and remote execution with PsExec, the actor ensured persistent administrative access and expanded control over compromised systems.

Defense Evasion

To maintain access and avoid detection, the actor repeatedly created administrative accounts, initiated RDP sessions, and leveraged custom tools to weaken host defenses. 

A notable component was the deployment of a tool resembling RealBlindingEDR, observed across multiple endpoints, specifically designed to bypass Endpoint Detection and Response (EDR) mechanisms.

Tool Deployment

The following files were identified.

Command-Line Arguments

The tool accepts a single argument to specify driver number and associated function.

• 1 – Loads WdFilter.sys (Windows Defender Filter Driver)
• 2 – Loads MpKslDrv.sys (Microsoft Malware Protection Kernel Service Library Driver)
• 3 – Loads mpsdrv.sys (Microsoft Protection Service Driver)
• 4 – Loads WdNisDrv.sys (Windows Defender Network Inspection Service Driver)

This behavior directly targeted core Microsoft security drivers to impair defense capabilities.

Targeted Vendors

The binary was designed to remove callbacks from drivers associated with major security vendors, including Gen Digital, Kaspersky, Sophos, Trend Micro, Malwarebytes, Bitdefender, McAfee, Fortinet, Sentinel, and others. 

By focusing only on identified vendors, the tool minimized risk of system instability while evading leading endpoint protections.

Code Logic: Retrieving Company Name from Driver Metadata

Code Logic: Comparing Retrieved Company Name

By dynamically querying driver metadata and filtering against a vendor list, the tool selectively disabled protections from well-known security products. 

This allowed the attacker to maintain a persistent presence on compromised hosts while evading endpoint detection and incident response mechanisms.

Lateral Movement: Remote Services

Following initial compromise and account creation, the threat actor expanded their control using PsExec, registry modifications, and firewall rules to enable Remote Desktop Protocol (RDP) access. They also deployed a network scanning utility to identify additional systems in the environment for lateral movement.

PsExec Service Deployment

This binary is installed and executed by PsExec when initiating remote sessions. It allowed the attacker to run commands interactively on the compromised system under the context of privileged credentials. By establishing PsExec service execution, the actor ensured reliable remote administration capabilities and a channel for pushing additional commands or payloads.

Registry Modification to Enable RDP

This command directly modified the registry key fDenyTSConnections, setting its value to 0. By doing so, the attacker explicitly enabled RDP connections on the host, which are normally disabled in hardened environments. This change provided a persistent mechanism for graphical remote access, complementing the use of PsExec.

Firewall Rule Addition

After enabling RDP in the registry, the attacker ensured accessibility by configuring Windows Firewall to allow inbound traffic on TCP port 3389. 

This effectively exposed the host to external RDP sessions, bypassing local network restrictions and strengthening their lateral movement strategy.

Network Scanning Utility

The actor installed Advanced IP Scanner (version 3.9.1) on one endpoint. This tool is widely used to enumerate active devices, open ports, and reachable services within a local network. 

By scanning for additional hosts, the attacker identified new targets for pivoting, expanding their footprint across the environment.

This sequence of actions shows a clear lateral movement strategy.

1. PsExec provided immediate remote command execution.

2. Registry edits and firewall rules enabled persistent RDP access, giving attackers flexibility to return with GUI-based sessions.

3. Network scanning revealed further systems to compromise.

Together, these techniques transformed a single compromised host into a beachhead, allowing the attacker to spread laterally, escalate access to additional systems, and maintain persistence across the victim’s network.

Collection and Credential Access: Input Capture (Keylogging)

Once remote access was secured, the threat actor escalated their operation by installing a keylogger designed to capture user input, including credentials. 

The component, WinMainSvc.dll, was deployed via a batch script and configured to run as a persistent Windows service. This ensured continuous monitoring of user activity while blending in with legitimate processes.

Deployment via Batch Script

The script facilitated execution of commands required to install and register the malicious DLL as a service. This approach simplified installation and avoided manual operator interaction.

Service Creation for Persistence

This command registered the keylogger (WinMainSvc.dll) as a Windows service named WinMainSvc, configured to automatically start with the system. By running under svchost.exe, the service was disguised as a legitimate background process, making detection significantly more difficult.

Through scheduled execution and service persistence, the keylogger continuously intercepted keystrokes, providing the attacker with sensitive information such as usernames, passwords, and potentially confidential data entered on the compromised host. This capability not only facilitated credential theft but also supported further lateral movement and long-term espionage objectives.

Keylogger (WinMainSvc.dll): Technical Deep Dive

Execution Checks and Evasion Logic

The DLL verifies that it is running as a service by checking whether the command line contains C:\Windows\system32\svchost.exe. 

This evasion ensures the malware executes only in real-world scenarios where it masquerades as a legitimate Windows service.

Keylogging Functionality

The malware intercepts keyboard inputs and records control keys. Examples of mapped key codes include delete, backspace, control, tab, and escape, indicating explicit keystroke logging.

This mapping highlights its ability to log both special keys and regular character inputs for later exfiltration.

Exfiltration via Google Drive API

Captured keystrokes were uploaded to Google Drive using a custom function that leveraged the WinINet API. 

The pseudocode demonstrates how the malware establishes a connection to Google’s API, authenticates with an access token, and uploads collected data.

The malware first created a test file (test.txt) with the string “Test” to validate connectivity and upload functionality before exfiltrating keystrokes.

Persistence and Remote Access Reinforcement

To ensure reliable remote access and continued keylogging, the actor relied on Windows Management Instrumentation (WMI), firewall modifications, and later, direct DLL patching:

EDR Removal and Payload Execution

These actions disabled backups and security tools, enabling successful ransomware encryption and ransom note creation.

Through WinMainSvc.dll, the attacker combined input capture, stealthy service execution, cloud-based exfiltration, and repeated RDP reinforcement with additional remote access tools. The eventual use of MSRuntime.dll as ransomware shows how initial keylogging evolved into full-scale compromise, data theft, and destructive impact.

Crypto24 Ransomware Analysis

Our analysis of the Crypto24 ransomware reveals a hardened binary protected with VMProtect virtualization, designed to obstruct static analysis and reverse engineering. By leveraging dynamic analysis and memory dumping, we were able to bypass these protections and extract the unpacked payload, providing visibility into its full functionality.

API Hashing and Obfuscation

Crypto24 implements API hashing to dynamically resolve NTDLL functions, concealing sensitive API calls from static inspection and signature-based detection. Instead of referencing APIs directly, the binary computes hashes to retrieve them at runtime.

This technique complicates static analysis and allows Crypto24 to evade traditional detection by hiding critical API usage.

Privilege Escalation

Crypto24 exploits the CMSTPLUA COM interface ({3E5FC7F9-9A51-4367-9063-A120244FBEC7}) to bypass User Account Control (UAC), a method also observed in advanced ransomware families like BlackCat and LockBit. 

This allows execution with elevated privileges without triggering UAC prompts.

A secondary method involves execution with runas for administrative privileges:

Persistence via Service Installation

The ransomware establishes persistence by installing itself as a Windows service named MSRuntime. 

It uses a templated batch script where SVC_NAME is dynamically replaced.

Despite VMProtect obfuscation, memory analysis confirmed replacement of placeholders with MSRuntime, verifying this persistence mechanism.

Execution Context Validation

To ensure correct execution, the ransomware verifies that it is launched under svchost.exe.

This ensures the malware operates as a Windows service, avoiding anomalies that may expose it during analysis.

Anti-Forensics and Logging

Crypto24 logs activity to C:\Windows\System32\erls.txt, likely for debugging or operational tracking.

It also excludes specific files and binaries related to its own operation from encryption, such as:

• adm.exe
• msruntime.dll
• rms.bat
• runtimes.exe

Targeted Files and Directories

The ransomware focuses on user and enterprise-critical paths, including:

• \AppData\Local\, \AppData\Roaming\
• C:\Program Files\ (Google, Dropbox, VMware, etc.)
• C:\ProgramData\ (Microsoft OneDrive, AhnLab, Trend Micro)
• User directories (C:\Users, C:\Users\Public)

This broad targeting indicates an intent to maximize impact across business environments while excluding its own runtime files.

Registry Usage

Crypto24 maintains state information in the registry under:

Example values:

• D_cnt → counter value (0x30)
• D_th0–D_th11 → directory paths used during encryption

Process Termination

Crypto24 attempts to terminate processes linked to cloud storage and sync services that could interfere with encryption:

• chromeremotedesktop.exe
• dropbox.exe
• googledrivefs.exe
• onedrive.exe

File Encryption

The ransomware appends the .crypto24 extension to encrypted files:

Ransom Note Deployment

The ransomware drops Decryption.txt with double-extortion threats, data is both encrypted and threatened with public release if ransom is not paid.

Self-Deletion and Cleanup

After execution, the ransomware triggers batch scripts to remove services, artifacts, and itself:

These routines eliminate forensic evidence and reduce chances of detection post-encryption.

Targeting Profile

Crypto24 primarily targets large corporations and enterprise organizations across Asia, Europe, and the USA, with a focus on:

• Financial services
• Manufacturing
• Entertainment
• Technology sectors

Its use of VMProtect, UAC bypasses, service persistence, selective targeting, and double extortion demonstrate a highly sophisticated ransomware family focused on financially and operationally critical victims.

How Picus Helps Defend Against Crypto24 Ransomware Attacks?

The Picus Security Validation Platform safely simulates Crypto24 Ransomware’s techniques using its continuously updated Threat Library, identifying blind spots across EDRs, NGFWs, and SIEMs before attackers can exploit them. 

You can also test your defenses against hundreds of other ransomware variants, such as Interlock, Akira, Anubis ransomware campaigns within minutes with a 14-day free trial of the Picus Platform.