Researchers have identified a new wave of Crypto24 ransomware attacks, warning that the group's ability to disable endpoint detection and response (EDR) tooling marks an escalation in the threat landscape.

Trend Micro researchers have found that recent Crypto24 campaigns combine advanced evasion with custom-built tools to disable endpoint defenses, including disabling and uninstalling Trend Micro's own Vision One agent. First observed in 2024, the group kept a low profile until recently, when it became the latest ransomware crew shown to bypass EDR protections.

Trend Micro's Thursday report says Crypto24 displays a degree of sophistication that sets it apart from typical ransomware groups. Researchers observed the gang using legitimate tools such as PsExec and AnyDesk for lateral movement within networks, and Google Drive for exfiltrating stolen data.

"More importantly, Crypto24's successful deployment of a customized RealBlindingEDR (an open source tool for disabling security solutions) variant that neutralized our security controls shows their capability to maneuver around modern defenses," the report said. "The threat actor's customized version employs advanced evasion, likely via unknown vulnerable drivers, showcasing deep technical expertise and ongoing tool refinement." 

Trend Micro reported that Crypto24 stands out for its rare patience and calculated strategy, with attacks concentrated on major enterprises in Asia, Europe, and the US, particularly in the financial services, manufacturing, entertainment, and tech sectors. 

Ransomware Puts EDR in the Hot Seat  

According to Trend Micro, recent Crypto24 attacks involved remotely uninstalling Trend Vision One agents, with the uninstaller executed from a network share via the legitimate Windows gpscript.exe utility, alongside a customized RealBlindingEDR build used to disable security tooling.

The report highlighted that Crypto24 actors abused XBCUninstaller.exe, a legitimate Trend Vision One support tool intended for troubleshooting agent inconsistencies. Researchers stressed that the attackers could only run it after already obtaining elevated privileges through earlier stages of the intrusion.

According to the report, organizations that enforce strong access controls and least-privilege policies can blunt this technique, since the uninstaller cannot be run without elevated privileges. The attacks nonetheless point to a broader concern: threat actors are carefully analyzing EDR products to identify weaknesses, including legitimate vendor tooling that can be turned against the product itself.

It remains unknown which vulnerable drivers Crypto24's tailored RealBlindingEDR build abuses, so defenders cannot yet add the specific drivers to their blocklists. These are legitimate, signed drivers with exploitable flaws rather than malicious drivers, which is why blocking them by hash or signer is the usual countermeasure once they are identified.

Mitigating the Crypto24 Threat 

According to Trend Micro, Crypto24 is now targeting large enterprises in big game hunting campaigns, and organizations are being advised to reinforce security measures. 

"Crypto24 has been targeting high-profile entities within large corporations and enterprise-level organizations," the report said. "The scale and sophistication of recent attacks indicate a deliberate focus on organizations possessing substantial operational and financial assets." 

Trend Micro advised organizations not only to enforce strict access controls and least-privilege policies across their networks, but also to implement anti-tampering protections so that even an attacker who has gained administrative rights cannot disable or uninstall security tools.