
#Crypto24

Latest posts tagged with #Crypto24 on Bluesky


Posts tagged #Crypto24

🆕 🇮🇹 via @ransomnews.online | ransomnews.online
🏴‍☠️ Group: #crypto24 | Cyber attack claim
🗒️ 8th attack catalogued in the month of September
⚠️ 131st #Ransomware attack catalogued in 2025


🚨 new #ransomware claim, Italy 🚨

🏴‍☠️ group #Crypto24
🧬 Generali Assicurazioni Group | Mogliano Veneto (TV)
🎯 sector: insurance
🔗 generali.com
🗓️ 18 September 2025

📄 sample: -
▪️ exfiltrated data claimed: -
▪️ exfiltrated data published: -
⏲️ deadline: 27 September 2025

#ransomNews

Crypto24 ransomware uses custom "EDR-blinding" tool to hit high-value targets

A threat group tracked as Crypto24 is attacking large organizations across the U.S., Europe, and Asia, aiming at finance, manufacturing, entertainment, and technology firms. First discussed publicly on security forums in September 2024, the group has since shown mature tradecraft, according to researchers monitoring its campaigns.

How they gain and keep access
After breaking in, the attackers enable built-in administrator accounts on Windows machines or create new local admins to keep a quiet foothold. They run a scripted recon phase that lists user accounts, profiles hardware, and maps disks. For persistence, they add malicious Windows services and scheduled tasks, most notably:
- WinMainSvc: a keylogger that pretends to be "Microsoft Help Manager," recording active window titles and keystrokes (including Ctrl/Alt/Shift and function keys).
- MSRuntime: a loader that later launches the file-encrypting payload.

How they bypass security tools
Crypto24 deploys a customized version of the open-source RealBlindingEDR utility to neutralize endpoint detection and response (EDR) products. The tool reads a driver's metadata to extract the vendor name, compares it to a built-in list, and, on a match, tampers with kernel callbacks/hooks to "blind" detections. Vendors targeted include Trend Micro, Kaspersky, Sophos, SentinelOne, Malwarebytes, Cynet, McAfee, Bitdefender, Broadcom (Symantec), Cisco, Fortinet, and Acronis. On systems running Trend Micro, the operators have been seen, once they have admin rights, launching the legitimate XBCUninstaller.exe (Trend Vision One's uninstaller) via gpscript.exe (a Group Policy script runner). The tool is intended for support tasks like cleaning inconsistent agents, but here it is repurposed to remove protections so follow-on payloads can run undetected.

How they move and what they steal
For lateral movement, the intruders rely on SMB shares to copy tools and spread across the network. Before encryption, they exfiltrate data to Google Drive, using a custom program that calls the Windows WinINET API to talk to the cloud service. This gives them an off-network stash of sensitive files for double extortion.

What remains unknown
Researchers have not yet published details about the final ransomware stage, such as the encryption method, ransom note, payment channel, or any language/branding clues. However, they have released indicators of compromise (IOCs) to help defenders detect and block the intrusions earlier in the kill chain.

Why it matters
Crypto24 blends custom malware with "living-off-the-land" techniques and legitimate admin tools, making alerts easier to miss. Organizations should harden admin account policies, monitor for suspicious driver tampering and service creation, restrict outbound cloud traffic where possible, and use the published IOCs to hunt proactively.

Crypto24 ransomware uses custom “EDR-blinding” tool to hit high-value targets #Crypto24 #EDR #GoogleDrive

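The persistence and EDR-removal behaviours summarised in the post above can be turned into a small hunt over Windows event data. The block below is an added example, not code from the post, from Trend Micro or from any of the linked reports. It runs a handful of rules over constructed service-install (System 7045) and process-creation (Security 4688 / Sysmon 1) records: the service names, the "Microsoft Help Manager" display name, the gpscript.exe to XBCUninstaller.exe parent/child pair and the file IOCs (WinMainSvc.dll, MSRuntime.dll, AVB.exe) all come from posts on this page; the sample events, the XBCUninstaller install path and the `net user ... /add` and `/active:yes` patterns used to represent "enable built-in admin or create a local admin" are assumptions, since the page names the behaviour but not the exact commands.

```python
"""Hunt rules for the Crypto24 persistence and EDR-removal behaviours.

Added example; the event records below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass, field

# Service / display names and file IOCs named in the posts on this page.
SUSPECT_SERVICE_NAMES = {"winmainsvc", "msruntime"}
SUSPECT_DISPLAY_NAMES = {"microsoft help manager"}
SUSPECT_FILES = {"winmainsvc.dll", "msruntime.dll", "avb.exe"}

# Match an IOC filename as a whole token anywhere in a path or command line.
FILE_RE = re.compile(
    r"(?<![a-z0-9_])(" + "|".join(map(re.escape, sorted(SUSPECT_FILES))) + r")(?![a-z0-9_])",
    re.IGNORECASE,
)

# Assumption: the post says the actors enable the built-in Administrator or add
# local admins, but does not give the commands; net/net1 is the usual LOLBin.
ADMIN_ACCOUNT_RE = re.compile(r"\bnet1?(\.exe)?\s+user\b.*(/add\b|/active:yes\b)", re.IGNORECASE)


@dataclass
class Finding:
    event_id: int
    subject: str
    rules: list[str] = field(default_factory=list)


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased; tolerates quotes and '/'."""
    return path.replace("/", "\\").strip('"').split("\\")[-1].lower()


def check_service_install(ev: dict) -> list[str]:
    """Rules for a System 7045 'service installed' event."""
    rules = []
    if ev.get("service_name", "").lower() in SUSPECT_SERVICE_NAMES:
        rules.append("service_name_ioc")
    if ev.get("display_name", "").lower() in SUSPECT_DISPLAY_NAMES:
        rules.append("service_display_name_masquerade")
    if FILE_RE.search(ev.get("image_path", "")):
        rules.append("service_image_file_ioc")
    return rules


def check_process_create(ev: dict) -> list[str]:
    """Rules for a Security 4688 or Sysmon 1 process-creation event."""
    rules = []
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent_image", ""))
    cmd = ev.get("command_line", "")
    # Legitimate Trend uninstaller launched through the Group Policy script runner.
    if image == "xbcuninstaller.exe" and parent == "gpscript.exe":
        rules.append("edr_uninstaller_via_gpscript")
    if image in SUSPECT_FILES or FILE_RE.search(cmd):
        rules.append("process_file_ioc")
    if ADMIN_ACCOUNT_RE.search(cmd):
        rules.append("local_admin_manipulation")
    return rules


def hunt(events: list[dict]) -> list[Finding]:
    """Return one Finding per event that triggers at least one rule."""
    findings = []
    for ev in events:
        eid = ev["event_id"]
        if eid == 7045:
            rules, subject = check_service_install(ev), ev.get("service_name", "")
        elif eid in (4688, 1):
            rules, subject = check_process_create(ev), ev.get("image", "")
        else:
            continue
        if rules:
            findings.append(Finding(eid, subject, rules))
    return findings


# Constructed sample events (paths are assumptions, not observed values).
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "WinMainSvc", "display_name": "Microsoft Help Manager",
     "image_path": r"C:\Windows\System32\svchost.exe -k WinMainSvc"},
    {"event_id": 7045, "service_name": "MSRuntime", "display_name": "MSRuntime",
     "image_path": r"rundll32.exe C:\ProgramData\MSRuntime.dll,Start"},
    {"event_id": 7045, "service_name": "BackupAgent", "display_name": "Backup Agent",
     "image_path": r"C:\Program Files\Backup\agent.exe"},
    {"event_id": 4688, "image": r"C:\Program Files\Trend Micro\XBCUninstaller.exe",
     "parent_image": r"C:\Windows\System32\gpscript.exe", "command_line": "XBCUninstaller.exe"},
    {"event_id": 4688, "image": r"C:\Windows\System32\net.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "net user Administrator /active:yes"},
    {"event_id": 1, "image": r"C:\Users\Public\AVB.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": r"C:\Users\Public\AVB.exe"},
    {"event_id": 4688, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.event_id}\t{f.subject}\t{', '.join(f.rules)}")
```

Five of the seven sample events fire; the two benign ones (a third-party backup service and notepad.exe) do not. The display-name rule is deliberately separate from the service-name rule so that a renamed keylogger service still surfaces on its "Microsoft Help Manager" masquerade, and the gpscript.exe parent check is what distinguishes an attacker-driven uninstall from a support engineer running XBCUninstaller.exe by hand.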

From electronics to healthcare and legal sectors, ransomware actors are hitting critical infrastructure with global reach and precision.
#CyberSecurity #DataBreach #Ransomware #HackNotice #Akira #Pear #WorldLeaks #RansomHouse #Crypto24 #Maxell #MPOWERHealth #Palmgold #BobcatCentral #HomseyLawCenter


🥷🏻 Crypto24 toolkit revealed

A Trend Micro report reveals #Crypto24, a sophisticated ransomware operation that blends legitimate admin tools with custom malware to infiltrate, persist, steal via Google Drive, disable EDRs, and deploy ransomware during off-hours.

#ransomNews #Ransomware

Crypto24 Ransomware Uses LOLBins & Custom Malware

~Trend Micro~
Crypto24 ransomware blends legitimate tools with custom malware to bypass EDR and exfiltrate data before encryption.
-
IOCs: WinMainSvc.dll, MSRuntime.dll, AVB.exe
-
#Crypto24 #LOLBins #Ransomware #ThreatIntel


Crypto24 ransomware uses legitimate tools and custom malware to hit SMEs with stealthy attacks and double extortion.

#Crypto24 #doppiaestorsione #Makop #Ransomware #TrendMicro
www.matricedigitale.it/2025/08/14/c...


Crypto24 Ransomware Details

exchange.xforce.ibmcloud.com/threats/guid...

#crypto24 #Ransomware


🚨 UPDATE #ransomware claim, Italy 🚨

🏴‍☠️ group #Crypto24
🧬 Larimart SPA (Gruppo Leonardo) | Rome
🎯 sector: defence
🔗 larimart.it
🗓️ 16 July 2025

📄 sample: yes
▪️ exfiltrated data claimed: 2.00TB
▪️ exfiltrated data published: -
⏲️ deadline: -

#ransomNews #security #infosec


🆕 🇮🇹 via @ransomnews.online
🏴‍☠️ Group: #crypto24 | Cyber attack claim
🗒️ 7th attack catalogued in the month of July
⚠️ 92nd #Ransomware attack catalogued in 2025

Personal note: we wait .... 🐢


🚨 new #ransomware claim, Italy 🚨

🏴‍☠️ group #Crypto24
🧬 Lar ***
🎯 sector: -
🔗 lar ***.it
🗓️ 10 July 2025

📄 sample: -
▪️ exfiltrated data claimed: -
▪️ exfiltrated data published: -
⏲️ deadline: 16 July 2025

#ransomNews #security #infosec


Ransomware Group crypto24 Hits: Elite Advanced Laser Corporation ( Elaser ) www.hookphish.com/blog/ransomw... #crypto24 #cyberattack #databreach #eliteadvancedlasercorporationelaser #ransomware


Ransomware Group crypto24 Hits: N8XT www.hookphish.com/blog/ransomw... #crypto24 #cyberattack #databreach #n8xt #ransomware


Ransomware Group crypto24 Hits: ModulusGroup,Ludi-SFM www.hookphish.com/blog/ransomw... #crypto24 #cyberattack #cybersecurity #databreach #hookphish #modulusgroupludisfm #ransomware


#Noticias: crypto24 ransomware publishes the financial service iris Neofinanciera on the dark web.

🔗 www.security-chu.com/2025/04/Iris...

#ciberseguridad #Colombia #Servicio #financiero #ciberataque #ransomware #crypto24
