Crypto24 ransomware hits large orgs with custom EDR evasion tool
What’s new: The Crypto24 ransomware group has developed custom tools to evade endpoint detection and response (EDR) solutions, targeting large organizations in the finance, manufacturing, entertainment, and tech sectors across the U.S., Europe, and Asia. Their tactics include activating default administrative accounts, creating malicious services for persistence, and using a modified version of the open-source tool RealBlindingEDR to disable security agents from various vendors.
Who’s affected
Large organizations in multiple sectors, including finance, manufacturing, entertainment, and technology, have been targeted by the Crypto24 ransomware group.
What to do
- Review and enhance endpoint security measures to detect and block the custom EDR evasion techniques used by Crypto24.
- Monitor for indicators of compromise (IOCs) associated with Crypto24 attacks, as provided by Trend Micro.
- Ensure that administrative privileges are tightly controlled and monitored to prevent unauthorized access and actions.
- Regularly back up data and ensure that backup systems are not accessible from the main network to mitigate the impact of ransomware.
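As an added example (not from the original brief or from Trend Micro's report), the following PowerShell hunt checks a Windows host for two of the behaviours described above: a built-in administrative account that was enabled recently, and services installed for persistence. The seven-day lookback and the "binary outside trusted directories" heuristic are assumptions for illustration; the event IDs (Security 4722, System 7045) are standard Windows audit events, not indicators from the report.

```powershell
# Added defender-side hunt (not the report's own tooling). Run elevated: the
# Security log is admin-only. Lookback window is an assumption; tune per environment.
param([int]$LookbackDays = 7)
$since = (Get-Date).AddDays(-$LookbackDays)

# Parse an event's EventData into a name->value hashtable.
function Get-EventFields($evt) {
    $d = @{}
    ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    return $d
}

# --- 1. Default administrative account activation ---
# The built-in Administrator always has RID 500 regardless of its display name.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Enabled) {
    Write-Warning "Built-in Administrator '$($builtin.Name)' is ENABLED (last logon: $($builtin.LastLogon))"
}
# Security event 4722 = "A user account was enabled" (needs account-management auditing on).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4722; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventFields $_
        [pscustomobject]@{ Time = $_.TimeCreated; EnabledAccount = $d['TargetUserName']; By = $d['SubjectUserName'] }
    } | Format-Table -AutoSize

# --- 2. Services created for persistence ---
# System event 7045 = "A service was installed in the system". A service binary
# outside the OS/program directories is an assumed (not report-specific) red flag.
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventFields $_
        $path = "$($d['ImagePath'])".TrimStart('"')          # strip a leading quote before matching
        $inTrusted = $trustedRoots | Where-Object { $path -like "$_*" }
        [pscustomobject]@{
            Time = $_.TimeCreated; Service = $d['ServiceName']; ImagePath = $path
            StartType = $d['StartType']; RunAs = $d['AccountName']; OutsideTrustedDirs = (-not $inTrusted)
        }
    } | Sort-Object OutsideTrustedDirs -Descending | Format-Table -AutoSize
```

Rows with OutsideTrustedDirs set, or 4722 events for RID-500 accounts, are the ones to triage first; pair this host-level check with the vendor IOCs rather than relying on either alone.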