
New Crypto24 Ransomware Attacks Bypass EDR - Dark Reading

Dark Reading, archived Mar 20, 2026



While several cybercrime groups have embraced "EDR killers," researchers say the deep knowledge and technical skills demonstrated by Crypto24 signify a dangerous escalation.

Rob Wright, Senior News Director, Dark Reading
August 15, 2025, 4 Min Read

Researchers spotted a new Crypto24 ransomware campaign that they say marks a "dangerous evolution" in the threat landscape.

According to Trend Micro researchers, recent attacks by Crypto24 actors display a combination of advanced evasion techniques and custom tools that can disable EDR solutions, including Trend Micro's own Vision One platform.

Crypto24 was first spotted in 2024 but hadn't made much of an impact until recently, when it became the latest ransomware gang to bypass EDR platforms and security solutions.

Trend Micro's report, published Thursday, details how Crypto24 has demonstrated a high level of skill that sets it apart from other ransomware gangs. For example, researchers noted how Crypto24 actors deftly deploy a broad range of tools that include legitimate programs like PsExec and AnyDesk for remote access and lateral movement, as well as Google Drive for data exfiltration.

"More importantly, Crypto24's successful deployment of a customized RealBlindingEDR (an open source tool for disabling security solutions) variant that neutralized our security controls shows their capability to maneuver around modern defenses," the report said. "The threat actor's customized version employs advanced evasion, likely via unknown vulnerable drivers, showcasing deep technical expertise and ongoing tool refinement."

Trend Micro researchers said Crypto24 actors demonstrated "uncommon" strategic planning and patience in these attacks, which have been primarily focused on large enterprises in Asia, Europe, and the US in the financial services, manufacturing, entertainment, and tech industries.

EDR Platforms in the Crosshairs

In recent attacks, Trend Micro researchers observed Crypto24 actors remotely uninstalling Trend Vision One from a network share using the custom version of RealBlindingEDR and a legitimate group policy utility called gpscript.exe. The report noted that the attackers use a Trend Vision One uninstaller, XBCUninstaller.exe, which is a legitimate tool provided by the cybersecurity vendor to help customers address issues such as fixing inconsistent agents across deployments.

Trend Micro researchers said the attackers were only able to use the uninstaller, which requires administrator privileges, after gaining elevated privileges through previous malicious activity on compromised systems.

"What we observed represents a classic example of 'living off the land' tactics, where threat actors leverage legitimate administrative tools to further their attacks in post-compromise scenarios," the researchers wrote. "In this case, they used our own maintenance tool to disable endpoint protection before moving laterally to other devices."

The report emphasized that "properly configured" systems with strong access controls and the principle of least privilege will prevent the Crypto24 attacks. But the latest example of the ongoing assault against EDR technology is concerning because it's clear that threat actors have studied and analyzed these products and found weaknesses to exploit.

"The attackers demonstrate a clear understanding of enterprise defense stacks and an ability to circumvent them," the researchers wrote.

Additionally, it's unclear which vulnerable drivers Crypto24 operators have weaponized for their customized version of RealBlindingEDR, so organizations can't determine which malicious drivers should be added to blocklists.

"At this stage, we cannot confirm the exact drivers," says Stephen Hilt, senior threat researcher at Trend Micro. "I would assume it is likely using a bring your own vulnerable driver (BYOVD) tactic, which involves loading legitimate but flawed drivers to disable security tools. Similar techniques in past cases have abused well-known drivers like Martini.sys or mhyprot2.sys."

And Trend Micro isn't the only vendor affected by these attacks. The report noted that the RealBlindingEDR version removes callbacks for security products from nearly 30 vendors, including Cisco, Kaspersky Lab, Malwarebytes, Sophos, and Trellix.

Defending Against Crypto24

Trend Micro warned that Crypto24 is going big game hunting and urged enterprises to shore up defenses.

"Crypto24 has been targeting high-profile entities within large corporations and enterprise-level organizations," the report said. "The scale and sophistication of recent attacks indicate a deliberate focus on organizations possessing substantial operational and financial assets."

In addition to implementing strong access controls and applying the principle of least privilege across the network, Trend Micro urged customers to apply anti-tampering countermeasures to prevent Crypto24 actors from disabling and removing security products.

"Enabling agent self-protection on Windows prevents local users from tampering or removing Trend's agent," the researchers said. "Furthermore, activating Trend's Self-Protection feature ensures that local users cannot tamper with or uninstall any Trend products, preserving endpoint integrity and safeguarding critical security controls."

Trend Micro also recommended that organizations take additional steps such as regularly auditing privileged accounts; limiting remote desktop protocol and remote tool usage to authorized systems only; and regularly inspecting scheduled tasks and service creations for signs of malicious activity.

This story was updated at 10:30 a.m. ET on August 18 to reflect comments from Trend Micro.

About the Author

Rob Wright, Senior News Director, Dark Reading. Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.
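Turning the report's advice into a concrete check, as an added example that is not part of the Dark Reading article or of Trend Micro's report: the script below evaluates Windows event records (process creation 4688, service install 7045, scheduled task creation 4698) for the tampering pattern described above, namely a security-product uninstaller launched through gpscript.exe or from a network share, a kernel-driver service whose binary is one of the driver names the article cites as previously abused, and services or scheduled tasks created by accounts outside an authorised set. The sample events, host and account names, the AUTHORIZED_ADMINS set and the field names are assumptions constructed for this example; a real deployment would feed it from the Security and System logs and replace the two-entry driver list with the full Microsoft vulnerable-driver blocklist.

```python
"""Detection checks for the EDR-tampering pattern in the Crypto24 report, run over
constructed Windows event records (not real telemetry)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Driver names the article cites as abused in past BYOVD cases. A real deployment
# would load the full Microsoft vulnerable-driver blocklist instead (assumption).
KNOWN_VULNERABLE_DRIVERS = {"martini.sys", "mhyprot2.sys"}

# Vendor maintenance tools that must only run under change control.
# XBCUninstaller.exe is named in the article; extend for other deployed products.
SECURITY_UNINSTALLERS = {"xbcuninstaller.exe"}

# Accounts permitted to create services and scheduled tasks (constructed for this example).
AUTHORIZED_ADMINS = {"CORP\\svc-sccm", "NT AUTHORITY\\SYSTEM"}


@dataclass
class Event:
    event_id: int          # 4688 process creation, 7045 service install, 4698 task creation
    host: str
    user: str              # account that performed the action
    fields: Dict[str, str]


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1].lower()


def _is_unc(path: str) -> bool:
    """True for a network-share path (starts with two backslashes)."""
    return path.startswith("\\\\")


def check_process_creation(ev: Event) -> List[Finding]:
    """4688: flag any security-product uninstaller; escalate when it is started by
    gpscript.exe (Group Policy script) or from a network share, as in the report."""
    image = ev.fields.get("NewProcessName", "")
    parent = ev.fields.get("ParentProcessName", "")
    if _basename(image) not in SECURITY_UNINSTALLERS:
        return []
    if _basename(parent) == "gpscript.exe" or _is_unc(image):
        rule = "edr_uninstaller_via_gpscript_or_share"
    else:
        rule = "edr_uninstaller_executed"
    return [Finding(ev.host, rule, f"{image} parent={parent} user={ev.user}")]


def check_service_install(ev: Event) -> List[Finding]:
    """7045: flag kernel-driver services pointing at a known-vulnerable driver (BYOVD
    staging), binaries on network shares, and installs by unexpected accounts."""
    out: List[Finding] = []
    image = ev.fields.get("ImagePath", "")
    if ev.fields.get("ServiceType") == "kernel mode driver" and _basename(image) in KNOWN_VULNERABLE_DRIVERS:
        out.append(Finding(ev.host, "known_vulnerable_driver_service", image))
    if _is_unc(image):
        out.append(Finding(ev.host, "service_binary_on_network_share", image))
    if ev.user not in AUTHORIZED_ADMINS:
        out.append(Finding(ev.host, "service_created_by_unauthorized_account", ev.user))
    return out


def check_scheduled_task(ev: Event) -> List[Finding]:
    """4698: flag tasks created by accounts outside the authorised set or whose
    command runs from a network share."""
    out: List[Finding] = []
    command = ev.fields.get("Command", "")
    if ev.user not in AUTHORIZED_ADMINS:
        out.append(Finding(ev.host, "task_created_by_unauthorized_account", ev.user))
    if _is_unc(command):
        out.append(Finding(ev.host, "task_command_on_network_share", command))
    return out


CHECKS: Dict[int, Callable[[Event], List[Finding]]] = {
    4688: check_process_creation, 7045: check_service_install, 4698: check_scheduled_task}


def evaluate(events: List[Event]) -> List[Finding]:
    """Dispatch each event to the check for its ID and collect findings in order."""
    findings: List[Finding] = []
    for ev in events:
        check = CHECKS.get(ev.event_id)
        if check is not None:
            findings.extend(check(ev))
    return findings


# Constructed sample events; hosts, users and paths are invented for this example.
SAMPLE_EVENTS = [
    Event(4688, "fs01", "CORP\\jdoe", {"NewProcessName": r"\\fs01\share\XBCUninstaller.exe",
                                       "ParentProcessName": r"C:\Windows\System32\gpscript.exe"}),
    Event(4688, "ws07", "CORP\\svc-sccm", {"NewProcessName": r"C:\Temp\XBCUninstaller.exe",
                                           "ParentProcessName": r"C:\Windows\System32\cmd.exe"}),
    Event(4688, "ws07", "CORP\\jdoe", {"NewProcessName": r"C:\Windows\System32\notepad.exe",
                                       "ParentProcessName": r"C:\Windows\explorer.exe"}),
    Event(7045, "db02", "CORP\\jdoe", {"ServiceName": "upd", "ImagePath": r"C:\Windows\Temp\mhyprot2.sys",
                                       "ServiceType": "kernel mode driver"}),
    Event(7045, "db02", "NT AUTHORITY\\SYSTEM", {"ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe",
                                                 "ServiceType": "user mode service"}),
    Event(4698, "db02", "CORP\\jdoe", {"TaskName": r"\Maint", "Command": r"\\fs01\share\run.bat"}),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule} ({f.detail})")
```

The checks deliberately keep a low-severity rule for any uninstaller execution, not only the gpscript.exe or network-share variant, because the report stresses that the same legitimate tool is used by administrators; the escalation comes from the launch context, and the authorised-account set is what turns a plain service or task creation into a finding.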