Crypto24 Ransomware Bypasses EDR Defenses in Global Attacks

A sophisticated new ransomware operation dubbed Crypto24 has emerged as a significant global threat, specifically targeting enterprise networks with tools designed to bypass modern endpoint security solutions. Cybersecurity researchers have observed the group employing advanced techniques to evade Endpoint Detection and Response (EDR) systems, making detection particularly challenging for security teams.

The Crypto24 operation stands out for its use of Bring Your Own Vulnerable Driver (BYOVD) techniques, a growing trend among advanced threat actors. This approach involves loading a legitimately signed but vulnerable driver and exploiting it to gain kernel-level access, allowing attackers to disable or circumvent security products before deploying ransomware payloads.

Technical analysis reveals that Crypto24 operators first gain initial access through compromised RDP credentials or phishing campaigns. Once inside a network, they perform extensive reconnaissance to identify high-value targets before moving laterally. The ransomware payload is typically deployed after attackers have disabled security solutions using their kernel-level access.

Industry Impact:
The ransomware has shown particular interest in multinational corporations across three key sectors:

  1. Financial services (banks, payment processors)
  2. Manufacturing (especially automotive and aerospace)
  3. Technology (SaaS providers and IT services)

Defensive Recommendations:
Security teams should consider implementing the following measures:

  • Monitor for suspicious driver loading events
  • Implement driver allowlisting policies
  • Enable kernel-mode hardware-enforced stack protection
  • Conduct regular audits of administrative credentials
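The first two recommendations can be combined into one check. The following is an added example, not code from the original article: it parses Sysmon Event ID 6 ("Driver loaded") records and flags any driver that is loaded from an unexpected directory, is unsigned, or is not on an administrator-maintained hash allowlist. Because BYOVD abuses drivers that carry a valid signature, a valid signature alone is deliberately not treated as sufficient. The event records, hashes and allowlist entries are constructed sample values, not real indicators.

```python
"""Allowlist-based triage of kernel driver loads from Sysmon Event ID 6 records."""
from __future__ import annotations
import re

GOOD_HASH = "1" * 64     # constructed placeholder for an approved driver's SHA256
UNKNOWN_HASH = "2" * 64  # constructed placeholder for a driver nobody approved

# Hashes of drivers an administrator has reviewed and approved (the allowlist).
DRIVER_ALLOWLIST = {GOOD_HASH}

# Directories from which drivers are normally loaded on a managed Windows host.
EXPECTED_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

# Constructed Sysmon Event ID 6 message bodies ("Key: value" per line).
SAMPLE_EVENTS = [
    f"ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys\nHashes: SHA256={GOOD_HASH}\n"
    "Signed: true\nSignature: Microsoft Windows\nSignatureStatus: Valid",
    # Validly signed, yet loaded from a user-writable path and absent from the allowlist:
    # the shape a BYOVD staging of a vulnerable driver takes in the logs.
    f"ImageLoaded: C:\\Users\\Public\\example_vuln.sys\nHashes: SHA256={UNKNOWN_HASH}\n"
    "Signed: true\nSignature: Example Vendor\nSignatureStatus: Valid",
]

FIELD_RE = re.compile(r"^(\w+):\s*(.*)$", re.MULTILINE)


def parse_event(message: str) -> dict[str, str]:
    """Turn the 'Key: value' lines of a Sysmon message into a dict, extracting SHA256."""
    fields = dict(FIELD_RE.findall(message))
    for part in fields.get("Hashes", "").split(","):  # e.g. 'SHA256=...,IMPHASH=...'
        name, _, value = part.partition("=")
        if name.strip().upper() == "SHA256":
            fields["SHA256"] = value.strip().lower()
    return fields


def assess_driver_load(event: dict[str, str]) -> list[str]:
    """Return the reasons a driver load needs review; an empty list means it looks normal."""
    reasons = []
    if not event.get("ImageLoaded", "").lower().startswith(EXPECTED_DIRS):
        reasons.append("loaded from unexpected directory")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    if event.get("SHA256") not in DRIVER_ALLOWLIST:  # signature alone is not enough
        reasons.append("hash not on driver allowlist")
    return reasons


def triage(messages: list[str]) -> dict[str, list[str]]:
    """Map each flagged driver path to its reasons; approved drivers are omitted."""
    findings = {}
    for msg in messages:
        event = parse_event(msg)
        if reasons := assess_driver_load(event):
            findings[event.get("ImageLoaded", "?")] = reasons
    return findings
```

In production the input would be the Sysmon channel exported from the SIEM rather than the embedded samples, and the allowlist would be generated from a known-good build image.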

The emergence of Crypto24 highlights the evolving sophistication of ransomware operations and underscores the need for defense-in-depth strategies that go beyond traditional EDR solutions.

NewsSearcher AI-powered news aggregation
