A high-profile enterprise in the finance, manufacturing, entertainment, or tech sector (exact industry undisclosed) was compromised by the Crypto24 Ransomware Group in a highly coordinated attack. The adversaries relied on privileged account creation, scheduled tasks, and custom EDR bypass tools to evade detection while maintaining persistence. Initial access was followed by lateral movement via PSExec, credential theft using keyloggers (WinMainSvc.dll), and data exfiltration via Google Drive. The attack chain included reactivating default accounts, deploying malicious services, and patching DLLs (e.g., termsrv.dll) to enable multiple RDP sessions. Payload execution involved disabling security solutions (e.g., Trend Vision One) via gpscript.exe abuse, followed by file encryption and data theft. The attack was timed during off-peak hours to maximize damage while minimizing visibility. Critical operational disruptions occurred, including potential outages, financial data compromise, and reputational harm due to public exposure. The group's focus on large organizations with significant financial assets suggests severe operational and financial repercussions, including possible regulatory penalties, customer fraud, and loss of trust. Mitigation required emergency incident response, backup restoration, and forensic analysis to contain the breach and prevent further lateral movement.
Source: https://socprime.com/blog/crypto24-ransomware-detection/
TPRM report: https://www.rankiteo.com/company/abbyy
{
  "id": "abb806090225",
  "linkid": "abbyy",
  "type": "Ransomware",
  "date": "8/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': ['finance', 'manufacturing', 'entertainment', 'technology'],
                        'location': ['United States', 'Europe', 'Asia'],
                        'size': 'large',
                        'type': ['enterprise', 'corporate entity']}],
 'attack_vector': ['phishing (suspected initial access)',
                   'exploitation of legitimate tools (PSExec, AnyDesk, TightVNC)',
                   'abuse of Windows utilities (net.exe, sc.exe, runas.exe)',
                   'custom EDR bypass utilities (RealBlindingEDR variants)',
                   'scheduled tasks for persistence',
                   'keyloggers (WinMainSvc.dll)',
                   'Google Drive for data exfiltration',
                   'patched DLLs (e.g., termsrv.dll for RDP session hijacking)',
                   'living-off-the-land binaries (LOLBins)'],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'personally_identifiable_information': 'likely (via credential theft)',
                 'sensitivity_of_data': 'high (financial, operational, PII likely)',
                 'type_of_data_compromised': ['credentials (via keyloggers)',
                                              'system/hardware/account data (via WMIC/batch files)',
                                              'corporate files (exfiltrated via Google Drive)']},
 'date_detected': '2024-09-01',
 'date_publicly_disclosed': '2025-01-01',
 'description': 'The Crypto24 ransomware group emerged in early fall 2024, targeting large organizations across the United States, Europe, and Asia. The group employs custom tools to bypass security defenses, steal data, and encrypt files on compromised networks. Their operations include privileged account creation, scheduled tasks for persistence, and the use of legitimate tools (e.g., PSExec, AnyDesk, keyloggers, Google Drive) for lateral movement, data exfiltration, and remote access. The group leverages advanced evasion techniques, such as weaponizing RealBlindingEDR variants and abusing Trend Vision One uninstallers to disable protections before deploying ransomware. Attacks are highly coordinated, often timed for off-peak hours to maximize damage, with a focus on finance, manufacturing, entertainment, and tech sectors.',
 'impact': {'brand_reputation_impact': 'high (targeting high-profile enterprises)',
            'data_compromised': True,
            'downtime': True,
            'identity_theft_risk': 'high (credential theft via keyloggers)',
            'operational_impact': 'high (disruption of business operations, especially in finance/manufacturing)',
            'payment_information_risk': 'likely (finance sector targeted)',
            'systems_affected': True},
 'initial_access_broker': {'backdoors_established': ['TightVNC', 'custom services', 'scheduled tasks'],
                           'data_sold_on_dark_web': 'likely (stolen credentials/corporate data)',
                           'entry_point': ['phishing (suspected)', 'exploited remote services'],
                           'high_value_targets': ['finance systems', 'manufacturing controls', 'executive workstations'],
                           'reconnaissance_period': 'extensive (WMIC/batch file enumeration)'},
 'investigation_status': 'ongoing (as of 2025)',
 'lessons_learned': ['Modern ransomware groups blend legitimate tools with custom malware for evasion.',
                     'Off-peak attack timing reduces detection likelihood.',
                     'Abuse of IT admin tools (e.g., PSExec, AnyDesk) is a persistent risk.',
                     'EDR bypass techniques (e.g., RealBlindingEDR) require behavioral monitoring.',
                     'Default accounts and unmonitored scheduled tasks are common persistence vectors.'],
 'motivation': ['financial gain (ransom demands)',
                'data theft for extortion/sale on dark web',
                'disruption of high-value targets'],
 'post_incident_analysis': {'corrective_actions': ['Deploy behavioral-based EDR/XDR solutions.',
                                                   'Implement network segmentation for high-value assets.',
                                                   'Conduct regular red team exercises to test defenses against LOLBin abuse.',
                                                   'Enforce strict software allowlisting for admin tools.',
                                                   'Integrate threat intelligence feeds (e.g., SOC Prime) for early detection.'],
                            'root_causes': ['Insufficient monitoring of Windows utilities/LOLBins.',
                                            'Lack of MFA on remote access tools.',
                                            'Overprivileged default/local accounts.',
                                            'Unrestricted data exfiltration channels (e.g., Google Drive).',
                                            'Delayed detection due to off-peak attack timing.']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'Crypto24'},
 'recommendations': ['Implement Zero Trust architecture with strict least-privilege access.',
                     'Enable MFA for all remote access (RDP, VPN, admin tools).',
                     'Monitor for abuse of LOLBins (e.g., net.exe, sc.exe, gpscript.exe).',
                     'Audit scheduled tasks, services, and new privileged accounts.',
                     'Restrict Google Drive/Dropbox usage to authorized corporate instances.',
                     'Deploy AI-driven threat detection (e.g., SOC Prime, Uncoder AI).',
                     'Train employees on phishing/credential theft risks.',
                     'Isolate backups and test restoration procedures.',
                     'Patch/remove vulnerable DLLs (e.g., termsrv.dll).',
                     'Block unauthorized remote control tools (AnyDesk, TightVNC).'],
 'references': [{'date_accessed': '2025-01-01',
                 'source': 'Verizon Data Breach Investigations Report (DBIR) 2025'},
                {'source': 'Trend Micro Research on Crypto24 Ransomware'},
                {'source': 'SOC Prime Detection Rules for Crypto24', 'url': 'https://socprime.com/'},
                {'source': 'Cybersecurity Ventures Ransomware Report'}],
 'response': {'containment_measures': ['restrict RDP/remote tools to authorized systems with MFA',
                                       'monitor for abnormal use of Windows utilities/new services/scheduled tasks',
                                       'audit backups for integrity'],
              'enhanced_monitoring': ['AI-powered detection engineering (SOC Prime)',
                                      'threat hunting for Crypto24 IoCs',
                                      'monitor for data exfiltration (e.g., Google Drive abuse)'],
              'network_segmentation': 'recommended',
              'recovery_measures': ['restore from isolated backups',
                                    'patch abused DLLs (e.g., termsrv.dll)',
                                    'remove keyloggers/backdoors (e.g., WinMainSvc.dll)'],
              'remediation_measures': ['strengthen account/access controls',
                                       'enforce Zero Trust principles',
                                       'disable default accounts',
                                       'remove unauthorized privileged users'],
              'third_party_assistance': ['SOC Prime (detection rules)', 'Trend Micro (analysis)']},
 'threat_actor': 'Crypto24 Ransomware Group',
 'title': 'Crypto24 Ransomware Group Campaign (2024–2025)',
 'type': ['ransomware', 'data breach', 'credential theft', 'lateral movement'],
 'vulnerability_exploited': ['abuse of elevated privileges post-compromise (e.g., Trend Vision One uninstaller)',
                             'weak account/access controls (reactivation of default accounts, new privileged users)',
                             'unrestricted RDP/remote tool access',
                             'lack of MFA on critical systems']}