The Crypto24 group is a cybercriminal organization that carries out ransomware attacks, encrypting victims' data and demanding ransom payments. Below is a detailed breakdown of their operations and how to defend against them.
Activities
Crypto24 is known for:
- Encrypting victims' data and demanding ransom payments.
- Threatening to leak stolen data if the ransom is unpaid.
- Recent attacks include breaches at CMC Corporation (April 12, 2025, compromising ~2 TB of data) and Taxplan (April 8, 2025).
Attack Methods
- File Encryption: Appends `.crypto24` to locked files (e.g., `1.jpg` becomes `1.jpg.crypto24`).
- Infection Vectors:
- Phishing emails with malicious attachments.
- Malicious ads (malvertising).
- Exploiting unpatched software vulnerabilities.
- Ransom Notes: Leaves `Decryption.txt` with contact details (e.g., [email protected]).
Characteristics
- Operates as Ransomware-as-a-Service (RaaS), allowing low-skilled hackers to deploy attacks.
- Threatens to publish stolen data on dark web leak sites.
- No free decryption tools are available; recovery without the attackers' key is nearly impossible.
Impact
Victims span technology, finance, and business services. Even "small-scale" attacks (like CMC's) can disrupt operations by compromising sensitive data (tokens, websites).
You Should Know: How to Detect and Mitigate Crypto24 Attacks
1. Detect Ransomware Activity
- Linux command to find files carrying the extension (the leading `*` is required; `-name ".crypto24"` would only match a file named exactly `.crypto24`):
find / -type f -name "*.crypto24" 2>/dev/null
- Windows PowerShell to monitor unusual file changes:
Get-ChildItem -Path C:\ -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { $_.Extension -eq ".crypto24" }
2. Isolate Infected Systems
- Linux: Disconnect from network immediately:
ifconfig eth0 down
- Windows: Disable network adapters via CMD:
netsh interface set interface "Ethernet" admin=disable
3. Check for Ransom Notes
- Search for `Decryption.txt` on Linux (locate only reports files already in its index, so a freshly dropped note may not appear until the index is refreshed):
locate Decryption.txt
Or in Windows (CMD):
dir /s C:\Decryption.txt
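Steps 1 and 3 above are one triage task: find what was encrypted and where the notes were dropped. The following Python scanner is an added example, not code from the post or from any vendor tool; it walks a tree for the two indicators the post names (the `.crypto24` suffix and `Decryption.txt`), counts hits per directory so the hardest-hit shares stand out, records the earliest modification time among encrypted files to bound the incident timeline, and recovers the pre-encryption file name for backup lookups. `build_sample_tree` creates a constructed sample directory so the scanner can be exercised offline.

```python
import os
import tempfile
from datetime import datetime, timezone

# Indicators taken from the post: Crypto24 appends ".crypto24" to encrypted
# files and drops a ransom note named "Decryption.txt".
ENCRYPTED_SUFFIX = ".crypto24"
RANSOM_NOTE = "Decryption.txt"


def scan_for_crypto24(root):
    """Walk root and collect Crypto24 indicators: encrypted files, ransom notes,
    hits per directory (which shares were hit hardest) and the earliest mtime
    among encrypted files, which bounds when encryption began."""
    encrypted, notes, per_dir, earliest = [], [], {}, None
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(path)
            elif name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                per_dir[dirpath] = per_dir.get(dirpath, 0) + 1
                try:
                    mtime = os.stat(path).st_mtime
                except OSError:
                    continue  # file vanished or unreadable; keep scanning
                if earliest is None or mtime < earliest:
                    earliest = mtime
    started = None if earliest is None else datetime.fromtimestamp(earliest, timezone.utc).isoformat()
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "per_dir": per_dir, "earliest_encryption": started}


def original_name(encrypted_path):
    """Strip the appended suffix (1.jpg.crypto24 -> 1.jpg) to map a hit back to
    the file that must be restored from backup."""
    if not encrypted_path.endswith(ENCRYPTED_SUFFIX):
        raise ValueError("not a Crypto24-encrypted file name")
    return encrypted_path[: -len(ENCRYPTED_SUFFIX)]


def build_sample_tree():
    """Constructed sample data, not a real infection: one hit at the top level,
    two hits plus a ransom note in a subdirectory, one untouched file."""
    root = tempfile.mkdtemp(prefix="crypto24_demo_")
    os.makedirs(os.path.join(root, "shared_docs"))
    for rel in ("1.jpg.crypto24", "readme.txt", "shared_docs/a.docx.crypto24",
                "shared_docs/b.xlsx.crypto24", "shared_docs/" + RANSOM_NOTE):
        open(os.path.join(root, rel), "w").close()
    return root
```

Run it against a mounted share or a forensic image copy rather than the live victim host, and keep the output with the incident record: the per-directory counts and the earliest timestamp are what the restore and timeline work in later steps need.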
4. Prevent Further Spread
- Block Known IoCs (Indicators of Compromise). Linux example, using the C2 range the post cites:
iptables -A INPUT -s 185.165.29.0/24 -j DROP
This only drops traffic arriving from the range; beaconing out to it is not stopped unless the OUTPUT chain gets a matching rule. Verify any published IoC against current threat intelligence before deploying it.
- Windows Firewall Rule:
New-NetFirewallRule -DisplayName "Block Crypto24 C2" -Direction Outbound -Action Block -RemoteAddress 185.165.29.0/24
5. Restore from Backups
- Linux (rsync backup restore):
rsync -avz /backup/ /original_data/
- Windows (Shadow Copy restore):
vssadmin list shadows
vssadmin revert shadow /shadow={ID}
(`revert shadow` is available only on Windows Server; on client editions use the Previous Versions tab. Ransomware commonly deletes shadow copies before encrypting, so an empty `list shadows` result is itself a finding worth recording.)
6. Report the Attack
- Submit samples to VirusTotal:
curl --request POST --url 'https://www.virustotal.com/vtapi/v2/file/scan' --form 'apikey=YOUR_API_KEY' --form 'file=@malicious_file'
What Undercode Says
Crypto24 exemplifies the growing threat of Ransomware-as-a-Service (RaaS), lowering the entry barrier for cybercriminals. Key takeaways:
- Never pay the ransom: funding attackers fuels more attacks.
- Air-gapped backups are critical for recovery.
- Patch management reduces exploit risk. Linux (Debian/Ubuntu):
sudo apt update && sudo apt upgrade -y
Or Windows (PowerShell, two commands):
Install-Module PSWindowsUpdate -Force
Install-WindowsUpdate -AcceptAll -AutoReboot
- Network segmentation limits lateral movement.
Expected Output:
A hardened system with:
- Real-time file integrity monitoring (FIM):
auditctl -w /etc/ -p wa -k critical_files
- Automated backups:
tar -czvf /backup/$(date +%Y%m%d).tar.gz /critical_data
- Blocked malicious IPs via firewall rules.
Stay vigilant: ransomware evolves, but proactive defense minimizes damage.
References:
Reported By: Phuong Nguyen – Hackers Feeds
Extra Hub: Undercode MoN