Inside Crypto24: Custom EDR-Blinding and Google Drive Exfiltration in Recent Ransomware Intrusions

Ransomware crews continue to professionalize. The latest example, Crypto24, blends custom endpoint-defense blinding, stealthy persistence, and public-cloud exfiltration to quietly prepare environments for high-impact encryption events. This post breaks down what’s known and translates it into concrete detection and response guidance for blue teams.

Background

On August 14, 2025, public reporting on Crypto24 operations tracked by Trend Micro noted intrusions against large organizations across the United States, Europe, and Asia in sectors including finance, manufacturing, entertainment, and technology. The reporting highlights a post-compromise playbook that activates or creates administrative accounts, establishes multiple persistence mechanisms, evades endpoint detection and response (EDR), moves laterally via SMB, exfiltrates data to Google Drive, and finally deletes shadow copies before encryption.

Technical Analysis

Initial foothold and staging. After gaining access (vector undisclosed), operators enable default administrative accounts or create new local admins to ensure durable control. Reconnaissance is performed via batch scripts that enumerate users, hardware, and disk layout.

Persistence and tooling. Two notable Windows services are installed: WinMainSvc (a keylogger masquerading as “Microsoft Help Manager”) and MSRuntime (a ransomware loader). Staged payloads are deployed and scheduled tasks are configured for reliability.

EDR evasion with custom RealBlindingEDR. A modified variant of the open-source RealBlindingEDR is used to identify security vendors from driver metadata and disable kernel-level callbacks, effectively “blinding” agents from multiple vendors (reports list targets including Trend Micro, Kaspersky, Sophos, SentinelOne, Malwarebytes, Cynet, McAfee, Bitdefender, Broadcom/Symantec, Cisco, Fortinet, and Acronis). In some cases, the actors execute Trend Micro’s legitimate XBCUninstaller.exe—observed launched via gpscript.exe—to remove Trend Vision One components before staging follow-on payloads.

Data theft and encryption. Exfiltration uses a custom tool leveraging the WinINET API to push data to Google Drive. Prior to detonation, the operators delete volume shadow copies to hinder recovery, then execute the ransomware payload.

End-to-end flow (high level).

  [Initial Access]
  [Privilege Establishment] - enable default admin / create local admin
  [Recon] - batch enumeration (accounts, hardware, disks)
  [Persistence] - Service: WinMainSvc (keylogger); Service: MSRuntime (loader)
  [EDR Evasion] - custom RealBlindingEDR disables kernel callbacks; optional uninstall via XBCUninstaller.exe (launched via gpscript.exe)
  [Lateral Movement] - SMB shares
  [Exfiltration] - Google Drive via WinINET
  [Impact] - delete VSS; encrypt

Impact & Implications

Crypto24’s approach undermines the core visibility assumptions many enterprises place on EDR. Because the actors target kernel driver callbacks and opportunistically uninstall agents, defenders may experience blind spots precisely during staging and lateral movement. Because the tooling is vendor-agnostic and relies on legitimate binaries where possible, organizations across multiple sectors and EDR ecosystems are potentially exposed. Public-cloud exfiltration via Google Drive blends in with common business workflows, complicating egress-based detections.

Defensive Recommendations

Hardening & prevention

  • Enable and enforce EDR tamper protection and ensure agents require strong credentials or hardware-backed controls for uninstallation or driver changes.
  • Restrict execution of administrative tools (e.g., gpscript.exe, vendor uninstallers like XBCUninstaller.exe) via AppLocker/WDAC; allow only signed and explicitly approved paths and hashes.
  • Kernel driver protections: block or alert on unsigned/unknown drivers and changes to callback registrations; require admin + code integrity for driver loads.
  • Service creation controls: limit who can install services; monitor for suspicious names such as WinMainSvc and MSRuntime.
  • Cloud egress governance: brokered access to Google Drive; enforce CASB/DLP and OAuth app controls; alert on anomalous uploads at scale.

Detection ideas (Windows Security + Sysmon)

  • Service installation: Windows Security 4697 and System 7045 where ServiceName in ("WinMainSvc","MSRuntime") or unusual binary paths.
  • Process creation: Event 4688 / Sysmon 1 for gpscript.exe spawning XBCUninstaller.exe; unusual parent-child chains involving EDR uninstallers or administrative tools.
  • Driver tampering: Sysmon 6 (DriverLoad) for non-standard or unsigned drivers; alert on processes enumerating or modifying kernel callbacks.
  • Shadow copy deletion: Command lines invoking vssadmin delete shadows, wmic shadowcopy delete, or equivalent PowerShell.
  • Google Drive exfiltration: proxy/DNS for high-volume drive.google.com uploads from servers or non-user endpoints; Sysmon 3 network connections to Drive during off-hours.
  • Registry & autoruns: Sysmon 13 (RegistryValueSet) for service persistence keys and suspicious Run/Services entries tied to keylogger/loader modules.
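The service-install, gpscript.exe parent-child, and shadow-copy-deletion checks above, as an added Python example that is not code from the original post; the event dicts are constructed samples modelled on the named event IDs, and the field names and the PowerShell/WMI shadow-copy regex are assumptions.

```python
import re

# Constructed sample events (not real telemetry), modelled on Security 4697/4688,
# System 7045 and Sysmon 1 fields; the field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"source": "System", "id": 7045, "ServiceName": "WinMainSvc",
     "ImagePath": r"C:\ProgramData\helpmgr\svc.exe"},
    {"source": "System", "id": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"source": "Sysmon", "id": 1, "ParentImage": r"C:\Windows\System32\gpscript.exe",
     "Image": r"C:\Temp\XBCUninstaller.exe", "CommandLine": "XBCUninstaller.exe"},
    {"source": "Security", "id": 4688, "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"source": "Security", "id": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c whoami"},
]

SUSPICIOUS_SERVICES = {"winmainsvc", "msruntime"}
SERVICE_INSTALL_IDS = {("Security", 4697), ("System", 7045)}
# Shadow-copy deletion command lines. The third pattern (WMI via PowerShell) is an
# assumed "equivalent PowerShell" form and is not listed on the page.
VSS_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*(Remove-WmiObject|Remove-CimInstance|\.Delete\(\))", re.I),
]

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return a detection label for one event, or None if nothing matched."""
    key = (ev["source"], ev["id"])
    if key in SERVICE_INSTALL_IDS and ev.get("ServiceName", "").lower() in SUSPICIOUS_SERVICES:
        return "suspicious_service_install"
    if (key == ("Sysmon", 1) and basename(ev.get("ParentImage", "")) == "gpscript.exe"
            and basename(ev.get("Image", "")) == "xbcuninstaller.exe"):
        return "edr_uninstall_via_gpscript"
    if any(p.search(ev.get("CommandLine", "")) for p in VSS_PATTERNS):
        return "shadow_copy_deletion"
    return None

def detect(events):
    """Run every event through classify() and keep the hits as (event id, label) pairs."""
    return [(ev["id"], label) for ev in events if (label := classify(ev)) is not None]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

In production the same logic belongs in a SIEM rule; the point here is that each check keys on the event source and ID first, so a benign 4688 with a matching command line is still caught while a Spooler install is not.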

IR playbook pointers

  • Hunt for newly enabled/default admin accounts and recent net localgroup administrators changes.
  • Inventory recent service creations; quarantine binaries and capture memory from hosts that created WinMainSvc or MSRuntime.
  • Block and rotate credentials used on any host exhibiting EDR tampering or agent removal.
  • Review OAuth grants and audit logs for Google Drive; revoke suspicious tokens; enforce domain-restricted Drive sharing.

Conclusion

Crypto24 exemplifies a broader trend: ransomware actors are normalizing kernel-level EDR interference and cloud-native exfiltration ahead of encryption. Defenders should assume temporary telemetry loss during the most critical phases of an intrusion and layer controls accordingly—hardware-backed tamper protection, strict application control for admin tooling, kernel-driver visibility, and egress governance for sanctioned cloud apps. If your detections still assume the EDR is always watching, it’s time to recalibrate.