What is Crypto24 Ransomware and is it in New Zealand Organisations?

Crypto24 ransomware has emerged as a significant cybersecurity threat in 2024 and 2025, targeting high-value organizations across multiple continents with sophisticated attack techniques. This relatively new but highly dangerous ransomware group has demonstrated advanced capabilities that have caught the attention of global cybersecurity experts and organizations worldwide.

As New Zealand organizations face an increasingly complex threat landscape, understanding Crypto24’s methods, capabilities, and potential impact on local businesses is crucial for maintaining robust cybersecurity defenses.

Understanding Crypto24 Ransomware

Crypto24's earliest publicly reported activity surfaced on the BleepingComputer forums in September 2024. Initially regarded as a rudimentary operation, the group has since developed into a capable threat actor employing advanced techniques and custom-built tools.


Crypto24 came to wider attention in April 2025, when it claimed eight victims worldwide; subsequent research indicates the group had been active for longer and has impacted significantly more organizations.

Technical Characteristics

Crypto24 ransomware operates a double-extortion model, combining data encryption with the threat of publishing stolen data. Encrypted files receive a “.crypto24” extension and a ransom note named “Decryption.txt” is dropped. The note warns victims against modifying encrypted files and threatens to publish stolen data if the ransom is not paid. These artefacts are useful for confirming an incident, but they appear only once encryption is already under way; the earlier-stage activity described below is what gives defenders time to act.

Crypto24’s Sophisticated Attack Methods

What sets Crypto24 apart from many other ransomware groups is its technical sophistication and operational maturity. According to Trend Micro researchers tracking Crypto24's operations, the group has hit several large organizations in the United States, Europe, and Asia, focusing on high-value targets in the finance, manufacturing, entertainment, and technology sectors.

Advanced Evasion Techniques

Crypto24's most concerning capability is its use of custom tooling to bypass security solutions. The group uses a customised variant of the open-source tool RealBlindingEDR, which disables security agents by targeting their kernel drivers, and has been observed neutralising products from Sophos, Trend Micro, Kaspersky, Malwarebytes, Bitdefender, and others. Because the tampering happens at kernel level, any detection that depends on the agent itself is blind once the tool has run; driver-load telemetry, agent tamper protection, and alerting on agents that go silent are the controls that still see it.

The threat actor operates with a high level of coordination, frequently launching attacks during off-peak hours to evade detection and maximize impact, demonstrating strategic planning and operational awareness.

Multi-Stage Attack Process

Crypto24 employs a sophisticated, multi-stage attack methodology:

  • Initial Access: The group gains entry through harvested VPN credentials, phishing emails, or exposed remote access portals lacking multi-factor authentication
  • Privilege Escalation: Attackers reactivate default administrative accounts and create multiple new user accounts with common or generic names to avoid drawing attention
  • Lateral Movement: The group uses legitimate administration tools such as PsExec alongside custom malware to move through the network
  • Security Bypass: Custom EDR evasion tools disable security monitoring and detection capabilities
  • Data Exfiltration: Data theft and ongoing surveillance are achieved through keyloggers, Google Drive exfiltration, and persistent remote access
  • Encryption: Final payload deployment encrypts critical systems and data

Global Impact and Target Profile

Crypto24 has demonstrated a preference for targeting large, well-resourced organizations with valuable data assets. The group has concentrated its efforts on organizations in Asia, Europe, and the USA, with targets spanning the financial services, manufacturing, entertainment, and technology sectors.

Notable Attacks

The group has claimed responsibility for several high-profile attacks, including one on the Vietnamese technology group CMC Group, from which it claimed to have stolen 2 TB of data; CMC reportedly restored operations within 24 hours. The incident illustrates both the group's ability to penetrate a well-resourced network and the value of robust backup and recovery procedures.

The group has targeted organizations across multiple sectors, with victims including legal firms, pharmaceutical companies, and manufacturing entities, showing their broad targeting strategy.

New Zealand’s Cybersecurity Landscape

New Zealand faces an increasingly challenging cybersecurity environment that makes organizations potentially vulnerable to sophisticated threats like Crypto24. The NCSC Q3 2024 Report highlights a 58% rise in New Zealand cyber incidents, with 1,905 reported cyber incidents marking a notable increase compared to the previous quarter.

Current Threat Environment

New Zealand's National Cyber Security Centre (NCSC) reported that the country faced increasingly sophisticated threats from criminal groups and foreign state actors, recording a total of 7,122 cybersecurity incidents for the year ending June 30, 2024.

The financial impact is substantial. NCSC's Q4 2024 report recorded a 24% rise in reported financial losses, to $6.8 million for the quarter; over recent quarters New Zealand has reported $44 million in losses to cybercrime, an average of $5.5 million per quarter.

Industry Vulnerabilities

New Zealand organizations across various sectors face persistent threats. Phishing and credential harvesting attacks continue to be the most prevalent cybercrimes, accounting for 43% of all reported incidents, with other common categories including scams and fraud (31%), and unauthorized access (16%).

Is Crypto24 Active in New Zealand?

While there are no confirmed public reports of Crypto24 specifically targeting New Zealand organizations, several factors suggest local organizations should be concerned about this threat:

Regional Activity Patterns

Oceania reported 14 incidents in Q1 2025, with Australia experiencing 13 incidents and one incident in New Zealand, though this data relates to general ransomware activity rather than Crypto24 specifically.

The group’s demonstrated capability to target organizations across multiple continents, combined with New Zealand’s integration into global business networks, creates potential exposure risk for local organizations.

Target Profile Alignment

Many New Zealand organizations fit Crypto24’s preferred target profile:

  • Well-established companies with valuable data assets
  • Organizations in manufacturing, financial services, and technology sectors
  • Entities with international business connections
  • Companies with moderate cybersecurity maturity that still carry exploitable gaps (for example remote access without MFA, or endpoint protection without tamper protection)

Protection Strategies Against Crypto24

Given Crypto24’s sophisticated capabilities, New Zealand organizations need comprehensive protection strategies:

Technical Controls

  • Multi-Factor Authentication: Implement MFA on all external services and VPN connections to prevent credential-based attacks
  • Network Segmentation: CMC's segmentation reportedly kept the encryption out of its core SaaS platforms; segment so that a compromised endpoint or file server cannot reach backup, identity, and production systems directly
  • Backup Strategy: CMC's 24-hour recovery reportedly hinged on air-gapped repositories; maintain offline or immutable backups and test restores regularly, since a backup that cannot be restored under time pressure is not a backup
  • Endpoint Protection: Deploy advanced EDR solutions with behavioral analysis capabilities
  • Monitoring: Monitor for abnormal outbound traffic as 2 TB of data exfiltration left a clear egress pattern
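The monitoring point above is concrete enough to implement. Below is an added example (not the article's code, and not anything from CMC Group or Trend Micro) that baselines each host's daily outbound volume against its own recent history and separately flags large first-time uploads to file-sharing domains. It assumes you already export flow, proxy, or firewall records as (timestamp, host, destination domain, bytes sent) rows; the domain list and thresholds are illustrative assumptions to tune, and the sample flows are constructed.

```python
"""Added example: flag abnormal outbound volume per host from flow records.

Not code from the article or from CMC Group. Assumes flow, proxy or firewall
records exported as (timestamp, host, destination domain, bytes sent) rows.
The records below are constructed: a quiet working week on two workstations,
then a 12 GB weekend upload from one of them to a file-sharing domain.
Thresholds are starting points to tune, not tuned values.
"""
from collections import defaultdict
from statistics import median

# Consumer file-sharing domains that deserve a second look on a volume spike.
# Illustrative list; the article notes Crypto24 used Google Drive for exfiltration.
SHARING_DOMAINS = {"drive.google.com", "www.googleapis.com", "dropbox.com", "mega.nz"}

SPIKE_FACTOR = 5.0            # a day more than 5x the host's median day...
ABSOLUTE_FLOOR = 5 * 10**9    # ...that also exceeds 5 GB is a spike
NEW_DEST_MIN_BYTES = 10**9    # >1 GB to a sharing domain never seen before
MIN_HISTORY_DAYS = 3          # need a few days before a median means anything


def find_egress_anomalies(records):
    """Return alerts for (a) per-host daily volume spikes against the host's own
    history and (b) large first-time uploads to file-sharing domains."""
    per_host_day = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    per_host_day_dom = defaultdict(int)                    # (host, day, domain) -> bytes
    first_seen = {}                                        # (host, domain) -> first day
    for ts, host, domain, nbytes in sorted(records):       # chronological order
        day = ts[:10]
        per_host_day[host][day] += nbytes
        per_host_day_dom[(host, day, domain)] += nbytes
        first_seen.setdefault((host, domain), day)

    alerts = []
    for host, days in per_host_day.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]       # only earlier days
            if len(history) < MIN_HISTORY_DAYS:
                continue
            baseline = median(history)
            if days[day] > max(SPIKE_FACTOR * baseline, ABSOLUTE_FLOOR):
                alerts.append({"host": host, "day": day, "kind": "volume_spike",
                               "bytes": days[day], "baseline": baseline})
    for (host, day, domain), nbytes in per_host_day_dom.items():
        if (domain in SHARING_DOMAINS and first_seen[(host, domain)] == day
                and nbytes >= NEW_DEST_MIN_BYTES):
            alerts.append({"host": host, "day": day, "kind": "new_sharing_destination",
                           "domain": domain, "bytes": nbytes})
    return sorted(alerts, key=lambda a: (a["host"], a["day"], a["kind"]))


def _workday(host, day, nbytes):
    """Constructed record: ordinary daytime traffic to an internal site."""
    return (f"{day}T10:00:00", host, "intranet.example.nz", nbytes)


# Constructed sample flows (not real telemetry).
SAMPLE_FLOWS = [
    _workday("WS07", "2025-06-09", 190_000_000),
    _workday("WS07", "2025-06-10", 210_000_000),
    _workday("WS07", "2025-06-11", 180_000_000),
    _workday("WS07", "2025-06-12", 220_000_000),
    _workday("WS07", "2025-06-13", 200_000_000),
    ("2025-06-14T01:40:00", "WS07", "drive.google.com", 12_000_000_000),  # Saturday night
    _workday("WS08", "2025-06-09", 150_000_000),
    _workday("WS08", "2025-06-10", 160_000_000),
    _workday("WS08", "2025-06-11", 170_000_000),
    _workday("WS08", "2025-06-12", 155_000_000),
    ("2025-06-12T15:00:00", "WS08", "drive.google.com", 300_000_000),  # small, routine share
    _workday("WS08", "2025-06-13", 165_000_000),
]

if __name__ == "__main__":
    for a in find_egress_anomalies(SAMPLE_FLOWS):
        print(a)
```

Baselining each host against its own history rather than a fleet-wide average is the design choice that matters: a build server pushing 20 GB a day is normal for that host, while 12 GB from a workstation that usually sends 200 MB is not. The absolute floor stops tiny hosts from alerting on noise, and the first-time-destination rule catches the case where a modest-looking upload goes somewhere the host has never spoken to before.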

Operational Measures

  • Regular security awareness training focusing on phishing and social engineering
  • Incident response planning with regular testing and updates
  • Vulnerability management programs with rapid patching procedures
  • Regular security assessments and penetration testing

Detection and Response Considerations

Organizations should be alert for indicators of Crypto24 activity:

Early Warning Signs

  • Unusual administrative account activity, particularly reactivation of default accounts
  • Creation of new user accounts with generic names
  • Unexpected remote access tool installations (AnyDesk, etc.)
  • Security tool malfunctions or unexpected uninstallations
  • Unusual outbound network traffic patterns
  • Bulk file renames or writes outside business hours (mass encryption leaves this pattern)
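The warning signs above, together with the account reactivation, generic-name account creation, and driver-level EDR tampering described under Multi-Stage Attack Process, map onto a handful of Windows event IDs that most SIEMs already ingest. The following is an added example, not code from this article, from Trend Micro, or from any vendor, of those rules in Python. It assumes events have already been parsed into dictionaries carrying the event ID, an ISO 8601 timestamp, and the standard event-data fields; the sample events are constructed, and the account, service, and tool name lists are illustrative placeholders to replace with your own fleet's values.

```python
"""Added example: turn the early-warning signs into detection rules.

Not Crypto24 tooling and not code from the original article. Assumes events
have already been parsed from the Windows Security and System logs into dicts
with an 'id' (event ID), an ISO 8601 'time', a 'host', and the usual
event-data fields. The sample events at the bottom are constructed.
"""
from datetime import datetime
from typing import Optional, Tuple

# Account names attackers favour because they blend in (illustrative list).
GENERIC_NAMES = {"admin", "administrator", "user", "test", "temp", "backup",
                 "support", "svc", "service", "helpdesk", "it"}
# Built-in Administrator (RID 500) and Guest (RID 501): match on the SID suffix,
# because the display names can be renamed and often are.
DEFAULT_RIDS = {"500", "501"}
# Illustrative security-agent service names; populate from your own fleet.
SECURITY_SERVICES = {"WinDefend", "Sense", "MBAMService"}
# Remote-access tool the article mentions; extend with whatever you do not sanction.
REMOTE_TOOLS = {"anydesk.exe"}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local; weekends are off-hours


def off_hours(ts: str) -> bool:
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or t.hour not in BUSINESS_HOURS


def rid(sid: str) -> str:
    """Relative identifier: the last component of a SID."""
    return sid.rsplit("-", 1)[-1]


def classify(e: dict) -> Optional[Tuple[str, str]]:
    """Return (severity, message) if the event matches a warning sign, else None."""
    eid = e["id"]
    # 4722: a user account was enabled. Re-enabling a built-in account is the tell.
    if eid == 4722 and rid(e.get("TargetSid", "")) in DEFAULT_RIDS:
        return "high", (f"default account {e['TargetUserName']} (RID {rid(e['TargetSid'])}) "
                        f"re-enabled by {e['SubjectUserName']}")
    # 4720: a user account was created.
    if eid == 4720 and e["TargetUserName"].lower() in GENERIC_NAMES:
        return "medium", f"generic-looking account {e['TargetUserName']} created by {e['SubjectUserName']}"
    # 4732: a member was added to a security-enabled local group.
    if eid == 4732 and e.get("TargetUserName", "").lower() == "administrators":
        return "medium", f"{e['MemberName']} added to local Administrators"
    # 7045 (System log): a service was installed. A kernel driver from outside
    # the drivers directory is the shape of a bring-your-own-driver EDR kill.
    if eid == 7045 and e.get("ServiceType", "").lower() == "kernel mode driver":
        if "\\system32\\drivers\\" not in e["ImagePath"].lower():
            return "high", f"kernel driver {e['ServiceName']} installed from unusual path {e['ImagePath']}"
    # 7036 (System log): a service changed state; security agents should not stop.
    if eid == 7036 and e.get("ServiceName") in SECURITY_SERVICES and e.get("State") == "stopped":
        return "high", f"security service {e['ServiceName']} entered the stopped state"
    # 4688: process creation.
    if eid == 4688 and e["NewProcessName"].rsplit("\\", 1)[-1].lower() in REMOTE_TOOLS:
        return "medium", f"remote-access tool launched: {e['NewProcessName']}"
    return None


def detect(events: list) -> list:
    """Run every event through the rules; escalate anything seen off-hours."""
    alerts = []
    for e in events:
        hit = classify(e)
        if hit is None:
            continue
        sev, msg = hit
        if off_hours(e["time"]):
            sev = "critical" if sev == "high" else "high"
            msg += " (off-hours)"
        alerts.append({"time": e["time"], "host": e["host"], "severity": sev, "message": msg})
    return alerts


# Constructed sample events (not real telemetry). 2025-06-14 is a Saturday.
SAMPLE_EVENTS = [
    {"id": 4722, "time": "2025-06-14T02:11:05", "host": "FS01", "SubjectUserName": "svc_backup",
     "TargetUserName": "Administrator", "TargetSid": "S-1-5-21-1111-2222-3333-500"},
    {"id": 4720, "time": "2025-06-14T02:12:40", "host": "FS01", "SubjectUserName": "Administrator",
     "TargetUserName": "support"},
    {"id": 4720, "time": "2025-06-16T10:05:00", "host": "DC01", "SubjectUserName": "hr.onboard",
     "TargetUserName": "j.tamihana"},
    {"id": 7045, "time": "2025-06-14T02:30:19", "host": "FS01", "ServiceName": "updatedrv",
     "ImagePath": "C:\\Windows\\Temp\\upd.sys", "ServiceType": "kernel mode driver"},
    {"id": 7036, "time": "2025-06-14T02:30:22", "host": "FS01", "ServiceName": "WinDefend", "State": "stopped"},
    {"id": 4688, "time": "2025-06-16T14:20:00", "host": "WS22",
     "NewProcessName": "C:\\Users\\kat\\Downloads\\AnyDesk.exe"},
    {"id": 4688, "time": "2025-06-16T14:21:00", "host": "WS22",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['severity']:<8} {a['host']:<5} {a['time']} {a['message']}")
```

Matching the built-in Administrator and Guest accounts on the RID suffix of the SID rather than on the display name matters because renaming those accounts is common hardening advice, and an attacker re-enables them under whatever name they currently carry. The off-hours escalation turns the article's observation about off-peak timing into something a triage queue can sort on, and the kernel-driver rule is the one signal that survives the EDR agent itself being disabled, because it is written by the Service Control Manager rather than by the agent.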

Response Priorities

If Crypto24 indicators are detected:

  1. Immediately isolate affected systems to prevent lateral movement
  2. Preserve forensic evidence for analysis
  3. Activate incident response procedures
  4. Notify relevant authorities including NCSC
  5. Assess backup integrity and recovery options
  6. Coordinate with cybersecurity experts for remediation

Industry-Specific Considerations

Different New Zealand industry sectors face varying levels of Crypto24 risk:

Manufacturing

Manufacturing organizations are particularly at risk given manufacturing remains the most impacted sector globally, accounting for 68 percent of all ransomware activity and Crypto24’s demonstrated focus on this sector.

Financial Services

Financial institutions face elevated risk due to Crypto24’s targeting preferences and the valuable data they possess. Enhanced monitoring and zero-trust architectures are essential.

Technology Companies

Technology organizations may be targeted for their intellectual property and customer data. These companies should prioritize advanced threat detection and response capabilities.

Regulatory and Compliance Implications

New Zealand organizations must consider regulatory requirements when addressing Crypto24 threats:

Privacy Act Requirements

Under New Zealand's Privacy Act 2020, organizations must notify the Privacy Commissioner, and normally the affected individuals, of a privacy breach that has caused or is likely to cause serious harm. Because Crypto24 steals data before encrypting it, a Crypto24 intrusion is likely to be a notifiable breach and not merely an availability incident.

Critical Infrastructure Protection

Organizations operating critical infrastructure face additional responsibilities for maintaining cybersecurity resilience and may be subject to specific reporting requirements.

Future Threat Evolution

Crypto24 represents an evolution in ransomware sophistication that other groups are likely to emulate. The group's customised EDR-killing tool achieves its evasion most likely by loading vulnerable drivers that have not yet been publicly identified, which points to deep technical expertise and ongoing tool refinement.

New Zealand organizations should prepare for continued evolution in ransomware tactics, including:

  • Increased use of AI-enhanced attack techniques
  • More sophisticated EDR bypass capabilities
  • Greater focus on supply chain compromise
  • Advanced persistence mechanisms

Frequently Asked Questions

Has Crypto24 ransomware been confirmed in New Zealand organizations?

While there are no publicly confirmed cases of Crypto24 specifically targeting New Zealand organizations, the group’s global reach and targeting preferences suggest local entities could be at risk, particularly in manufacturing, financial services, and technology sectors.

How does Crypto24 differ from other ransomware groups?

Crypto24 distinguishes itself through sophisticated EDR bypass capabilities, coordinated off-peak attacks, and the use of legitimate tools alongside custom malware. The group demonstrates higher operational maturity than many ransomware operations.

What should New Zealand businesses do to protect against Crypto24?

Organizations should implement comprehensive security measures including multi-factor authentication, network segmentation, offline backups, advanced endpoint protection, and continuous monitoring for suspicious activities.

Can Crypto24 ransomware be decrypted without paying the ransom?

Currently, there are no known free decryption tools for Crypto24 ransomware. Each infection appears to use unique encryption keys, making recovery without the attackers’ cooperation extremely difficult.

How quickly does Crypto24 typically execute attacks?

Research indicates Crypto24 operations often have minimal dwell time, sometimes less than six hours from initial access to payload deployment, emphasizing the need for rapid detection and response capabilities.

Should organizations pay Crypto24 ransom demands?

Security experts and law enforcement agencies consistently advise against paying ransoms, as it provides no guarantee of data recovery and funds criminal activities. Focus should be on prevention, detection, and backup-based recovery.

How can New Zealand organizations report suspected Crypto24 activity?

Suspected ransomware incidents should be reported immediately to New Zealand’s National Cyber Security Centre (NCSC) through their incident reporting portal, while also engaging law enforcement and cybersecurity professionals.

What makes New Zealand organizations attractive targets for groups like Crypto24?

New Zealand’s advanced economy, strong international business connections, valuable data assets, and potentially moderate cybersecurity maturity in some sectors could make local organizations attractive to sophisticated ransomware groups.

While Crypto24 has not been publicly linked to attacks on New Zealand organizations, the group’s capabilities and targeting preferences suggest local businesses should take this threat seriously. The combination of sophisticated attack techniques, advanced evasion capabilities, and New Zealand’s evolving threat landscape creates a compelling case for enhanced cybersecurity measures across all sectors. Organizations that proactively implement comprehensive security controls and maintain robust incident response capabilities will be best positioned to defend against Crypto24 and similar advanced threats.
