Prevent Ransomware Blog

Crypto24 Ransomware strikes in manufacturing, other sectors

Written by Tony Chiappetta | Sep 20, 2025 9:00:00 AM

Recent research by Trend Micro has uncovered a particularly troubling trend: Crypto24, a new ransomware group, is blending legitimate tools with custom malware to infiltrate manufacturing, entertainment, finance, and tech sectors and to evade traditional defenses (as reported by Industrial Cyber).

Here’s what businesses need to know—and why it’s critical to move from a strategy of “Detect and Respond” toward one of Isolation and Containment.

What makes Crypto24 so dangerous

Based on the Trend Micro / Industrial Cyber report, Crypto24’s attack vector is notably sophisticated:

  • It uses legitimate tools (PsExec, AnyDesk, Windows native utilities, etc.) for critical parts of the attack—lateral movement, remote access, privilege escalation. That lets it hide among normal system operations.

  • Custom malware is also in the mix, including backdoors, keyloggers, and a customized build of a tool called RealBlindingEDR, which is used to disable or bypass endpoint detection and response (EDR) systems.

  • The adversary is often patient: it establishes persistence, creates or reactivates administrative accounts, sets up remote access, and works during off-peak hours. All of this makes detection harder.

  • Data exfiltration is part of the playbook, not just encryption; Google Drive is used for stealthy data theft.
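As an added example (not from this post or the Trend Micro report), the Python below flags the behaviours listed above in constructed Windows event records: accounts created or re-enabled, additions to the Administrators group, and PsExec-style service installs, rating them higher when they happen outside an assumed business window. The event IDs are standard Windows Security/System events; the sample records, field names and 08:00-18:00 weekday window are assumptions.

```python
"""Flag Crypto24-style behaviours in Windows event records: accounts created
or re-enabled, additions to Administrators, PsExec-style service installs,
with severity raised outside business hours. Added example; the records,
field names and business window below are constructed assumptions."""
from datetime import datetime

# Standard Windows Security/System event IDs for the behaviours in question
ACCOUNT_CREATED = 4720     # a user account was created
ACCOUNT_ENABLED = 4722     # a user account was enabled (reactivated)
ADDED_TO_GROUP = 4732      # a member was added to a security-enabled local group
SERVICE_INSTALLED = 7045   # a service was installed (PsExec installs PSEXESVC)

BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 local time, Mon-Fri

# Constructed sample records: (timestamp, event ID, key=value detail)
SAMPLE_EVENTS = [
    ("2025-09-02 10:15:00", 4720, "TargetUserName=jdoe"),
    ("2025-09-03 02:41:10", 4722, "TargetUserName=svc_backup"),
    ("2025-09-03 02:43:55", 4732, "GroupName=Administrators MemberName=svc_backup"),
    ("2025-09-03 02:50:12", 7045, "ServiceName=PSEXESVC"),
    ("2025-09-03 14:00:00", 7045, "ServiceName=BackupAgent"),
]

def is_off_hours(ts):
    """True when an event falls on a weekend or outside the assumed business window."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return dt.weekday() >= 5 or dt.hour not in BUSINESS_HOURS

def classify(event_id, detail):
    """Name the Crypto24-like behaviour an event resembles, or None if benign."""
    if event_id == ACCOUNT_CREATED:
        return "account created"
    if event_id == ACCOUNT_ENABLED:
        return "account re-enabled"
    if event_id == ADDED_TO_GROUP and "GroupName=Administrators" in detail:
        return "added to Administrators"
    if event_id == SERVICE_INSTALLED and "PSEXESVC" in detail.upper():
        return "PsExec service installed"
    return None

def find_suspicious(events):
    """Return (timestamp, behaviour, severity); off-hours activity is rated high."""
    findings = []
    for ts, event_id, detail in events:
        behaviour = classify(event_id, detail)
        if behaviour is not None:
            severity = "high" if is_off_hours(ts) else "medium"
            findings.append((ts, behaviour, severity))
    return findings
```

Running `find_suspicious(SAMPLE_EVENTS)` returns four findings, three of them rated high because the re-enabled account, its promotion to Administrators and the PSEXESVC install all land in the same early-morning window.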

Why “Detect and Respond” is no longer enough

Traditional security tools and strategies broadly follow a detect-and-respond model:

  1. Detect something suspicious (network traffic, unusual account behavior, malware signatures)

  2. Raise an alert

  3. Investigate

  4. Respond (quarantine, shut down systems, restore backups, etc.)

But with threats like Crypto24:

  • Detection is evaded. Crypto24 deliberately abuses built-in, legitimate tools to fly under the radar.

  • By the time detection triggers, damage may already have spread: persistent access established, data exfiltrated, credentials stolen.

  • There’s often too much delay in response. Even with fast response, cleanup can be complex, costly, and damaging (both to operations and reputation).

So, what’s needed is a stronger method—one that prevents or dramatically limits the ability of malware or malicious actors to move, escalate privileges, or execute damage, even before detection.

Isolation & Containment: What that looks like

Instead of waiting for something to be detected, isolation and containment strategies are designed to block the attack from escalating and limit its damage. Key features include:

  • Blocking untrusted or unknown executables from launching or accessing sensitive resources.

  • Preventing unauthorized privilege escalation or lateral movement, even if something already got a foothold.

  • Preventing tampering with security software itself.

  • Restricting or isolating what tools (even legitimate ones) can do, based on policy.

This doesn’t just reduce risk—it reduces the blast radius. Even if part of the system has been compromised, the attacker can’t move freely to other parts of the network or manipulate security controls.

Why AppGuard is the proven solution

This is where AppGuard comes into play. For over 10 years this endpoint protection solution has defended against exactly these kinds of attacks. It shifts the security model from “detect and respond” toward proactive isolation and containment.

Here are some highlights:

  • AppGuard enforces policies that prevent untrusted or malicious code—even if delivered via legitimate-looking tools—from executing or altering critical system components.

  • It prevents privilege escalation and attempts to manipulate or disable security agents.

  • It limits lateral movement by enforcing containment boundaries, such that even if an attacker gets in, they can’t freely explore, escalate, or pivot across the environment.

  • It adds resilience by ensuring that security controls can’t be easily bypassed or uninstalled.

Businesses using AppGuard are less vulnerable to strategies like Crypto24’s blend of legitimate tool abuse and custom malware, because the “terrain” attackers rely on (the ability to mix in with normal tools, disable defenses, and move freely) is much harder to exploit.

What business leaders should do now

If your organization is still relying primarily on detection and response, then Crypto24 and similar threats pose a serious danger. Here are steps you should consider:

  1. Assess your current endpoint protections. Is your EDR easily bypassed? Can it be uninstalled or disabled by local users or scripts?

  2. Map out your attack surfaces. Which tools, scripts, and services are in use that could be turned against you? Remote access tools? Built-in administrative utilities?

  3. Define containment policies. Limit what those tools can do, who can use them, and under what conditions.

  4. Implement isolation tools. Use a solution like AppGuard that actively enforces containment.

  5. Regularly test and validate. Simulate attacks that try to bypass detection, use legitimate tools maliciously, escalate privileges, etc. See what your defenses do—and where gaps are.

Conclusion

The Crypto24 case is a stark reminder that modern ransomware attackers are not just brute-force or obviously malicious malware actors. They are strategic, patient, and skilled at using what’s “normal” in a system against the system itself. Detection and response are no longer enough on their own.

For business leaders who want to seriously protect operations, IP, and reputation, isolation and containment must be a core part of endpoint protection. Solutions like AppGuard, with a proven 10-year history, deliver that protection. They shrink the window of opportunity for threats like Crypto24 to do damage.

Call to Action

If you’re a business owner concerned about threats like Crypto24, or any advanced attack designed to circumvent detection, let’s talk. At CHIPS, we can show you how AppGuard stops attacks not by waiting for alerts, but by isolating suspicious behavior, containing it before damage spreads, and preventing bypass of security agents.

Don’t wait for the next breach. Move beyond “detect & respond.” Reach out today to find out how AppGuard can protect your endpoints, your data, and your business.
