8.01.2026
Ransomware attack alert: Crypto24 evades EDR in Latin America
Ransomware attack: Protect your organization against the rise of this cyberattack in Latin America with concrete measures and expert advice.
In recent days, worrying activity has been detected related to Crypto24, a new ransomware variant that is affecting organizations in Latin America. This ransomware attack has proven capable of evading endpoint detection and response (EDR) solutions, which significantly increases its danger.
At Wezen, in line with our commitment to keeping our customers informed, we are sharing this preventive alert along with specific recommendations for different security platforms. Our approach is clear: anticipate, strengthen controls, and improve detection and containment capabilities before a threat escalates.
The main source of this communication is the article published by Segu-Info, a trusted reference in cybersecurity in the region.
What is Crypto24 and why is it so concerning?
Crypto24 is a recently identified ransomware family that has begun to spread among Latin American companies. Its danger lies in:
- Its ability to evade traditional EDR solutions.
- Its use of advanced obfuscation and persistence techniques.
- Rapid lateral spread within the internal network.
- Encryption of critical data with ransom demands.
This behavior reinforces the need to adopt a defense-in-depth approach and review key configurations in our security tools.
Priority actions for each anti-malware technology
Below are recommended measures for different security environments, classified by vendor.
ESET (ESET PROTECT / Endpoint Security / Server Security)
Priority actions (HIGH)
- Enable Ransomware Shield from policy in ESET PROTECT.
- If it is a new computer/server or a newly applied policy: activate Audit mode for a short period, adjust legitimate exclusions if any false positives (FPs) appear, and then deactivate Audit mode to return to automatic blocking.
- Apply additional ESET recommendations against filecoder/ransomware (general best practices and posture).
CrowdStrike (Falcon Prevent / NGAV + EDR)
Priority actions (HIGH)
- Review Prevention Policy and validate that Sensor Tampering Protection is active.
- Ensure that prevention includes:
  - Automatic quarantine of malicious files (for investigation/control).
  - Script- and behavior-based execution monitoring/blocking (to stop typical ransomware chains).
- Align recommended operational controls for ransomware (access hardening, privilege review, surface area reduction) as part of the prevention package.
Fortinet (FORTI ZTNA: FortiGate + FortiClient EMS + ZTNA Access Proxy)
Priority actions (HIGH)
- Validate implementation of ZTNA Access Proxy and associated rules (published applications, ports, identity).
- Configure/validate Security Posture tags (AV/EDR compliance, minimum posture, etc.) in FortiClient EMS and their consumption in FortiGate for ZTNA decisions.
- Ensure that posture verification exists in active sessions (policy that reevaluates and terminates sessions if the device loses compliance).
Recommended actions (MEDIUM)
- Apply the least privilege approach per application to reduce the surface area and limit lateral movement (key in ransomware scenarios).
- Review best practices for the FortiClient/Fabric stack aimed at ransomware containment.
Microsoft Defender (Defender for Endpoint / Microsoft Defender XDR)
Priority actions (HIGH)
- Confirm that Tamper Protection is enabled for the tenant from the Microsoft Defender portal (and verify its scope/status).
- Configure Controlled Folder Access to safeguard critical information (and review allowed apps).
- Implement ASR Rules following best practices: start in Audit mode to measure impact and then move to blocking with minimal justified exclusions.
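The three Defender controls listed above can be checked from the endpoint itself. The following is an added example (not code from the original alert or from Microsoft): a read-only posture check run in an elevated PowerShell session, assuming the Defender cmdlets are present and that `$RansomwareAsrRule` holds the GUID of Microsoft's "Use advanced protection against ransomware" ASR rule.

```powershell
# Added example: report Tamper Protection, Controlled Folder Access and ASR
# state on one host, and print the Add-MpPreference command that moves the
# ransomware ASR rule from Audit to Block once its impact has been reviewed.
param(
    # Assumed: GUID of the ASR rule "Use advanced protection against ransomware"
    [string]$RansomwareAsrRule = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
)

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# 1. Tamper Protection (managed from the Defender portal; local value is read-only)
$tp = if ($status.IsTamperProtected) { 'ENABLED' } else { 'DISABLED - enable from the portal' }
Write-Host "Tamper Protection        : $tp (source: $($status.TamperProtectionSource))"

# 2. Controlled Folder Access: 0=Disabled 1=Enabled(block) 2=Audit
#    3=BlockDiskModificationOnly 4=AuditDiskModificationOnly
$cfaNames = @{0='Disabled'; 1='Enabled (block)'; 2='Audit'; 3='BlockDiskModificationOnly'; 4='AuditDiskModificationOnly'}
Write-Host "Controlled Folder Access : $($cfaNames[[int]$pref.EnableControlledFolderAccess])"
Write-Host "  Allowed apps           : $($pref.ControlledFolderAccessAllowedApplications -join ', ')"
Write-Host "  Extra protected folders: $($pref.ControlledFolderAccessProtectedFolders -join ', ')"

# 3. ASR rules: action values are 0=Disabled 1=Block 2=Audit 6=Warn
$asrNames  = @{0='Disabled'; 1='Block'; 2='Audit'; 6='Warn'}
$ids       = @($pref.AttackSurfaceReductionRules_Ids)
$actions   = @($pref.AttackSurfaceReductionRules_Actions)
$ransomIdx = -1
for ($i = 0; $i -lt $ids.Count; $i++) {
    Write-Host ("ASR {0} : {1}" -f $ids[$i], $asrNames[[int]$actions[$i]])
    if ($ids[$i] -ieq $RansomwareAsrRule) { $ransomIdx = $i }
}

# Audit-mode impact: ASR audit events are ID 1122 (blocks are 1121) in the Defender log
$audit = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; Id=1122} `
         -MaxEvents 500 -ErrorAction SilentlyContinue
Write-Host "ASR audit events (last 500 max): $(@($audit).Count)"

if ($ransomIdx -lt 0) {
    Write-Host "Ransomware ASR rule not configured. Start in Audit mode with:"
    Write-Host "  Add-MpPreference -AttackSurfaceReductionRules_Ids $RansomwareAsrRule -AttackSurfaceReductionRules_Actions AuditMode"
} elseif ([int]$actions[$ransomIdx] -eq 2) {
    Write-Host "Ransomware ASR rule is in Audit. After reviewing the 1122 events, move to Block with:"
    Write-Host "  Add-MpPreference -AttackSurfaceReductionRules_Ids $RansomwareAsrRule -AttackSurfaceReductionRules_Actions Enabled"
} elseif ([int]$actions[$ransomIdx] -eq 1) {
    Write-Host "Ransomware ASR rule is in Block mode."
}
```

Where ASR and Controlled Folder Access are pushed by Intune or Group Policy, the local values shown here reflect that policy, so a mismatch points at the management layer rather than the host.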
Strengthening your posture: beyond the tool
While having robust tools is essential, it is also key to maintain:
- Network segmentation policies.
- Multi-factor authentication (MFA) for sensitive access.
- Ongoing staff training to reduce human error.
- Response procedures and offline backup.
Frequently asked questions about ransomware attacks
Does Crypto24 only affect large companies?
No. Any organization with security gaps can be targeted, regardless of its size.
Are EDR solutions no longer sufficient?
They are essential, but they must be configured correctly and complemented with other layers of protection.
Can I protect myself with free antivirus software alone?
This is not recommended. Modern threats require advanced enterprise solutions and managed services.
What if I already have active policies in place?
It is vital to review them periodically. Threats evolve, and configurations must keep pace.
Anticipation is key
The growth of Crypto24 in the region shows that attackers continue to become more sophisticated. At Wezen, we understand that the best defense is anticipation, which is why we help our clients to:
- Review their security environments.
- Strengthen critical configurations.
- Implement managed services for continuous protection.
At Wezen, we can help you audit, reinforce, and support your cybersecurity strategy to face threats such as Crypto24 with peace of mind and control.
If you would like a technical assessment or have questions about your organization’s current posture, write to us.

Image: generated by AI (DALL·E 3 – GPT-4o), OpenAI, 2026.
Sources consulted:
- Segu-Info. (2025, December). Ransomware Crypto24 se propaga en América Latina salteando EDR. URL
- ESET. (n.d.). Best practices to protect against filecoder/ransomware malware. ESET Support. URL
- CrowdStrike. (2024, September). CrowdStrike Falcon Prevent Data Sheet. URL
- Fortinet. (n.d.). ZTNA Access Proxy – FortiGate. Fortinet Documentation Library. URL
- Microsoft. (n.d.). Manage tamper protection in Microsoft Defender for Endpoint. Microsoft Learn. URL