Crytox

Crytox is a ransomware group referenced in reporting on the use of kernel-level AV/EDR-killer tooling in ransomware intrusions. The content links Crytox to attack chains in which an EDR killer is deployed before ransomware execution, including sequences described as HeartCrypt-packed dropper -> EDR killer/malicious driver -> ransomware. Crytox is specifically named among ransomware families observed by Sophos and ESET in intrusions using such tooling. The content associates Crytox with multiple EDR-disabling tools and services. Sophos and ESET reporting cited in the content link Crytox to CardSpaceKiller intrusions. Crytox is also listed among ransomware groups observed using Shanya, a packer-as-a-service offering used to obfuscate and deploy EDR-killing payloads; Shanya-packed EDR killers were described as dropping a signed ThrottleStop.sys driver for privilege escalation and an unsigned driver used to disable security products. Separate Sophos reporting also places Crytox among groups using updated EDRKillShifter-related tooling and among ransomware families observed in the recurring "EDR Killer -> ransomware" sequence. In those reports, the tooling uses kernel drivers, often via BYOVD, to terminate AV/EDR processes and stop security services across multiple vendors. Directly mentioned associations and aliases in the content are limited to the name Crytox itself; no additional aliases or sub-groups are provided.