- The CrazyHunter ransomware strain has escalated into a major threat against healthcare providers, particularly in Taiwan. Multiple organizations—including hospitals and medical systems—have been compromised in recent waves of attacks.
- Unlike indiscriminate mass-distribution ransomware, this campaign is narrowly targeted at critical sectors where operational disruption has life-critical consequences and sensitive patient data is a high-value asset.
Advanced Techniques Used by CrazyHunter
1. Developed in Go with Enhanced Evasion
- The malware is written in Go, which compiles to a single statically linked binary that bundles its own runtime and cross-compiles easily for multiple platforms. The result is compact, fast to execute, simple to deploy, and harder to analyze statically, which in turn supports the campaign's evasion and network features.
2. Bring-Your-Own-Vulnerable-Driver (BYOVD) Exploitation
- Attackers load a legitimately signed but vulnerable Zemana anti-malware driver (zam64.sys) to escalate privileges and bypass security defenses such as EDR and antivirus. Because the driver carries a valid signature, it loads without triggering the alerts an unsigned or known-malicious driver would, and the malware then runs with high privileges.
3. Active Directory Abuse (Initial Access & Propagation)
- CrazyHunter's operators gain network access by abusing weak Active Directory (AD) credentials, then use tools such as SharpGPOAbuse to push the ransomware to domain-joined systems through Group Policy Objects (GPOs). Because GPOs apply to every machine in scope at the next policy refresh, this enables rapid internal spread.
4. Memory-Based Execution & AV Disabling
- It includes components designed to disable antivirus and EDR tools, and it uses memory-only execution so that payload code is never written to disk where signature-based scanners would inspect it.
5. Use of Open-Source Tooling
- The group incorporates open-source projects such as the Prince ransomware builder and tools like ZammoCide to construct flexible payloads and stage attacks.
6. Double Extortion / Leak Site Pressure
- In addition to encrypting files, attackers maintain a data leak site, threatening to publish stolen data if ransom isn’t paid—amplifying pressure on victims.
7. Legitimate-Appearing Process Masquerading
- Some variants name or present themselves as legitimate system processes so that they blend in with normal process activity and traffic, aiding evasion of endpoint defenses.
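Process masquerading is detectable because a genuine system binary has a fixed home directory and, for the core ones, a fixed parent. The following is an added example (not from the article) that checks Sysmon Event ID 1 (ProcessCreate) records for three tells: a system binary name running from a non-system directory, a core system process with the wrong parent, and a look-alike name one character away from a real system binary. The expected-parent table holds standard Windows process relationships; the sample records, hosts and paths are constructed.

```python
"""Detect process-name masquerading in Sysmon Event ID 1 (ProcessCreate) records.

Added example; not from the original article. Records are constructed.
"""
from __future__ import annotations

import ntpath

# Well-known Windows binaries that attackers commonly impersonate.
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
    "winlogon.exe", "wininit.exe", "explorer.exe",
}
# Directories where those binaries legitimately live.
ALLOWED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXTRA_DIRS = {"explorer.exe": {r"c:\windows"}}
# Standard parent for core processes (explorer.exe omitted: its parent
# userinit.exe exits, so Sysmon may report no live parent).
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "lsass.exe": {"wininit.exe"},
    "services.exe": {"wininit.exe"},
    "csrss.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
}


def _norm(path: str) -> str:
    return path.strip().lower().replace("/", "\\")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch svch0st.exe-style look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_process(rec: dict) -> list[str]:
    """Return the masquerading indicators found in one ProcessCreate record."""
    reasons: list[str] = []
    image = _norm(rec.get("Image", ""))
    name = ntpath.basename(image)
    directory = ntpath.dirname(image)
    parent = ntpath.basename(_norm(rec.get("ParentImage", "")))

    if name in SYSTEM_BINARIES:
        allowed = ALLOWED_DIRS | EXTRA_DIRS.get(name, set())
        if directory not in allowed:
            reasons.append(f"{name} started from unexpected directory {directory}")
        expected = EXPECTED_PARENT.get(name)
        if expected and parent not in expected:
            reasons.append(f"{name} has unexpected parent {parent or '<none>'}")
    else:
        # Look-alike check: one character off from a real system binary name.
        for known in sorted(SYSTEM_BINARIES):
            if _edit_distance(name, known) == 1:
                reasons.append(f"{name} is one character away from {known}")
                break
    return reasons


def scan_processes(records) -> list[dict]:
    hits = []
    for rec in records:
        reasons = classify_process(rec)
        if reasons:
            hits.append({"host": rec.get("Computer"), "image": rec.get("Image"), "reasons": reasons})
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_PROCESSES = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Computer": "WS01", "Image": r"C:\Users\Public\svchost.exe",
     "ParentImage": r"C:\Users\Public\launcher.exe"},
    {"Computer": "WS03", "Image": r"C:\Windows\Temp\svch0st.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "WS03", "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
]

if __name__ == "__main__":
    for hit in scan_processes(SAMPLE_PROCESSES):
        print(hit["host"], hit["image"], "->", "; ".join(hit["reasons"]))
```

The look-alike rule is a heuristic and will occasionally flag benign third-party binaries; treat it as an enrichment for triage rather than a blocking rule, while the directory and parent checks are precise enough to alert on directly.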
Why Healthcare is a Preferred Target
- Critical uptime requirements: Downtime in hospitals can threaten lives, increasing the likelihood of payment.
- Heavy reliance on legacy systems: Many healthcare environments run older software or under-secured infrastructure, making them easier to breach.
- Wide attack surface: Large networks with diverse devices and remote access points create more opportunities for initial compromise.
Case Example: Taiwan Hospital Incidents
- MacKay Memorial Hospital and other facilities experienced infections that disrupted emergency and outpatient systems. The attacks encrypted hundreds of endpoints and crippled core medical operations.
- The attack chains typically began with privileged access obtained through compromised credentials or infected USB drives, followed by privilege escalation and mass deployment of the ransomware using network administration tools.
Key Defense & Mitigation Strategies
To defend against CrazyHunter-style campaigns, organizations should:
- Enforce strong passwords, MFA on all AD accounts, and continuous monitoring of login anomalies.
- Identify and mitigate vulnerable signed drivers; block unapproved ones to neutralize BYOVD tactics.
- Audit GPO changes and tighten permissions to prevent mass deployment vectors.
- Use advanced EDR/XDR tools capable of intercepting memory-based execution and anomalous privilege escalation.
- Maintain immutable, off-network backups and rehearse recovery drills to reduce leverage from ransom demands.
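The GPO-based deployment described under "Active Directory Abuse" and the "Audit GPO changes" mitigation above share one detection surface: Windows Security Event ID 5136 (Directory Service Changes), which records who modified which attribute of which groupPolicyContainer object. The following is an added example, not from the article and not CrazyHunter or SharpGPOAbuse code, that audits such records for edits by accounts outside an authorized editor set, edits outside an approved change window, changes to the attributes that make a GPO deliver new settings at the next refresh, and a burst of edits to several distinct GPOs by one account (the shape mass deployment takes). The authorized editor list, change window, account names, GPO DNs and timestamps are all constructed assumptions; real 5136 events carry these fields inside the event XML and express the operation type as the codes %%14674 (value added) and %%14675 (value deleted), which this simplified record omits.

```python
"""Audit Group Policy Object changes from Windows Security Event ID 5136 records.

Added example; not from the original article. Records, accounts, DNs and
policy values below are constructed placeholders.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: only these accounts may edit GPOs (a Tier-0 change-control list).
AUTHORIZED_GPO_EDITORS = {"corp\\gpo-admin1", "corp\\gpo-admin2"}
# Assumption: approved change window, local hours [start, end).
CHANGE_WINDOW = (8, 18)
# GPO attributes whose change causes clients to apply new settings or a new
# client-side extension at the next policy refresh.
HIGH_IMPACT_ATTRS = {
    "gpcmachineextensionnames", "gpcuserextensionnames", "gpcfilesyspath", "versionnumber",
}
# Burst rule: this many distinct GPOs edited by one actor inside this window.
BURST_COUNT, BURST_WINDOW = 3, timedelta(minutes=10)


def audit_gpo_changes(events) -> list[dict]:
    """Return findings for GPO modifications that deserve analyst attention.

    Events are expected in time order, as a SIEM would deliver them.
    """
    findings = []
    edits_by_actor: dict[str, list[tuple[datetime, str]]] = defaultdict(list)

    for ev in events:
        if ev.get("ObjectClass", "").lower() != "grouppolicycontainer":
            continue  # not a GPO object; out of scope for this audit
        actor = ev["SubjectUserName"].lower()
        ts = datetime.fromisoformat(ev["TimeCreated"])
        attr = ev.get("AttributeLDAPDisplayName", "").lower()
        gpo = ev["ObjectDN"]
        reasons: list[str] = []

        if actor not in AUTHORIZED_GPO_EDITORS:
            reasons.append("actor not an authorized GPO editor")
        if not (CHANGE_WINDOW[0] <= ts.hour < CHANGE_WINDOW[1]):
            reasons.append("change outside approved window")
        if attr in HIGH_IMPACT_ATTRS:
            reasons.append(f"high-impact attribute {attr} modified")

        edits_by_actor[actor].append((ts, gpo))
        recent = {g for t, g in edits_by_actor[actor] if ts - t <= BURST_WINDOW}
        if len(recent) >= BURST_COUNT:
            reasons.append(f"{len(recent)} distinct GPOs edited by {actor} within {BURST_WINDOW}")

        # Severity gate: an authorized editor changing one attribute inside the
        # window is routine work. Report any unauthorized actor, or an authorized
        # one when more than one anomaly coincides.
        if reasons and (actor not in AUTHORIZED_GPO_EDITORS or len(reasons) > 1):
            findings.append({
                "time": ev["TimeCreated"], "actor": actor, "gpo": gpo,
                "attribute": attr, "reasons": reasons,
            })
    return findings


# Constructed sample events; GUIDs in the DNs are placeholders.
_POLICIES = "CN=Policies,CN=System,DC=corp,DC=example"
GPO_A = "CN={00000000-0000-0000-0000-00000000000a}," + _POLICIES
GPO_B = "CN={00000000-0000-0000-0000-00000000000b}," + _POLICIES
GPO_C = "CN={00000000-0000-0000-0000-00000000000c}," + _POLICIES

SAMPLE_EVENTS = [
    {"TimeCreated": "2025-01-15T10:05:00", "SubjectUserName": "CORP\\gpo-admin1",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_A,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"TimeCreated": "2025-01-15T02:14:00", "SubjectUserName": "CORP\\svc-backup",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_A,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"TimeCreated": "2025-01-15T02:15:00", "SubjectUserName": "CORP\\svc-backup",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_A,
     "AttributeLDAPDisplayName": "versionNumber"},
    {"TimeCreated": "2025-01-15T02:16:00", "SubjectUserName": "CORP\\svc-backup",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_B,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"TimeCreated": "2025-01-15T02:17:00", "SubjectUserName": "CORP\\svc-backup",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_C,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"TimeCreated": "2025-01-15T02:18:00", "SubjectUserName": "CORP\\svc-backup",
     "ObjectClass": "user", "ObjectDN": "CN=jdoe,OU=Staff,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description"},
]

if __name__ == "__main__":
    for f in audit_gpo_changes(SAMPLE_EVENTS):
        print(f["time"], f["actor"], f["gpo"].split(",")[0], "->", "; ".join(f["reasons"]))
```

The first sample event (an authorized editor, in hours, one attribute) is deliberately silent, which is what keeps an audit like this usable: the signal is a service account that should never touch GPOs editing three policies' extension lists in four minutes at 02:00. Capturing 5136 requires the "Audit Directory Service Changes" subcategory enabled on domain controllers and a SACL on the Policies container, both of which are routinely missing and worth verifying before relying on this.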
CrazyHunter represents a sophisticated evolution in ransomware threats, combining advanced evasion, credential abuse, and orchestration tools to disrupt critical sectors like healthcare. These attacks highlight the urgent need for proactive cybersecurity hygiene, robust identity controls, and advanced threat detection.
