Taiwan MacKay Memorial Hospital was hit by the CrazyHunter ransomware, which used a USB-borne infection vector to deploy its payload through exploited vulnerable drivers and privileged escalation techniques. CrazyHunter targets primarily Taiwanese organizations in healthcare, technology, and manufacturing sectors by leveraging publicly available tools and methods such as Bring Your Own Vulnerable Driver (BYOVD) and SharpGPOAbuse. #CrazyHunter #MacKayMemorialHospital #BYOVD
Keypoints
- On February 9, 2025, Taiwan MacKay Memorial Hospital suffered a major ransomware attack affecting over 500 computers at two campuses.
- The attack was initiated via an infected USB device introducing CrazyHunter ransomware using BYOVD techniques exploiting the zam64.sys driver to disable endpoint protection.
- CrazyHunter ransomware is built using the publicly available Prince Ransomware builder and primarily targets Taiwanese organizations in healthcare, technology, manufacturing, and education.
- It employs privilege escalation through SharpGPOAbuse, lateral movement, defense evasion via vulnerable drivers, and encrypts files with ChaCha20 and ECIES, appending the .Hunter extension.
- The group runs a data leak site to pressure victims and has a strong geographic focus on Taiwan, with 90% of victims based there.
- Key mitigation strategies include enforcing multi-factor authentication, endpoint protection with driver enforcement, restricting Group Policy modification, and robust backup practices.
- SOCRadar offers advanced threat intelligence and monitoring solutions to detect, analyze, and defend against CrazyHunter ransomware campaigns.
MITRE Techniques
- [T1059.003] Windows Command Shell â Used via batch scripts to coordinate execution of ransomware components (âA batch script coordinates the launch of multiple componentsâ).
- [T1547] Boot or Logon AutoStart Execution â Persistence through drivers and services like crazyhunter.sys and ZammOcide service (âDriver loaded at boot via crazyhunter.sysâ).
- [T1068] Exploitation for Privilege Escalation â Exploits vulnerable driver zam64.sys to escalate privileges (âUses zam64.sysâŚto raise its privilegesâ).
- [T1484.001] Group Policy Modification â Abuse of GPOs via SharpGPOAbuse to deploy malicious scripts and escalate privileges (âExploits Group Policy Objects (GPOs) where attackers have edit rightsâ).
- [T1562.001] Disable or Modify Tools â Disable Microsoft Defender and AV products using vulnerable drivers (âUses zam64.sysâŚto disable Microsoft Defender, Avira, Other EDR/AV productsâ).
- [T1211] Exploitation for Defense Evasion â Abusing legitimate drivers to evade defenses (âBYOVDâŚexploited a legitimate driver zam64.sys from Zemana AntiMalwareâ).
- [T1083] File and Directory Discovery â Discovery to avoid encrypting critical system paths and file types (âWhitelisting strategy: The ransomware avoids encrypting critical system directories and certain file typesâ).
- [T1570] Lateral Tool Transfer â Uses tools to move laterally through the network (âAllows deployment of malicious scripts across the domainâ).
- [T1005] Data from Local System â Collects data locally before exfiltration (âfile.exe: A Go-based utility functioning in two modes including monitoring file changesâ).
- [T1048] Exfiltration Over Alternative Protocol â Uses custom tools and web server on port 9999 for exfiltration (âRuns a web server on port 9999â).
- [T1486] Data Encrypted for Impact â Uses ChaCha20 and ECIES encryption with .Hunter extension for files (âEncrypted files end with .Hunter extensionâ).
- [T1078.002] Domain Accounts â Uses weak Microsoft Active Directory accounts for access (âTry to access Microsoft AD accounts using weak passwordsâ).
Indicators of Compromise
- [File Hashes] Various malware components used by CrazyHunter â go.exe, bb.exe, hunter.exe, crazyhunter.sys, av-1m.exe, and more hashes such as 6bb811e2fbb498f466980a176caefbfb, 5cc2523816a184fed135f0119756c337, 7f3d07220529742bdc1827186b73666a.
- [File Names] Ransomware and auxiliary files â crazyhunter.exe, crazyhunter.sys, hunter.exe, go.exe, av-1m.exe, bb.exe, a.ashx (Webshell), tunnel.aspx (SOCKS tunnel).
- [Domains/Communication] Cobalt Strike beacon infrastructure including graph.microsoft.com and DevTunnels for domain-fronting and command-and-control.
- [File Extensions] Encrypted files appended with .Hunter extension and ransom note named âDecryption Instructions.txtâ.
Read more: https://socradar.io/dark-web-profile-crazyhunter-ransomware/