SOCRadar® Cyber Intelligence Inc. | Dark Web Profile: CrazyHunter Ransomware
Jul 18, 2025
Moon

Dark Web Profile: CrazyHunter Ransomware

On February 9, 2025, MacKay Memorial Hospital in Taiwan suffered a major ransomware attack that hit the emergency and outpatient systems at both the Taipei and Tamsui campuses. More than 500 computers were encrypted, causing serious disruptions to medical services.

The attack began when an employee unknowingly plugged a USB drive into a hospital computer, introducing the CrazyHunter ransomware into the network. The malware uses BYOVD (Bring Your Own Vulnerable Driver) techniques: it loaded zam64.sys, a legitimately signed driver from Zemana AntiMalware, to gain kernel-level privileges, terminate endpoint protection (EDR/AV) processes, and attempt to log into Active Directory accounts protected by weak passwords. The ransomware then spread across the internal network, damaging many of the hospital's computers and systems.

Who is CrazyHunter Ransomware?

The ransomware attack on MacKay Memorial Hospital in Taiwan is part of a growing trend where threat actors use publicly available tools and code. In this case, the ransomware called “CrazyHunter” was created using a builder named “Prince Ransomware,” which had been shared on GitHub.

Threat actor card for CrazyHunter Ransomware

CrazyHunter has quickly become a notable threat. The group recently launched a data leak site (DLS) listing ten victims, all based in Taiwan. Since early January 2025, internal monitoring has revealed a clear pattern of targeting Taiwanese organizations. Their victims include hospitals, medical centers, universities, schools, manufacturing firms, and industrial companies, indicating a focus on sectors with sensitive data and critical operations.

What are CrazyHunter Ransomware’s Targets?

The CrazyHunter ransomware group has focused most of its attacks on Taiwan, with 90% of confirmed victims based there. Only one reported victim is located in the United States, and that case may be a false attribution. This strong geographic bias suggests that CrazyHunter is deliberately targeting Taiwanese organizations.

Announced victims of CrazyHunter Ransomware. Note: The one US victim might be a false attribution.

The group has attacked a variety of sectors, but healthcare and technology stand out as the most affected. Hospitals and medical institutions make up 30% of known victims, including MacKay Memorial Hospital, Changhua Christian Hospital, and Asia University Hospital. Another 30% of the victims belong to the technology sector, such as Zuni Data, Analog Integrations Corporation, and Netronix Inc. Manufacturing companies represent 20% of the cases, with Huacheng Electric and KD Panels falling victim. The remaining 20% includes educational institutions like Asia University and a consumer service company.

CrazyHunter targeted organizations with sensitive data or essential functions, such as hospitals, universities, and tech or industrial firms. By using a public data leak site, the group pressures victims through exposure and threats. Most attacks happened earlier this year, suggesting a coordinated campaign focused on causing disruption and demanding ransom, mainly in Taiwan.

What are CrazyHunter Ransomware’s Techniques?

CrazyHunter ransomware uses a mix of publicly available tools, vulnerable drivers, and tailored malware to carry out its attacks. Public research on the group's operations shows a clear focus on defense evasion, privilege escalation, lateral movement, and impact through ransomware deployment. Below is a breakdown of their main tactics, techniques, and tools:

Initial Access

  • USB infection vector: In at least one major incident, the attack began when an employee inserted an infected USB into an internal system.

Execution

  • Batch script orchestration: A batch script coordinates the launch of multiple components, such as:
    • Disabling security software
    • Deploying ransomware
    • Ensuring fallback routines if earlier stages fail
The contents of the batch script used by CrazyHunter (TrendMicro)

Execution Flow:

  1. Run go2.exe and go.exe – disable EDR via zam64.sys
  2. Run go3.exe – ransomware deployment
  3. If failure occurs:
    • Run av-1m.exe – another AV killer (C++)
    • Run bb.exe to load crazyhunter.sys
    • As last resort, execute EXE ransomware payload directly

Defense Evasion

  • BYOVD – Bring Your Own Vulnerable Driver

    • Loads zam64.sys, a validly signed driver from Zemana AntiMalware, as a kernel-mode service
    • The driver is abused through ZammoCide, a publicly available process killer built on it, to terminate:
      • Microsoft Defender
      • Avira
      • Other EDR/AV products
  • Continuous process killing: The tool drives the kernel-mode driver in a loop, terminating protected security processes again whenever they respawn.
  • Exclusion list: The encryptor skips critical system directories and executable file types so the host stays bootable enough to display the ransom demand:
    • Extensions ignored: .exe, .dll, .sys, .msi, .ps1, etc.
    • Directories ignored: C:\Windows, System32, AppData, Program Files, EFI, etc.

Privilege Escalation & Lateral Movement

  • SharpGPOAbuse

    • Requires an account that already holds edit rights on a Group Policy Object linked to the target domain or OU
    • Adds an immediate scheduled task, startup/logon script or user-rights assignment to that GPO so the payload runs on every machine or user the GPO applies to at the next policy refresh
    • Turns a single GPO-edit permission into SYSTEM-level code execution on connected machines, covering both privilege escalation and lateral movement
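A GPO-based task deployment leaves its configuration in SYSVOL, where it can be audited. The following is an added example, not SharpGPOAbuse's or SOCRadar's code: it parses a Group Policy Preferences ScheduledTasks.xml (the file SharpGPOAbuse's computer-task option writes under Machine\Preferences\ScheduledTasks in the GPO folder) and flags immediate tasks, SYSTEM execution, and payloads pulled from UNC paths. The XML, task names, host names and paths are constructed for illustration.

```python
"""Audit a Group Policy Preferences ScheduledTasks.xml for abuse patterns.

Added example, not SharpGPOAbuse or SOCRadar code. The sample XML is
constructed; element and attribute names follow the GPP ScheduledTasks
schema (ImmediateTaskV2 / TaskV2 with a Properties element carrying runAs
and a nested Task/Actions/Exec block).
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = r"""<ScheduledTasks>
  <ImmediateTaskV2 name="Update" changed="2025-02-09 02:11:00">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>cmd.exe</Command>
            <Arguments>/c \\dc01.corp.example\netlogon\go.exe</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 name="Inventory" changed="2024-11-01 09:00:00">
    <Properties action="U" name="Inventory" runAs="CORP\svc_inventory" logonType="Password">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>C:\Program Files\Inventory\agent.exe</Command>
            <Arguments>--report</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

# Accounts whose use in a GPP task means domain-wide SYSTEM execution.
HIGH_PRIV = {"nt authority\\system", "system"}


def audit_scheduled_tasks(xml_text):
    """Return one finding per task; 'reasons' is empty for unremarkable tasks."""
    findings = []
    for task in ET.fromstring(xml_text):
        props = task.find("Properties")
        if props is None:
            continue
        exec_el = props.find("./Task/Actions/Exec")
        command = exec_el.findtext("Command", default="") if exec_el is not None else ""
        arguments = exec_el.findtext("Arguments", default="") if exec_el is not None else ""
        run_as = props.get("runAs", "")
        reasons = []
        if task.tag.startswith("ImmediateTask"):
            # Immediate tasks fire once on the next refresh and then vanish
            # from the client: the classic GPO "run this everywhere now" hook.
            reasons.append("immediate task")
        if run_as.lower() in HIGH_PRIV:
            reasons.append("runs as SYSTEM")
        if "\\\\" in command or "\\\\" in arguments:
            reasons.append("payload fetched from a UNC path")
        findings.append({
            "name": task.get("name"), "type": task.tag, "run_as": run_as,
            "changed": task.get("changed"),
            "command": f"{command} {arguments}".strip(), "reasons": reasons,
        })
    return findings


def suspicious(findings):
    """Filter to tasks with at least one reason for review."""
    return [f for f in findings if f["reasons"]]


if __name__ == "__main__":
    for f in suspicious(audit_scheduled_tasks(SAMPLE_XML)):
        print(f["name"], f["type"], f["run_as"], f["command"], f["reasons"])
```

In a real audit, point the parser at every `\\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml` and compare the `changed` timestamp against your change-management records; an ImmediateTaskV2 running as SYSTEM that nobody requested is exactly what SharpGPOAbuse produces.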

Impact – Ransomware Payload

  • Ransomware core: Built using Prince Ransomware builder, compiled in Go

    • Uses ChaCha20 for file encryption
    • Uses ECIES for asymmetric encryption
    • Encrypted files end with .Hunter extension
    • Drops ransom note “Decryption Instructions.txt”

    • Modifies desktop wallpaper with a ransom message
  • Persistence mechanisms:
    • Some executables run as Windows services (e.g., the ZammoCide service that hosts zam64.sys)
    • crazyhunter.sys is not a conventional driver: despite the .sys extension it is Donut-packed shellcode (see the IoC table) that bb.exe loads as a fallback stage when the primary EDR killer fails

Exfiltration

  • file.exe:
    • A Go-based utility functioning in two modes:
      • Monitor mode: Watches for changes in web file types (.asp, .php, .jsp)
      • File server mode: Runs a web server on port 9999
    • Can operate with whitelisting or blacklisting logic
    • Capable of stealthy exfiltration or staging

IoCs, Toolset and Software Used by CrazyHunter

MD5 Hash | Filename(s) | Description
6bb811e2fbb498f466980a176caefbfb | a.ashx | Webshell – Godzilla
5cc2523816a184fed135f0119756c337 | tunnel.aspx | reGeorg SOCKS tunnel
b35813aac8a164e379f507de67c02a6f | ntlmrelayx.exe | impacket – NTLMRelayx
28bbd938ecbab26c4ad1ce96bbd9d1f5 | secretsdump.exe | impacket – secretsdump
ba61c126dbbd7cde055d40e0e6b5d48f | PortBender.exe | Port redirector
b2014d33ee645112d5dc16fe9d9fcbff | WinDivert.dll | PortBender dependency
89ed5be7ea83c01d0de33d3519944aa5 | WinDivert64.sys | PortBender dependency
7f05a928c77cb87ffb510168c1b0b11b | aa.exe, cc.exe | AV killer
e12c5be075c23d1c5f398e46e2ee5d40 | av-1m.exe | Obfuscated AV killer
87b3db166041c61f3a033cf3c94e89c6 | av-500kb.exe | Obfuscated AV killer
ca257aaa1ded22ca22086b9e95cb456d | go.exe | AV/EDR killer (Golang version)
da1a93627cec6665ae28baaf23ff27c5 | go2.exe | AV/EDR killer (Golang version)
6a70c22a5778eaa433b6ce44513068da | crazyhunter.exe, go3.exe, hunter.exe | Main ransomware encryptor
5e560ea46fa48188cc8768c7e03294d0 | hunter.exe | Variant ransomware sample
9fe3322dd4fc35d1ed510bf715dae814 | bb.exe | Donut loader for shellcode
906e89f6eb39919c6d12a660b68ae81f | crazyhunter.sys | Donut-packed shellcode (kernel loader)
7f3d07220529742bdc1827186b73666a | hunter.ini | Donut config/init data
9e45ab7d2d942a575b2f902cccfb3839 | gpo.exe | SharpGPOAbuse tool
6d04be58f8987853ab57c745ec5663f9 | appitob.exe | Cobalt Strike beacon with domain fronting
f58712846e029a548ccd52b24ae0b720 | svc.exe | Cobalt Strike beacon variant (graph.microsoft.com)
eb151437c1f74877e27e1e895ee6dbd6 | beacon_x64.exe | Beacon with DevTunnels domain fronting

Technical analysis based on public intelligence by TeamT5

What are the Mitigation Tactics Against CrazyHunter Ransomware?

Below are key mitigation tactics that can help protect against CrazyHunter ransomware:

  1. Enforce Strong Authentication

Using valid domain accounts is a known tactic of CrazyHunter. To reduce this risk:

  • Enable multi-factor authentication (MFA) for all users, especially administrators.
  • Enforce strong, unique passwords and regular password rotation.
  • Disable unused accounts and monitor for unauthorized login attempts.

  2. Control Initial Access Vectors

Initial access in some incidents occurred via infected USB devices or webshells on IIS servers. Organizations should:

  • Block unauthorized USB device use via Group Policy or endpoint controls.
  • Scan all external media before use.
  • Monitor public-facing servers for unexpected uploads or file executions.

  3. Harden Endpoint and Driver Protections

CrazyHunter relies on loading vulnerable drivers like zam64.sys to disable endpoint defenses. Note that zam64.sys carries a valid Zemana signature, so Driver Signature Enforcement alone does not stop it; the driver has to be blocked by name and hash.

  • Use Endpoint Detection and Response (EDR) solutions with kernel protection and tamper protection features.
  • Enable Microsoft's vulnerable driver blocklist (via HVCI/WDAC or the Windows Security "Microsoft Vulnerable Driver Blocklist" setting) and add zam64.sys to your own block rules.
  • Implement Hardware-enforced Stack Protection and Microsoft Defender Exploit Guard.
  • Alert on new kernel-mode services (System log Event ID 7045) whose driver path lies in a user-writable directory.

  4. Limit Lateral Movement and GPO Abuse

SharpGPOAbuse was used by the threat actor to deploy malicious scripts across the domain.

  • Restrict Group Policy modification rights to a minimum set of administrators.
  • Audit GPO changes regularly and monitor for suspicious task creation or script policies.
  • Implement network segmentation to isolate key infrastructure like AD servers.

  5. Monitor for Abuse of AD Certificate Services (ADCS)

The group leveraged vulnerabilities in ADCS using tools like PetitPotam, ntlmrelayx, and certipy.

  • Disable unnecessary ADCS features such as Web Enrollment.
  • Monitor certificate requests and NTLM relay activity.
  • Apply Microsoft hardening guidelines for Active Directory Certificate Services.

  6. Prevent Data Exfiltration

CrazyHunter uses custom tools like file.exe to stage and exfiltrate data.

  • Restrict outbound connections to essential services only.
  • Block high-risk ports such as 9999 unless required for business.
  • Inspect and alert on abnormal data flows or embedded web servers within endpoints.

  7. Backup and Recovery Preparedness

Because each file's ChaCha20 key is protected with ECIES under the attacker's public key, decryption without the attacker's private key is not feasible; backups are the only reliable recovery path.

  • Maintain regular backups using the 3-2-1 strategy (three copies, two media types, one offsite).
  • Test backup restoration frequently to confirm recovery integrity.
  • Store backup systems in isolated networks with restricted access.

  8. Increase User Awareness

User behavior is a critical line of defense.

  • Train staff to recognize phishing attempts, suspicious USB activity, and signs of ransomware.
  • Encourage reporting of unusual login prompts, desktop changes, or missing files.
  • Conduct regular simulated phishing exercises and security awareness sessions.

  9. Apply Timely Patch Management

Outdated systems and software provide an easy entry point.

  • Patch vulnerabilities in operating systems, drivers, middleware, and security software.
  • Apply vendor updates for certificate services and SMB components.
  • Monitor for new CVEs associated with BYOVD or GPO exploitation.

  10. Block Known Indicators of Compromise (IoCs)

Use threat intelligence feeds to block known hashes and artifacts used by CrazyHunter:

  • Files such as go.exe, bb.exe, hunter.exe, and crazyhunter.sys.
  • MD5 hashes and associated TTPs (T1068, T1486, T1078.002, etc.). Bear in mind that the group repacks its AV killers (the obfuscated av-1m.exe and av-500kb.exe variants), so hash matches age quickly and behavioral detections should carry the load.
  • Watch for the .Hunter extension, the "Decryption Instructions.txt" note, and beacons that hide behind legitimate Microsoft infrastructure (DevTunnels, graph.microsoft.com). These are not attacker-owned domains, so block them only where the business has no use for them; otherwise alert on processes other than approved clients connecting to them.
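A quick way to operationalize the IoC list above is a file-system sweep that checks hashes, the ransom extension and the note name in one pass. The following is an added example, not SOCRadar or vendor tooling. The MD5 values are copied from the IoC table on this page; the `.Hunter` extension and note name come from the payload description; `build_demo_tree()` writes constructed files so the sweep can be run offline, and the demo hash it injects is not a real indicator.

```python
"""Sweep a directory tree for the CrazyHunter indicators listed on this page.

Added example, not SOCRadar or vendor tooling. The MD5 values are copied from
the IoC table above; the .Hunter extension and ransom-note name come from the
payload description. build_demo_tree() writes constructed files so the sweep
can be run (and tested) offline; the demo hash it injects is not a real IoC.
"""
import hashlib
import os
import tempfile

CRAZYHUNTER_MD5 = {
    "6bb811e2fbb498f466980a176caefbfb": "Godzilla webshell (a.ashx)",
    "5cc2523816a184fed135f0119756c337": "reGeorg SOCKS tunnel (tunnel.aspx)",
    "b35813aac8a164e379f507de67c02a6f": "impacket ntlmrelayx.exe",
    "28bbd938ecbab26c4ad1ce96bbd9d1f5": "impacket secretsdump.exe",
    "ba61c126dbbd7cde055d40e0e6b5d48f": "PortBender.exe",
    "b2014d33ee645112d5dc16fe9d9fcbff": "WinDivert.dll (PortBender dependency)",
    "89ed5be7ea83c01d0de33d3519944aa5": "WinDivert64.sys (PortBender dependency)",
    "7f05a928c77cb87ffb510168c1b0b11b": "AV killer (aa.exe, cc.exe)",
    "e12c5be075c23d1c5f398e46e2ee5d40": "obfuscated AV killer (av-1m.exe)",
    "87b3db166041c61f3a033cf3c94e89c6": "obfuscated AV killer (av-500kb.exe)",
    "ca257aaa1ded22ca22086b9e95cb456d": "Go AV/EDR killer (go.exe)",
    "da1a93627cec6665ae28baaf23ff27c5": "Go AV/EDR killer (go2.exe)",
    "6a70c22a5778eaa433b6ce44513068da": "main encryptor (crazyhunter.exe, go3.exe, hunter.exe)",
    "5e560ea46fa48188cc8768c7e03294d0": "encryptor variant (hunter.exe)",
    "9fe3322dd4fc35d1ed510bf715dae814": "Donut loader (bb.exe)",
    "906e89f6eb39919c6d12a660b68ae81f": "Donut-packed shellcode (crazyhunter.sys)",
    "7f3d07220529742bdc1827186b73666a": "Donut config (hunter.ini)",
    "9e45ab7d2d942a575b2f902cccfb3839": "SharpGPOAbuse (gpo.exe)",
    "6d04be58f8987853ab57c745ec5663f9": "Cobalt Strike beacon (appitob.exe)",
    "f58712846e029a548ccd52b24ae0b720": "Cobalt Strike beacon (svc.exe)",
    "eb151437c1f74877e27e1e895ee6dbd6": "Cobalt Strike beacon (beacon_x64.exe)",
}
RANSOM_EXTENSION = ".hunter"
RANSOM_NOTE = "decryption instructions.txt"


def md5_of(path, chunk=1 << 20):
    """Stream a file through MD5 so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, md5_iocs=None):
    """Walk root; return hash/note hits and a count of .Hunter-encrypted files."""
    iocs = CRAZYHUNTER_MD5 if md5_iocs is None else md5_iocs
    hits, encrypted = [], 0
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            lower = fname.lower()
            if lower.endswith(RANSOM_EXTENSION):
                encrypted += 1            # already-encrypted victim data
                continue
            if lower == RANSOM_NOTE:
                hits.append(("ransom_note", full, ""))
                continue
            try:
                digest = md5_of(full)
            except OSError:               # locked/unreadable file: skip, do not abort
                continue
            if digest in iocs:
                hits.append(("known_hash", full, iocs[digest]))
    return {"hits": hits, "encrypted_files": encrypted}


def build_demo_tree():
    """Create constructed files for an offline run; returns (path, demo_iocs)."""
    root = tempfile.mkdtemp(prefix="crazyhunter_demo_")
    samples = {
        "report.docx.Hunter": b"ciphertext",        # mimics an encrypted file
        "Decryption Instructions.txt": b"note",     # mimics the ransom note
        "go.exe": b"constructed sample",            # stands in for a known binary
        "clean.txt": b"nothing to see",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    demo_iocs = {hashlib.md5(b"constructed sample").hexdigest(): "demo: go.exe"}
    return root, demo_iocs


if __name__ == "__main__":
    demo_root, demo_iocs = build_demo_tree()
    print(sweep(demo_root, demo_iocs))
```

Two caveats when running this for real: the WinDivert.dll and WinDivert64.sys hashes belong to a legitimate packet-capture library that PortBender merely bundles, so a hit on those two alone is context rather than proof of compromise; and a hash sweep finds only the exact samples in the table, which is why the extension and note checks (which survive repacking) are in the same pass.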

Mitigating CrazyHunter requires more than just endpoint security. It demands a combination of identity protection, system hardening, user training, monitoring, and strong network architecture. Given its targeted focus and advanced techniques, organizations must be proactive in implementing layered defenses to detect, contain, and recover from this threat.

How Can SOCRadar Help?

CrazyHunter has quickly evolved from a minor threat into a well-organized ransomware group, using advanced techniques such as BYOVD (Bring Your Own Vulnerable Driver), abuse of Active Directory, and the exploitation of open-source tools like SharpGPOAbuse and Prince Ransomware builder. Their targeted campaigns against Taiwanese healthcare, education, and industrial sectors highlight their strategic intent and growing technical capabilities.

As threat actors like CrazyHunter expand their toolkit and sharpen their tactics, organizations must match that pace with comprehensive threat visibility and proactive defense.

Organizations can take a first proactive step by checking their domain's dark web exposure for free with the SOCRadar Labs Dark Web Report.

Dark Web Monitoring
Detect leaked credentials, PII, and internal data across forums and ransomware leak sites.

SOCRadar’s Advanced Dark Web Monitoring

Threat Intelligence Feeds
Get real-time alerts on CrazyHunter’s TTPs, file hashes, and infrastructure changes.

Attack Surface Management
Identify exposed assets, misconfigured services, and vulnerable software before they’re exploited.

SOCRadar’s Attack Surface Management

Digital Risk Protection
Monitor your digital footprint to prevent data misuse, impersonation, or domain abuse.

Ransomware Group Tracking
Follow CrazyHunter and similar groups to understand evolving tactics and prepare defenses.

SOCRadar helps you stay one step ahead; detect, prioritize, and respond before threats cause damage.

What are the MITRE ATT&CK TTPs of CrazyHunter Ransomware?

Tactic | Technique
Execution | T1059.003 – Command and Scripting Interpreter: Windows Command Shell
Persistence | T1547 – Boot or Logon Autostart Execution
Privilege Escalation | T1068 – Exploitation for Privilege Escalation
Privilege Escalation | T1484.001 – Domain or Tenant Policy Modification: Group Policy Modification
Defense Evasion | T1562.001 – Impair Defenses: Disable or Modify Tools
Defense Evasion | T1211 – Exploitation for Defense Evasion
Discovery | T1083 – File and Directory Discovery
Lateral Movement | T1570 – Lateral Tool Transfer
Collection | T1005 – Data from Local System
Exfiltration | T1048 – Exfiltration Over Alternative Protocol
Impact | T1486 – Data Encrypted for Impact
Initial Access / Persistence / Privilege Escalation / Defense Evasion | T1078.002 – Valid Accounts: Domain Accounts