Dark Web Profile: CrazyHunter Ransomware
On February 9, 2025, Taiwan MacKay Memorial Hospital suffered a major ransomware attack. It hit the emergency and outpatient systems at both the Taipei and Tamsui campuses. More than 500 computers were encrypted, causing serious disruptions to medical services.
The attack began when an employee unknowingly plugged a USB drive into a hospital computer. This introduced the CrazyHunter ransomware into the system. The malware uses BYOVD (Bring Your Own Vulnerable Driver) methods. It exploited a legitimate driver, zam64.sys from Zemana AntiMalware, to raise its privileges, turn off endpoint protection (EDR), and try to access Microsoft AD accounts using weak passwords. The ransomware then spread widely across the internal network, damaging many of the hospital’s computers and systems.
Who is CrazyHunter Ransomware?
The ransomware attack on MacKay Memorial Hospital in Taiwan is part of a growing trend where threat actors use publicly available tools and code. In this case, the ransomware called “CrazyHunter” was created using a builder named “Prince Ransomware,” which had been shared on GitHub.
Threat actor card for CrazyHunter Ransomware
CrazyHunter has quickly become a notable threat. The group recently launched a data leak site (DLS) listing ten victims, all based in Taiwan. Since early January, internal monitoring has revealed a clear pattern of targeting Taiwanese organizations. Their victims include hospitals, medical centers, universities, schools, manufacturing firms, and industrial companies, indicating a focus on sectors with sensitive data and critical operations.
What are CrazyHunter Ransomware’s Targets?
The CrazyHunter ransomware group has focused most of its attacks on Taiwan, with 90% of confirmed victims based there. Only one reported victim is located in the United States, and that case may be a false attribution. This strong geographic bias suggests that CrazyHunter is deliberately targeting organizations located in Taiwan.
Announced victims of CrazyHunter Ransomware. Note: The one US victim might be a false attribution.
The group has attacked a variety of sectors, but healthcare and technology stand out as the most affected. Hospitals and medical institutions make up 30% of known victims, including MacKay Memorial Hospital, Changhua Christian Hospital, and Asia University Hospital. Another 30% of the victims belong to the technology sector, such as Zuni Data, Analog Integrations Corporation, and Netronix Inc. Manufacturing companies represent 20% of the cases, with Huacheng Electric and KD Panels falling victim. The remaining 20% includes educational institutions like Asia University and a consumer service company.
CrazyHunter targeted organizations with sensitive data or essential functions, such as hospitals, universities, and tech or industrial firms. By using a public data leak site, the group pressures victims through exposure and threats. Most attacks happened earlier this year, suggesting a coordinated campaign focused on causing disruption and demanding ransom, mainly in Taiwan.
What are CrazyHunter Ransomware’s Techniques?
CrazyHunter ransomware uses a mix of publicly available tools, vulnerable drivers, and tailored malware to carry out sophisticated attacks. As documented by researchers, the group’s operations show a clear focus on defense evasion, privilege escalation, lateral movement, and impact through ransomware deployment. Below is a breakdown of their main tactics, techniques, and tools:
Initial Access
- USB infection vector: In at least one major incident, the attack began when an employee inserted an infected USB into an internal system.
Execution
- Batch script orchestration: A batch script coordinates the launch of multiple components, such as:
- Disabling security software
- Deploying ransomware
- Ensuring fallback routines if earlier stages fail
The contents of the batch script used by CrazyHunter (TrendMicro)
Execution Flow:
- Run go2.exe and go.exe – disable EDR via zam64.sys
- Run go3.exe – ransomware deployment
- If failure occurs:
- Run av-1m.exe – another AV killer (C++)
- Run bb.exe to load crazyhunter.sys
- As a last resort, execute the EXE ransomware payload directly
Defense Evasion
- BYOVD – Bring Your Own Vulnerable Driver
- Uses zam64.sys, a signed driver from Zemana AntiMalware, to load a kernel-mode service
- Driver is abused through ZammoCide to disable:
- Microsoft Defender
- Avira
- Other EDR/AV products
- Continuous process killing: The driver spawns a kernel-mode operation that terminates high-privilege processes even if they respawn.
- Whitelisting strategy: The ransomware avoids encrypting critical system directories and certain file types:
- Extensions ignored: .exe, .dll, .sys, .msi, .ps1, etc.
- Directories ignored: C:\Windows, System32, AppData, Program Files, EFI, etc.
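The execution flow and BYOVD steps above translate directly into a host-based detection: a cmd.exe parent spawning the named AV-killer and encryptor binaries, and a driver-load event for zam64.sys or crazyhunter.sys. The following Python script is an added example, not code from the SOCRadar post or from any vendor product. It replays constructed Sysmon-style events (Event ID 1 process creation and Event ID 6 driver load; the paths and signer string are made up for the demo) and raises alerts for those two patterns.

```python
"""Added example (not from the SOCRadar post): replay constructed Sysmon-style
events and flag the CrazyHunter execution chain and BYOVD driver loads."""
from dataclasses import dataclass
from typing import List

# Component names from the post's execution flow; the batch script launches
# them from cmd.exe, so a cmd.exe parent spawning one of them is the signal.
CHAIN_BINARIES = {"go.exe", "go2.exe", "go3.exe", "av-1m.exe", "bb.exe"}
# Drivers named in the post: the abused Zemana driver and the group's own loader.
SUSPICIOUS_DRIVERS = {"zam64.sys", "crazyhunter.sys"}


@dataclass
class Event:
    """Minimal subset of Sysmon fields used by this detector."""
    event_id: int            # 1 = process create, 6 = driver load (Sysmon IDs)
    image: str               # path of the created process or loaded driver
    parent_image: str = ""   # parent process path (event_id 1 only)
    signature: str = ""      # signer string (event_id 6 only)


def basename(path: str) -> str:
    """Last path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def detect(events: List[Event]) -> List[str]:
    """Return alert strings for the CrazyHunter patterns found in `events`."""
    alerts = []
    chain_hits = []
    for ev in events:
        name = basename(ev.image).lower()
        parent = basename(ev.parent_image).lower()
        if ev.event_id == 1 and parent == "cmd.exe" and name in CHAIN_BINARIES:
            chain_hits.append(name)
            alerts.append(f"cmd.exe spawned known CrazyHunter component {name}")
        elif ev.event_id == 6 and name in SUSPICIOUS_DRIVERS:
            # A valid signature does not make the load benign: BYOVD works
            # precisely because zam64.sys is a legitimately signed driver.
            alerts.append(f"BYOVD driver load: {name} (signer: {ev.signature or 'none'})")
    # Two or more chain components launched from cmd.exe match the batch
    # orchestration the post describes (EDR killer first, then encryptor).
    if len(chain_hits) >= 2:
        alerts.append("HIGH: batch-orchestrated chain " + " -> ".join(chain_hits))
    return alerts


# Constructed sample events; paths and the signer value are invented for the demo.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),
    Event(1, r"C:\Users\Public\go2.exe", r"C:\Windows\System32\cmd.exe"),
    Event(6, r"C:\Windows\System32\drivers\zam64.sys", signature="constructed-signer"),
    Event(1, r"C:\Users\Public\go.exe", r"C:\Windows\System32\cmd.exe"),
    Event(1, r"C:\Users\Public\go3.exe", r"C:\Windows\System32\cmd.exe"),
    Event(1, r"C:\Program Files\Editor\editor.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The driver-load rule deliberately keys on the driver name rather than on signature validity, because the whole point of BYOVD is that the abused driver passes signature checks; in production the name match would be replaced by the hash blocklist from the IoC table or by a WDAC/vulnerable-driver blocklist.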
Privilege Escalation & Lateral Movement
- SharpGPOAbuse
- Exploits Group Policy Objects (GPOs) where attackers have edit rights
- Allows deployment of malicious scripts across the domain
- Enables privilege escalation and remote code execution across connected machines
Impact – Ransomware Payload
- Ransomware core: Built using Prince Ransomware builder, compiled in Go
- Uses ChaCha20 for file encryption
- Uses ECIES for asymmetric encryption
- Encrypted files end with .Hunter extension
- Drops ransom note “Decryption Instructions.txt”
- Modifies desktop wallpaper with a ransom message
- Persistence mechanisms:
- Some executables run as Windows services (e.g., ZammOcide service)
- Driver loaded at boot via crazyhunter.sys
Exfiltration
- file.exe: a Go-based utility that runs in two modes:
- Monitor mode: watches for changes in web file types (.asp, .php, .jsp)
- File server mode: runs a web server on port 9999
- Can operate with whitelisting or blacklisting logic
- Capable of stealthy exfiltration or staging
IoCs, Toolset and Software Used by CrazyHunter
| MD5 Hash | Filename(s) | Description |
|---|---|---|
| 6bb811e2fbb498f466980a176caefbfb | a.ashx | Webshell – Godzilla |
| 5cc2523816a184fed135f0119756c337 | tunnel.aspx | reGeorg SOCKS tunnel |
| b35813aac8a164e379f507de67c02a6f | ntlmrelayx.exe | impacket – NTLMRelayx |
| 28bbd938ecbab26c4ad1ce96bbd9d1f5 | secretsdump.exe | impacket – secretsdump |
| ba61c126dbbd7cde055d40e0e6b5d48f | PortBender.exe | Port redirector |
| b2014d33ee645112d5dc16fe9d9fcbff | WinDivert.dll | PortBender dependency |
| 89ed5be7ea83c01d0de33d3519944aa5 | WinDivert64.sys | PortBender dependency |
| 7f05a928c77cb87ffb510168c1b0b11b | aa.exe, cc.exe | AV Killer |
| e12c5be075c23d1c5f398e46e2ee5d40 | av-1m.exe | Obfuscated AV killer |
| 87b3db166041c61f3a033cf3c94e89c6 | av-500kb.exe | Obfuscated AV killer |
| ca257aaa1ded22ca22086b9e95cb456d | go.exe | AV/EDR killer (Golang version) |
| da1a93627cec6665ae28baaf23ff27c5 | go2.exe | AV/EDR killer (Golang version) |
| 6a70c22a5778eaa433b6ce44513068da | crazyhunter.exe, go3.exe, hunter.exe | Main ransomware encryptor |
| 5e560ea46fa48188cc8768c7e03294d0 | hunter.exe | Variant ransomware sample |
| 9fe3322dd4fc35d1ed510bf715dae814 | bb.exe | Donut loader for shellcode |
| 906e89f6eb39919c6d12a660b68ae81f | crazyhunter.sys | Donut-packed shellcode (kernel loader) |
| 7f3d07220529742bdc1827186b73666a | hunter.ini | Donut config/init data |
| 9e45ab7d2d942a575b2f902cccfb3839 | gpo.exe | SharpGPO abuse tool |
| 6d04be58f8987853ab57c745ec5663f9 | appitob.exe | Cobalt Strike beacon with domain-fronting |
| f58712846e029a548ccd52b24ae0b720 | svc.exe | Cobalt Strike beacon variant (graph.microsoft.com) |
| eb151437c1f74877e27e1e895ee6dbd6 | beacon_x64.exe | Beacon with DevTunnels domain-fronting |
Technical analysis based on public intelligence by Team5t
What are the Mitigation Tactics Against CrazyHunter Ransomware?
Below are key mitigation tactics that can help protect against CrazyHunter ransomware:
- Enforce Strong Authentication
Using valid domain accounts is a known tactic of CrazyHunter. To reduce this risk:
- Enable multi-factor authentication (MFA) for all users, especially administrators.
- Enforce strong, unique passwords and regular password rotation.
- Disable unused accounts and monitor for unauthorized login attempts.
- Control Initial Access Vectors
Initial access in some incidents occurred via infected USB devices or webshells on IIS servers. Organizations should:
- Block unauthorized USB device use via Group Policy or endpoint controls.
- Scan all external media before use.
- Monitor public-facing servers for unexpected uploads or file executions.
- Harden Endpoint and Driver Protections
CrazyHunter relies on loading vulnerable drivers like zam64.sys to disable endpoint defenses.
- Use Endpoint Detection and Response (EDR) solutions with kernel protection features.
- Enable Driver Signature Enforcement and block known vulnerable drivers.
- Implement Hardware-enforced Stack Protection and Microsoft Defender Exploit Guard.
- Limit Lateral Movement and GPO Abuse
SharpGPOAbuse was used by the threat actor to deploy malicious scripts across the domain.
- Restrict Group Policy modification rights to a minimum set of administrators.
- Audit GPO changes regularly and monitor for suspicious task creation or script policies.
- Implement network segmentation to isolate key infrastructure like AD servers.
- Monitor for Abuse of AD Certificate Services (ADCS)
The group leveraged vulnerabilities in ADCS using tools like PetitPotam, ntlmrelayx, and certipy.
- Disable unnecessary ADCS features such as Web Enrollment.
- Monitor certificate requests and NTLM relay activity.
- Apply Microsoft hardening guidelines for Active Directory Certificate Services.
- Prevent Data Exfiltration
CrazyHunter uses custom tools like file.exe to stage and exfiltrate data.
- Restrict outbound connections to essential services only.
- Block high-risk ports such as 9999 unless required for business.
- Inspect and alert on abnormal data flows or embedded web servers within endpoints.
- Backup and Recovery Preparedness
File encryption via ChaCha20 and ECIES can make recovery without backups nearly impossible.
- Maintain regular backups using the 3-2-1 strategy (three copies, two media types, one offsite).
- Test backup restoration frequently to confirm recovery integrity.
- Store backup systems in isolated networks with restricted access.
- Increase User Awareness
User behavior is a critical line of defense.
- Train staff to recognize phishing attempts, suspicious USB activity, and signs of ransomware.
- Encourage reporting of unusual login prompts, desktop changes, or missing files.
- Conduct regular simulated phishing exercises and security awareness sessions.
- Apply Timely Patch Management
Outdated systems and software provide an easy entry point.
- Patch vulnerabilities in operating systems, drivers, middleware, and security software.
- Apply vendor updates for certificate services and SMB components.
- Monitor for new CVEs associated with BYOVD or GPO exploitation.
- Block Known Indicators of Compromise (IoCs)
Use threat intelligence feeds to block known hashes and artifacts used by CrazyHunter:
- Files such as go.exe, bb.exe, hunter.exe, and crazyhunter.sys.
- MD5 hashes and associated TTPs (T1068, T1486, T1078.002, etc.).
- Watch for .Hunter extensions, Decryption Instructions.txt, and known C2 domains like DevTunnels or Graph API-based infrastructure.
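The IoC table earlier in the post and the indicator list just given can be applied with a simple file-system sweep. The following Python script is an added example, not code from the SOCRadar post or from any vendor tool. The MD5 values are copied from the IoC table, and the ransom-note name and .Hunter extension come from the post; the demo directory it builds is constructed sample data (benign files plus one file whose hash is added to the lookup table for the demo), so it contains no real malware.

```python
"""Added example (not from the SOCRadar post): sweep a directory tree for the
file-based CrazyHunter indicators listed in the post."""
import hashlib
import os
import tempfile

# MD5 values copied from the IoC table in the post (lowercase hex).
CRAZYHUNTER_MD5 = {
    "ca257aaa1ded22ca22086b9e95cb456d": "go.exe - AV/EDR killer (Go)",
    "da1a93627cec6665ae28baaf23ff27c5": "go2.exe - AV/EDR killer (Go)",
    "6a70c22a5778eaa433b6ce44513068da": "crazyhunter.exe/go3.exe/hunter.exe - encryptor",
    "9fe3322dd4fc35d1ed510bf715dae814": "bb.exe - Donut loader",
    "906e89f6eb39919c6d12a660b68ae81f": "crazyhunter.sys - kernel loader",
    "9e45ab7d2d942a575b2f902cccfb3839": "gpo.exe - SharpGPO abuse tool",
    "7f05a928c77cb87ffb510168c1b0b11b": "aa.exe/cc.exe - AV killer",
}
RANSOM_NOTE = "decryption instructions.txt"   # dropped by the encryptor
ENCRYPTED_EXT = ".hunter"                      # appended to encrypted files


def md5_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, hashes=CRAZYHUNTER_MD5):
    """Return (path, reason) pairs for every indicator found under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == RANSOM_NOTE:
                findings.append((path, "ransom note name"))
            elif lower.endswith(ENCRYPTED_EXT):
                findings.append((path, "encrypted-file extension"))
            try:
                digest = md5_of(path)
            except OSError:   # unreadable or vanished file; keep sweeping
                continue
            if digest in hashes:
                findings.append((path, "MD5 match: " + hashes[digest]))
    return findings


def build_demo_dir():
    """Constructed sample tree with no real malware; returns (root, hash table).

    The hash table is the post's IoCs plus one constructed entry for the demo
    file, so the hash path of sweep() is exercised without a real sample."""
    root = tempfile.mkdtemp(prefix="crazyhunter_demo_")
    sample = b"constructed sample content, not a real artefact"
    entries = {
        "Decryption Instructions.txt": b"demo note text",
        "report.docx.Hunter": b"\x00\x01\x02 demo ciphertext",
        "readme.txt": b"benign file",
        "sample.bin": sample,
    }
    for name, data in entries.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    hashes = dict(CRAZYHUNTER_MD5)
    hashes[hashlib.md5(sample).hexdigest()] = "constructed demo hash (not a real IoC)"
    return root, hashes


if __name__ == "__main__":
    demo_root, demo_hashes = build_demo_dir()
    for path, reason in sweep(demo_root, demo_hashes):
        print(f"{reason}: {path}")
```

Hash matching only catches the exact samples in the table, which is why the sweep also keys on the ransom-note name and the .Hunter extension: those survive recompilation of the Prince-based encryptor, whereas a single byte change defeats the MD5 lookup.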
Mitigating CrazyHunter requires more than just endpoint security. It demands a combination of identity protection, system hardening, user training, monitoring, and strong network architecture. Given its targeted focus and advanced techniques, organizations must be proactive in implementing layered defenses to detect, contain, and recover from this threat.
How Can SOCRadar Help?
CrazyHunter has quickly evolved from a minor threat into a well-organized ransomware group, using advanced techniques such as BYOVD (Bring Your Own Vulnerable Driver), abuse of Active Directory, and the exploitation of open-source tools like SharpGPOAbuse and Prince Ransomware builder. Their targeted campaigns against Taiwanese healthcare, education, and industrial sectors highlight their strategic intent and growing technical capabilities.
As threat actors like CrazyHunter expand their toolkit and sharpen their tactics, organizations must match that pace with comprehensive threat visibility and proactive defense.
Organizations can take a first proactive step by checking how often their domain appears on the Dark Web, for free, with the SOCRadar Labs Dark Web Report.
Dark Web Monitoring
Detect leaked credentials, PII, and internal data across forums and ransomware leak sites.
Threat Intelligence Feeds
Get real-time alerts on CrazyHunter’s TTPs, file hashes, and infrastructure changes.
Attack Surface Management
Identify exposed assets, misconfigured services, and vulnerable software before they’re exploited.
Digital Risk Protection
Monitor your digital footprint to prevent data misuse, impersonation, or domain abuse.
Ransomware Group Tracking
Follow CrazyHunter and similar groups to understand evolving tactics and prepare defenses.
SOCRadar helps you stay one step ahead: detect, prioritize, and respond before threats cause damage.
What are the MITRE ATT&CK TTPs of CrazyHunter Ransomware?
| Tactic | Technique |
|---|---|
| Execution | T1059.003 – Windows Command Shell |
| Persistence | T1547 – Boot or Logon AutoStart Execution |
| Privilege Escalation | T1068 – Exploitation for Privilege Escalation |
| Privilege Escalation | T1484.001 – Group Policy Modification |
| Defense Evasion | T1562.001 – Disable or Modify Tools |
| Defense Evasion | T1211 – Exploitation for Defense Evasion |
| Discovery | T1083 – File and Directory Discovery |
| Lateral Movement | T1570 – Lateral Tool Transfer |
| Collection | T1005 – Data from Local System |
| Exfiltration | T1048 – Exfiltration Over Alternative Protocol |
| Impact | T1486 – Data Encrypted for Impact |
| Credential Access | T1078.002 – Domain Accounts |