
    CrazyHunter ransomware escalates with advanced intrusion tactics, six Taiwan healthcare victims confirmed

    New research from Trellix detailed that CrazyHunter ransomware has emerged as a serious and escalating threat, underscoring the growing sophistication of modern cybercriminal operations. Trellix has tracked the malware since its first appearance, observing rapid technical evolution and increasing activity. To date, the primary targets have been healthcare organizations in Taiwan, with six confirmed victims. Technically, CrazyHunter is a fork of the Prince ransomware that surfaced in mid-2024, but it incorporates meaningful enhancements, particularly in network intrusion methods and anti-malware evasion capabilities.

    “CrazyHunter, a Go-developed ransomware, employs advanced encryption and delivery methods targeted against Windows-based machines. It uses a data leak site to publicize victim information,” Aswath A, a Trellix researcher, wrote in a company blog post last week. “According to available information, the primary industry targeted by CrazyHunter ransomware is the healthcare sector, with repeated attacks on hospitals in Taiwan. This preference is likely due to the critical nature of healthcare services, where vast amounts of sensitive patient data are held by these organizations, and downtime can have severe consequences.”

    Aswath added that the primary targets of the CrazyHunter ransomware have been companies in Taiwan, with six organizations known to be compromised. The attackers maintain a data leak site where they publicize information about their victims, particularly those who do not cooperate. 

    Noting that CrazyHunter’s attack methodology is ruthlessly efficient, Aswath identified that the adversaries demonstrated a deep understanding of enterprise network vulnerabilities. 

    A typical CrazyHunter ransomware attack unfolds in a series of distinct stages. The initial compromise often begins with the exploitation of weaknesses in an organization’s Active Directory infrastructure, most commonly through weak passwords associated with domain accounts. Once access is established, attackers move laterally and propagate rapidly across the environment. In observed CrazyHunter incidents, this phase frequently involves the use of SharpGPOAbuse to deploy the ransomware payload via Group Policy Objects, enabling fast distribution to multiple systems while relying on compromised Active Directory credentials to sustain the spread.

    After gaining broad access, the attackers focus on privilege escalation to disable defenses and consolidate control. CrazyHunter is notable for its use of a ‘bring-your-own-vulnerable-driver’ technique, in which a modified Zemana anti-malware driver, zam64[dot]sys, is weaponized to elevate privileges and bypass security mechanisms that would normally block such activity. The attack concludes with widespread encryption of files across the network, rendering critical data inaccessible, followed by a ransom demand that seeks payment in exchange for decryption keys.

    “A concerning trend in modern cyberattacks involves multistage operations where initial actions are strategically designed to weaken or eliminate security measures before the primary malicious payload is executed,” Aswath wrote. “Examining a specific attack flow, as depicted in a particular batch script, reveals a deliberate and sophisticated approach to compromising systems. This analysis will dissect the script’s actions, the underlying technical mechanisms employed to disable anti-malware software, and the context surrounding the final deployment of the CrazyHunter ransomware.”

    At its core, CrazyHunter ransomware employs a hybrid encryption strategy that combines symmetric and asymmetric algorithms to secure files. This dual-layered approach is inherited from its foundation, the ‘Prince Ransomware’ builder, an open-source tool written in Go.

    “For the primary task of encrypting file content, CrazyHunter utilizes the ChaCha20 stream cipher,” according to Aswath. “A distinctive feature of this ransomware is its partial encryption. Instead of encrypting the entire file, it encrypts one byte of data and then skips the next two, leaving them in their original, unencrypted state. This 1:2 encryption ratio is a deliberate design choice from the underlying Prince builder.” 

    He noted that the likely rationale for this technique is to increase the speed of the encryption process, allowing the ransomware to compromise a larger number of files in less time and potentially evade security solutions that monitor for heavy, sustained disk I/O operations.
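The 1:2 pattern is easier to reason about in code than in prose. The following is an added illustration written for this page, not Trellix's analysis code or the Prince builder's own source: a from-scratch RFC 8439 ChaCha20 block function, the interleaved "encrypt one byte, skip two" loop, and a count of how many bytes a responder can still read afterwards. How Prince advances the keystream across skipped bytes is not stated on the page, so consuming keystream only for encrypted bytes is an assumption; the sample file and the RFC 8439 test-vector key and nonce are constructed inputs.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/bits"
)

// chachaBlock computes one 64-byte ChaCha20 keystream block (RFC 8439,
// 20 rounds) for a 32-byte key, 12-byte nonce and 32-bit block counter.
func chachaBlock(key [32]byte, nonce [12]byte, counter uint32) [64]byte {
	var s [16]uint32
	s[0], s[1], s[2], s[3] = 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574
	for i := 0; i < 8; i++ {
		s[4+i] = binary.LittleEndian.Uint32(key[4*i:])
	}
	s[12] = counter
	for i := 0; i < 3; i++ {
		s[13+i] = binary.LittleEndian.Uint32(nonce[4*i:])
	}
	w := s
	qr := func(a, b, c, d int) {
		w[a] += w[b]
		w[d] = bits.RotateLeft32(w[d]^w[a], 16)
		w[c] += w[d]
		w[b] = bits.RotateLeft32(w[b]^w[c], 12)
		w[a] += w[b]
		w[d] = bits.RotateLeft32(w[d]^w[a], 8)
		w[c] += w[d]
		w[b] = bits.RotateLeft32(w[b]^w[c], 7)
	}
	for i := 0; i < 10; i++ { // 10 double rounds = 20 rounds
		qr(0, 4, 8, 12)
		qr(1, 5, 9, 13)
		qr(2, 6, 10, 14)
		qr(3, 7, 11, 15)
		qr(0, 5, 10, 15)
		qr(1, 6, 11, 12)
		qr(2, 7, 8, 13)
		qr(3, 4, 9, 14)
	}
	var out [64]byte
	for i := 0; i < 16; i++ {
		binary.LittleEndian.PutUint32(out[4*i:], w[i]+s[i])
	}
	return out
}

// partialEncrypt applies the 1:2 pattern the Trellix write-up describes:
// byte 0 is XORed with keystream, bytes 1 and 2 are left untouched, byte 3
// is XORed, and so on. Keystream is consumed only for the bytes actually
// encrypted (an assumption; the page does not say how Prince advances it
// across skipped bytes). XOR is its own inverse, so the same call with the
// same key and nonce decrypts.
func partialEncrypt(key [32]byte, nonce [12]byte, data []byte) []byte {
	out := make([]byte, len(data))
	copy(out, data)
	var ks [64]byte
	counter, used := uint32(1), len(ks) // force a keystream fetch on first use
	for i := 0; i < len(out); i += 3 {
		if used == len(ks) {
			ks = chachaBlock(key, nonce, counter)
			counter++
			used = 0
		}
		out[i] ^= ks[used]
		used++
	}
	return out
}

// countUnchanged returns how many byte positions still hold their original
// value after encryption, i.e. how much of a file a responder can still read.
func countUnchanged(orig, enc []byte) int {
	n := 0
	for i := range orig {
		if orig[i] == enc[i] {
			n++
		}
	}
	return n
}

func main() {
	// Constructed sample: a PNG-style signature followed by text, standing in
	// for a real file. Key and nonce are the RFC 8439 test-vector values.
	sample := append([]byte("\x89PNG\r\n\x1a\n"), []byte("sample record 0001: lorem ipsum")...)
	var key [32]byte
	for i := range key {
		key[i] = byte(i)
	}
	nonce := [12]byte{0, 0, 0, 9, 0, 0, 0, 0x4a}
	enc := partialEncrypt(key, nonce, sample)
	fmt.Printf("%d of %d bytes left in the clear: %q\n", countUnchanged(sample, enc), len(sample), enc)
}
```

Two things fall out of running it: roughly two thirds of every file survives verbatim, so magic bytes, strings and record layouts remain partly legible for triage, and because only one third of the bytes touch the keystream the writer saves a proportional amount of cipher work and disk traffic per file, which is the speed argument above. Partial coverage does not make the data recoverable, however: every third byte is still bound to a per-file key the victim never sees.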

    While ChaCha20 encrypts the data, the security of the entire operation depends on protecting the unique key and nonce generated for each file. To achieve this, CrazyHunter employs the Elliptic Curve Integrated Encryption Scheme (ECIES). ECIES is an efficient asymmetric encryption method that provides comparable security with much shorter keys than algorithms such as RSA. Each file’s key material is wrapped to the attacker’s public key, so decryption is impossible without the corresponding ECIES private key, which remains exclusively in the attacker’s possession. Encrypted files are typically renamed with a [dot]Hunter extension.
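Why a captured sample or an encrypted file never yields the key is clearest when the wrap step is written out. The block below is an added example for this page, not code from Prince, CrazyHunter or Trellix: an ECIES-style wrap using Go's standard crypto/ecdh over P-256, with SHA-256 as the key-derivation step and AES-256-GCM as the data-encapsulation mechanism. The curve, KDF and DEM are stand-ins chosen for the standard library, since the page does not name the ones Prince uses; the 44-byte "key and nonce" blob and both key pairs are constructed here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// wrapFileKey is the per-file step: generate an ephemeral P-256 key, derive a
// shared secret with the operator's static public key (the only key the
// ransomware binary needs to carry), hash it into a one-time wrapping key and
// seal the file's ChaCha20 key and nonce under it. The ephemeral private key
// is discarded; only the ephemeral public key and the sealed blob would be
// written into the encrypted file's header.
func wrapFileKey(operatorPub *ecdh.PublicKey, keyAndNonce []byte) (ephPub, sealed []byte, err error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return nil, nil, err
	}
	ephPub = eph.PublicKey().Bytes()
	aead, err := aeadFor(shared, ephPub)
	if err != nil {
		return nil, nil, err
	}
	// A fresh wrapping key is derived for every file, so a fixed nonce is safe.
	sealed = aead.Seal(nil, make([]byte, aead.NonceSize()), keyAndNonce, ephPub)
	return ephPub, sealed, nil
}

// unwrapFileKey is what the attacker's decryptor does: only the holder of the
// operator's static private key can recompute the shared secret and open the blob.
func unwrapFileKey(operatorPriv *ecdh.PrivateKey, ephPub, sealed []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(shared, ephPub)
	if err != nil {
		return nil, err
	}
	out, err := aead.Open(nil, make([]byte, aead.NonceSize()), sealed, ephPub)
	if err != nil {
		return nil, errors.New("wrong private key or tampered header")
	}
	return out, nil
}

// aeadFor derives the wrapping key as SHA-256(shared || ephPub) and returns
// AES-256-GCM over it. Stand-in KDF and DEM chosen for this example.
func aeadFor(shared, ephPub []byte) (cipher.AEAD, error) {
	h := sha256.New()
	h.Write(shared)
	h.Write(ephPub)
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	operator, _ := ecdh.P256().GenerateKey(rand.Reader) // never leaves the attacker
	fileSecret := make([]byte, 32+12)                  // per-file ChaCha20 key + nonce
	if _, err := rand.Read(fileSecret); err != nil {
		panic(err)
	}
	ephPub, sealed, _ := wrapFileKey(operator.PublicKey(), fileSecret)
	got, err := unwrapFileKey(operator, ephPub, sealed)
	fmt.Println("operator recovers file key:", err == nil && bytes.Equal(got, fileSecret))
	other, _ := ecdh.P256().GenerateKey(rand.Reader) // anyone without the private key
	_, err = unwrapFileKey(other, ephPub, sealed)
	fmt.Println("anyone else:", err)
}
```

The point for responders is in what the binary and the file header contain: a public key, an ephemeral public key and an authenticated ciphertext. None of those, nor any memory the process held after the ephemeral key was dropped, is enough to recover the ChaCha20 key, which is why recovery planning has to rest on backups rather than on hoping for a flaw in the sample.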

    Trellix also manually decoded shellcode recovered from the intrusion with the open-source ‘donut-decryptor’ tool on GitHub and found that it carried the same go[dot]exe payload.

    Analysis revealed that the file[dot]exe artifact has dual functionality: it can turn a compromised machine into a file server or act as a file-monitoring and deletion tool. When operating as a file server, it exposes the designated directory (defaulting to the current working directory) over localhost on a specified port (default: 9999). In monitoring mode, it systematically scans the directory and its sub-directories and deletes files matching predefined extensions.

    Jeff Wichman, director of incident response at Semperis, sees these attacks as part of a broader shift in which operations are increasingly used as a tool of state pressure across the region. 

    “These latest attacks on Taiwan healthcare organizations speak to a larger shift happening right now, where operations are used as a tool of state pressure across the region,” Wichman wrote in an emailed statement. “Rather than opportunistic disruption, these campaigns increasingly focus on identity systems that underpin critical infrastructure entities, including healthcare organizations. Attackers understand that once identity is compromised, lateral movement, privilege escalation and widespread disruption become far easier to execute.”  

    To reduce risk, Wichman called on healthcare and critical infrastructure organizations to prioritize building an impenetrable identity fortress. “That means continuously monitoring identity systems to uncover potential weak spots or early signs of abuse, creating stricter authorization privileges with routine audits, and proactively preparing an identity recovery plan in the event something slips through the cracks and becomes compromised. This plays a critical role in accelerating recovery.” 

    Trellix outlines several measures to help neutralize the CrazyHunter ransomware. Organizations should secure Active Directory by enforcing multi-factor authentication across domain accounts and tightly controlling who can modify Group Policy Objects, reducing the risk of credential theft and of payload distribution through SharpGPOAbuse. Endpoint defenses should detect and block the antivirus-killer scripts that precede the ransomware payload, and bring-your-own-vulnerable-driver attacks, in which a flawed signed driver is loaded to escalate privileges and shut down security software, should be blocked at the driver-loading level.

    Strong recovery capabilities are equally critical. Organizations should implement a robust backup strategy that includes off-site and offline storage to ensure backups remain immutable and inaccessible to ransomware, and they should regularly test incident response plans to confirm effective recovery after an attack. 

    Finally, lateral movement should be restricted through network segmentation and strict access controls, limiting the ransomware’s ability to spread rapidly across the environment, particularly through compromised Active Directory credentials and Group Policy Objects.
