Full Report
CrazyHunter is a newly emerged ransomware group that has rapidly gained attention for its focused attacks on Taiwan’s critical sectors, particularly healthcare, education, and manufacturing. The group’s operations demonstrate a high level of sophistication, leveraging both adv...
Analysis Summary
# Threat Actor: CrazyHunter
## Attribution & Identity
Newly emerged ransomware group targeting Taiwan. No specific long-term attribution is provided beyond the group name "CrazyHunter operator."
## Activity Summary
CrazyHunter has recently gained rapid attention due to focused ransomware operations targeting critical sectors in Taiwan since January. The group deploys ransomware using customized payloads resulting in network encryption.
## Tactics, Techniques & Procedures
- Bring Your Own Vulnerable Driver (BYOVD) technique used specifically to disable security solutions.
- Exploiting the **Zemana Anti-Malware driver (_zam64.sys_)** using the tool **ZammoCide**.
- Leveraging **SharpGPOAbuse** for lateral movement and privilege escalation by manipulating Group Policy Objects.
- Execution via layered batch scripts and fallback mechanisms.
- Leveraging approximately 80% open-source tools retrieved from GitHub, along with advanced evasion tactics.
## Targeting
- Sectors: Healthcare, Education, Manufacturing (Critical Sectors).
- Geography: Taiwan.
- Victims: Not explicitly named beyond the targeted sectors.
## Tools & Infrastructure
- Malware families used: Customized version of **Prince ransomware** (written in Go).
- Observed Tools: Prince ransomware builder, ZammoCide, SharpGPOAbuse, file.exe (used for file monitoring/exfiltration).
- Infrastructure: **file.exe** appears to function as a custom exfiltration server component.
## Implications
CrazyHunter demonstrates a high level of observed sophistication, relying heavily on supply chain exploitation (using vulnerable third-party drivers) and custom tooling to achieve EDR/AV evasion. Their focus on critical infrastructure presents a high potential impact on Taiwanese societal functions.
## Mitigations
- Implement robust controls and monitoring specifically against the Bring Your Own Vulnerable Driver (BYOVD) technique.
- Investigate and block or patch the known vulnerable driver used ($\text{zam64.sys}$).
- Monitor for anomalous execution related to Group Policy Object manipulation (e.g., use of `SharpGPOAbuse`).
- Validate the integrity and security stack effectiveness against heavily modified/customized payloads written in languages like Go.