[Image: the victimology page from the CrazyHunter leak site]
A new, highly aggressive ransomware strain is cutting a swath through the healthcare sector, leaving hospitals and critical organizations scrambling to protect their data. Security researchers at Trellix have released an in-depth analysis of CrazyHunter, a sophisticated threat that combines “network compromise techniques” with advanced anti-malware evasion to devastate its victims.
First appearing in mid-2024 as a fork of the Prince ransomware, CrazyHunter has rapidly evolved into a “significant and concerning threat”. Its primary hunting ground appears to be Taiwan, where it has already compromised six organizations, including multiple hospitals.
The malware’s methodology is described as “ruthlessly efficient,” designed to dismantle enterprise defenses before locking down files. The attack typically begins by exploiting weak passwords in Active Directory environments.
Once inside, the attackers use a tool called SharpGPOAbuse to weaponize Group Policy Objects (GPOs), allowing the ransomware to “spread rapidly across the network to multiple systems” like a digital wildfire.
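One place defenders can look for this kind of GPO abuse is the Group Policy Preferences files in SYSVOL, where a scheduled task pushed through a GPO is stored as XML. The following is an added example (not code from the Trellix report or from SharpGPOAbuse) that parses a constructed `ScheduledTasks.xml` and flags the traits an analyst would triage first: an immediate task, execution as SYSTEM, a command launched from a network share, and an interpreter such as `cmd.exe` as the command. The XML layout (`ImmediateTaskV2`/`TaskV2` elements with `Properties` and `Task/Actions/Exec` children) is assumed from the Group Policy Preferences format; the CLSIDs, task names and paths are placeholders.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Group Policy Preferences
# ScheduledTasks.xml layout (assumed layout; CLSIDs, names and paths are
# placeholders, not values from the report). The first task is the kind of
# entry that deserves attention; the second is a benign-looking control.
SAMPLE_SCHEDULED_TASKS_XML = """<ScheduledTasks clsid="{PLACEHOLDER-CLSID}">
  <ImmediateTaskV2 clsid="{PLACEHOLDER-CLSID}" name="Update" uid="{PLACEHOLDER-UID}">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>cmd.exe</Command>
            <Arguments>/c \\\\EXAMPLE-SHARE\\staging\\tool.exe</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 clsid="{PLACEHOLDER-CLSID}" name="Backup">
    <Properties action="C" name="Backup" runAs="CORP\\svc-backup" logonType="Password">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>C:\\Program Files\\Backup\\backup.exe</Command>
            <Arguments>/nightly</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

LAUNCHERS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}


def parse_scheduled_tasks(xml_text: str) -> list[dict]:
    """Return one record per task element with the fields triage needs."""
    root = ET.fromstring(xml_text)
    records = []
    for task in root:
        props = task.find("Properties")
        if props is None:
            continue
        exec_el = props.find("./Task/Actions/Exec")
        command = exec_el.findtext("Command", default="") if exec_el is not None else ""
        arguments = exec_el.findtext("Arguments", default="") if exec_el is not None else ""
        records.append({
            "kind": task.tag,                 # ImmediateTaskV2 vs TaskV2
            "name": task.get("name", ""),
            "run_as": props.get("runAs", ""),
            "command": command,
            "arguments": arguments,
        })
    return records


def triage(record: dict) -> list[str]:
    """Reasons a task deserves analyst attention; an empty list means nothing flagged."""
    reasons = []
    if record["kind"] == "ImmediateTaskV2":
        reasons.append("immediate task: fires on the next policy refresh of every linked host")
    if record["run_as"].upper().endswith("\\SYSTEM"):
        reasons.append("runs as NT AUTHORITY\\SYSTEM")
    cmdline = f'{record["command"]} {record["arguments"]}'
    if "\\\\" in cmdline:                    # a UNC path: payload staged on a share
        reasons.append("executes from a UNC path")
    basename = record["command"].lower().rsplit("\\", 1)[-1]
    if basename in LAUNCHERS:
        reasons.append(f"interpreter/launcher as the command: {record['command']}")
    return reasons


def scan_sysvol(sysvol_root: str) -> list[tuple[str, dict, list[str]]]:
    """Walk a SYSVOL copy (or a forensic export) and return every flagged task."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for fname in files:
            if fname.lower() != "scheduledtasks.xml":
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8-sig") as fh:
                for rec in parse_scheduled_tasks(fh.read()):
                    reasons = triage(rec)
                    if reasons:
                        findings.append((path, rec, reasons))
    return findings


if __name__ == "__main__":
    for rec in parse_scheduled_tasks(SAMPLE_SCHEDULED_TASKS_XML):
        print(rec["kind"], rec["name"], triage(rec) or "nothing flagged")
```

Run `scan_sysvol(r"\\<domain>\SYSVOL\<domain>\Policies")` from a domain-joined analysis host, or against an offline copy of the `Policies` tree, and compare the flagged tasks with the change-control record; a legitimate administrator rarely needs an immediate task that runs `cmd.exe` as SYSTEM from a share. A GPO that is linked to many OUs but contains only such a task is the pattern worth escalating.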
But the most striking feature is its ability to kill security software. Using a “Bring-Your-Own-Vulnerable-Driver” (BYOVD) technique, the attackers deploy a modified anti-malware driver (zam64.sys) to terminate legitimate antivirus processes.
“By weaponizing a modified Zemana anti-malware driver… the attackers elevate their privileges, effectively bypassing security controls that would otherwise prevent them from succeeding,” the report explains.
When it comes time to lock the files, CrazyHunter prioritizes speed. It uses the ChaCha20 stream cipher combined with partial encryption. Instead of encrypting the entire file, “it encrypts one byte of data and then skips the next two,” achieving a 1:2 encryption ratio.
This design choice allows the ransomware to “compromise a larger number of files in less time and potentially evade security solutions that monitor for heavy, sustained disk I/O operations”.
The group behind CrazyHunter is not shy about their motives. Their data leak site features a “Strategic Manifesto” claiming they want to be “greedy like REvil, not loud like LockBit”. They offer “Premium Criminal Branding Services” and threaten to publicize victim data if a ransom isn’t paid.
Communication channels include email and Telegram, with ransoms demanded in cryptocurrency. The attackers also use a dual-purpose tool, file.exe, which can turn a victim’s machine into a file server or act as a “monitoring and deletion tool” during the extortion process.
The focus on the healthcare sector is a calculated move. Trellix researchers note that this preference is likely due to the “critical nature of healthcare services, where vast amounts of sensitive patient data are held… and downtime can have severe consequences”.