Malware · January 10, 2026 · 4 min read

CrazyHunter Ransomware Hits Taiwan Healthcare Sector

A new ransomware group has compromised at least six healthcare organizations in Taiwan using BYOVD attacks to disable security software before encryption.

James Rivera

A ransomware operation calling itself CrazyHunter has claimed at least six healthcare organizations in Taiwan as victims. The group uses bring-your-own-vulnerable-driver (BYOVD) attacks to disable endpoint security before deploying encryption—a technique that's become standard among sophisticated ransomware operators. Healthcare's combination of sensitive data and operational urgency makes it an attractive target.

CrazyHunter emerged recently with a data leak site listing ten victims, all located in Taiwan. The healthcare focus suggests deliberate targeting rather than opportunistic attacks.

Attack Methodology

CrazyHunter compromises vulnerable Active Directory environments for initial access. Once inside, the attackers abuse Group Policy Objects using a tool called SharpGPOAbuse to push their ransomware across all connected systems simultaneously. This technique accelerates encryption by using the organization's own management infrastructure against it.

The BYOVD technique is particularly effective. CrazyHunter deploys a weaponized version of the Zemana anti-malware driver (zam64.sys). This legitimate driver contains a vulnerability that attackers exploit to gain kernel-level access. From the kernel, they terminate security software processes before the encryption payload runs.

With endpoint protection disabled, the ransomware encrypts files without triggering alerts. Security teams often discover the attack only when ransom notes appear or systems become unresponsive.

Technical Analysis

CrazyHunter derives from the Prince ransomware builder, an open-source project that surfaced in mid-2024. The Go-based ransomware targets Windows systems and uses the ChaCha20 stream cipher for encryption.

The encryption pattern—one byte encrypted, two bytes left unmodified—trades thoroughness for speed. Encrypting every byte takes time. This 1:2 pattern renders files unusable while completing encryption faster, reducing the window for detection and response.

Trend Micro researchers analyzed the group's toolkit and found approximately 80% consists of open-source tools:

  • Prince Ransomware Builder - Core encryption payload
  • ZammoCide - Driver-based security software termination
  • SharpGPOAbuse - Group Policy manipulation for mass deployment

The reliance on public tools doesn't diminish effectiveness. These tools exist because they work. Combining them into a cohesive attack chain requires technical skill but not original malware development.

Why Healthcare

Hospitals can't simply shut down systems and rebuild from backups. Patient care depends on electronic health records, imaging systems, and monitoring equipment. Extended downtime creates patient safety risks. This operational pressure makes healthcare organizations more likely to pay ransoms.

Beyond urgency, healthcare data has inherent value. Protected health information sells on dark web markets. Medical records contain enough personal information for identity theft. Some attackers steal data for extortion leverage even when victims pay to decrypt files.

Taiwan's healthcare system has faced increased attention from threat actors. The island's geopolitical position and well-developed IT infrastructure make it a target for both criminal and state-sponsored operations. CrazyHunter's exclusive focus on Taiwanese victims raises questions about potential connections or motivations beyond pure profit.

The BYOVD Problem

Bring-your-own-vulnerable-driver attacks have become mainstream in ransomware operations. Attackers load legitimate but vulnerable drivers onto target systems, then exploit driver vulnerabilities to gain kernel access. From kernel mode, they can terminate any process—including security software.

The technique works because Windows trusts signed drivers. The Zemana driver CrazyHunter uses carries valid signatures. Security products struggle to distinguish between legitimate driver loading and malicious exploitation.

Microsoft's Vulnerable Driver Blocklist attempts to address this by preventing known-bad drivers from loading. But blocklist updates lag behind attacker innovation, and many organizations haven't deployed the most current lists.

Previous Qilin ransomware attacks have also targeted healthcare organizations in recent weeks. The sector faces sustained pressure from multiple ransomware operations simultaneously.

Indicators of Compromise

CrazyHunter operations share common characteristics:

  • Use of SharpGPOAbuse for lateral movement via Group Policy
  • Deployment of zam64.sys (Zemana driver) prior to encryption
  • ChaCha20 encryption with 1:2 byte pattern
  • Ransom notes directing victims to a Tor-based leak site

Organizations should monitor for:

  • Unexpected driver installations, particularly zam64.sys
  • Group Policy modifications outside normal change windows
  • Mass process terminations affecting security software
  • ChaCha20-related activity in encryption monitoring
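The first three monitoring points above can be turned into simple correlation rules. The following is an added example, not code from the article or from Trend Micro: it runs over constructed Sysmon-style and Windows Security-style events (driver load, GPO container modification, process termination) and flags a zam64.sys load, a GPO change outside an assumed change window, and a burst of security-agent terminations. The event shapes, field names, process-name hints and window hours are assumptions.

```python
# Added example: correlates constructed Windows/Sysmon-style events to flag the
# CrazyHunter precursors the article lists. Not real telemetry; field names assumed.
from datetime import datetime

# Constructed sample events. Sysmon ID 6 = driver loaded, Sysmon ID 5 = process
# terminated, Windows Security ID 5136 = directory service object modified.
EVENTS = [
    {"ts": "2026-01-10T02:14:05", "id": 6, "image": r"C:\Windows\Temp\zam64.sys"},
    {"ts": "2026-01-10T02:15:30", "id": 5136, "class": "groupPolicyContainer", "attr": "gPCFileSysPath"},
    {"ts": "2026-01-10T02:16:01", "id": 5, "image": r"C:\Program Files\EDR\edr_agent.exe"},
    {"ts": "2026-01-10T02:16:02", "id": 5, "image": r"C:\Program Files\AV\av_service.exe"},
    {"ts": "2026-01-10T02:16:02", "id": 5, "image": r"C:\Program Files\AV\av_realtime.exe"},
    {"ts": "2026-01-10T11:00:00", "id": 5136, "class": "groupPolicyContainer", "attr": "versionNumber"},
]

KNOWN_BAD_DRIVERS = {"zam64.sys"}                    # driver name taken from the article
SECURITY_PROCESS_HINTS = ("edr", "av_", "defender")  # assumption: substrings naming security agents
CHANGE_WINDOW = range(9, 18)                         # assumption: approved GPO change hours 09:00-17:59
TERMINATION_BURST = 3                                # assumption: N agent exits within 60 s is suspicious


def detect(events):
    """Return a list of (rule_name, evidence) findings for the supplied events."""
    findings, term_times = [], []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] == 6 and e["image"].rsplit("\\", 1)[-1].lower() in KNOWN_BAD_DRIVERS:
            # Rule 1: a known vulnerable driver was loaded (BYOVD staging)
            findings.append(("vulnerable_driver_load", e["image"]))
        elif e["id"] == 5136 and e.get("class") == "groupPolicyContainer" and ts.hour not in CHANGE_WINDOW:
            # Rule 2: GPO object modified outside the approved change window
            findings.append(("gpo_change_outside_window", f"{e['attr']} at {e['ts']}"))
        elif e["id"] == 5 and any(h in e["image"].lower() for h in SECURITY_PROCESS_HINTS):
            term_times.append(ts)
    # Rule 3: sliding window over security-agent terminations
    term_times.sort()
    for i in range(len(term_times) - TERMINATION_BURST + 1):
        if (term_times[i + TERMINATION_BURST - 1] - term_times[i]).total_seconds() <= 60:
            findings.append(("security_process_termination_burst",
                             f"{TERMINATION_BURST} exits within 60s from {term_times[i].isoformat()}"))
            break
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(EVENTS):
        print(f"{rule}: {evidence}")
```

The in-window GPO edit at 11:00 is deliberately left unflagged to show that the rule keys on timing, not on GPO changes as such.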

Defensive Recommendations

  1. Implement Microsoft's Vulnerable Driver Blocklist and keep it current
  2. Monitor Group Policy changes for unauthorized modifications
  3. Restrict domain admin usage to limit GPO abuse opportunities
  4. Segment critical healthcare systems from general IT networks
  5. Test backup restoration to ensure recovery doesn't depend on ransom payment

Healthcare organizations should assume they're targets and plan accordingly. The combination of data value and operational urgency that makes healthcare attractive to attackers also makes preparation and resilience critical.
