A threat group tracked as CrazyHunter has, since early 2025, been targeting critical sectors in Taiwan, including healthcare, education and industry, with ransomware attacks assembled largely from open-source tools taken from GitHub. Reusing public tooling keeps the group's costs low while still letting it run effective, carefully sequenced intrusions.
CrazyHunter's intrusions rely on the Bring Your Own Vulnerable Driver (BYOVD) technique to get past endpoint defenses. Rather than exploiting a driver already present on the victim's machine, the attackers drop a legitimately signed but vulnerable driver of their own, load it, and use the kernel-level access it grants to terminate security products before deploying the ransomware, so the payload runs without attracting much attention. That level of tradecraft is more typical of advanced persistent threat (APT) groups than of ordinary ransomware operators.
Trend Micro's research found that most of CrazyHunter's toolkit is taken from GitHub and then modified to suit the group's needs; roughly 80% of it consists of publicly available code, which lowers the bar for other actors to mount similar campaigns. The focus on Taiwanese organizations is supported by victim data and by email addresses tied to Taiwan-based domains. After gaining access, the group uses a mix of these tools to evade security controls, keep control of the environment, and encrypt files with a customized ransomware payload.
The attack is orchestrated by a batch script that launches each component in a fixed order. It first neutralizes security products by loading and abusing the vulnerable Zemana Anti-Malware driver, then loads the ransomware and starts encryption. The payload, built from the Prince ransomware builder and modified by the group, appends the ".Hunter" extension to encrypted files and drops ransom notes on the victim's desktop. The script also builds in redundancy: if the primary method fails, alternative paths carry the deployment through, so a single blocked step does not stop the attack.
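The chain described in the two paragraphs above (a signed but vulnerable driver is loaded, security processes are terminated, files are renamed with the ".Hunter" extension) is what a detection rule should correlate rather than alerting on any single step. The following Python is an added example written for this page, not Trend Micro's or CrazyHunter's code. The log format, host names, security-product process names and the choice of Sysmon event IDs 5, 6 and 11 are assumptions made here; the Zemana driver file names come from public vulnerable-driver inventories rather than from this article, and production matching should use the driver's Authenticode hash against Microsoft's vulnerable driver blocklist because an attacker can simply rename the file.

```python
"""Correlate Sysmon-style driver-load, process-terminate and file-create
events into a single BYOVD-then-encrypt alert. All input is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Zemana AntiMalware driver file names as listed on public vulnerable-driver
# inventories. Hash-based matching is preferable in production (assumption:
# name matching is used here only to keep the example self-contained).
VULNERABLE_DRIVERS = {"zam64.sys", "zamguard64.sys"}
# Illustrative security-product process names (assumption for this example).
SECURITY_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "ekrn.exe"}
RANSOM_EXT = ".hunter"          # extension appended by the CrazyHunter payload
WINDOW = timedelta(minutes=15)  # how long after the driver load we correlate
MIN_ENCRYPTED = 5               # .Hunter files needed to call it encryption

# Constructed sample: "<ISO timestamp> <Sysmon event id> <host> key=value ...".
# Sysmon IDs used: 6 = driver loaded, 5 = process terminated, 11 = file created.
# Paths are kept free of spaces so the tiny parser below stays simple.
# WS01 shows the full chain; WS02 loads a benign driver; WS03 loads the
# vulnerable driver but nothing follows (e.g. the loader ran without a payload).
SAMPLE_EVENTS = """\
2025-03-01T09:00:01 6 WS01 ImageLoaded=C:\\Windows\\Temp\\zam64.sys Signed=true
2025-03-01T09:00:04 5 WS01 Image=C:\\Defender\\MsMpEng.exe
2025-03-01T09:00:05 5 WS01 Image=C:\\SentinelOne\\SentinelAgent.exe
2025-03-01T09:00:05 5 WS01 Image=C:\\ESET\\ekrn.exe
2025-03-01T09:01:10 11 WS01 TargetFilename=C:\\Users\\alice\\Documents\\q1.xlsx.Hunter
2025-03-01T09:01:10 11 WS01 TargetFilename=C:\\Users\\alice\\Documents\\q2.xlsx.Hunter
2025-03-01T09:01:11 11 WS01 TargetFilename=C:\\Users\\alice\\Documents\\plan.docx.Hunter
2025-03-01T09:01:11 11 WS01 TargetFilename=C:\\Users\\alice\\Pictures\\a.jpg.Hunter
2025-03-01T09:01:12 11 WS01 TargetFilename=C:\\Users\\alice\\Pictures\\b.jpg.Hunter
2025-03-01T09:01:12 11 WS01 TargetFilename=C:\\Users\\alice\\Desktop\\notes.txt.Hunter
2025-03-01T09:05:00 6 WS02 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true
2025-03-01T10:30:00 6 WS03 ImageLoaded=C:\\Users\\Public\\zamguard64.sys Signed=true
2025-03-01T11:00:00 11 WS03 TargetFilename=C:\\Users\\bob\\report.pdf
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (.*)$")


def parse_line(line):
    """Turn one sample line into a dict; returns None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, eid, host, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "eid": int(eid), "host": host, **fields}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Map an event to a stage of the chain, or None if it is not of interest."""
    if ev["eid"] == 6 and _basename(ev.get("ImageLoaded", "")) in VULNERABLE_DRIVERS:
        return "byovd"
    if ev["eid"] == 5 and _basename(ev.get("Image", "")) in SECURITY_PROCESSES:
        return "av_kill"
    if ev["eid"] == 11 and ev.get("TargetFilename", "").lower().endswith(RANSOM_EXT):
        return "encrypt"
    return None


def detect(lines):
    """Return one alert per vulnerable-driver load, graded by what followed it."""
    stages = defaultdict(lambda: {"byovd": [], "av_kill": [], "encrypt": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        stage = classify(ev)
        if stage:
            stages[ev["host"]][stage].append(ev["ts"])
    alerts = []
    for host, s in sorted(stages.items()):
        for t0 in s["byovd"]:
            kills = sum(1 for t in s["av_kill"] if t0 <= t <= t0 + WINDOW)
            enc = sum(1 for t in s["encrypt"] if t0 <= t <= t0 + WINDOW)
            if kills and enc >= MIN_ENCRYPTED:
                severity = "high"    # full chain: defenses down, files encrypted
            elif kills:
                severity = "medium"  # driver used to kill AV; encryption not yet seen
            else:
                severity = "low"     # a vulnerable driver load alone still merits triage
            alerts.append({"host": host, "driver_loaded": t0.isoformat(),
                           "security_processes_killed": kills,
                           "encrypted_files": enc, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

The grading reflects the redundancy the article describes: because the batch script has fallback paths, the driver load is worth an alert on its own even when the later stages are not observed, and the severity rises as the kill and encryption stages appear within the window.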
In conclusion, CrazyHunter's disciplined, scripted approach blurs the line between conventional cybercrime and APT-grade operations. By building on open-source tools from GitHub, the group has both streamlined its own operations and shown how readily such capabilities can be assembled by others, which makes it a significant threat to organizations, particularly in Taiwan. Defenders should treat the loading of a signed but vulnerable driver, followed by the termination of security products, as a high-priority signal rather than noise, and keep endpoint protections and driver blocklists current to protect critical infrastructure and sensitive data.
Reference: https://cybermaterial.com/systex-corporation-reports-ransomware-attack/

