A new ransomware group called CrazyHunter has recently emerged as a significant threat, almost entirely targeting organizations in Taiwan. The group has hit the healthcare, education, and industrial sectors there, disrupting essential services with attacks that rely less on custom malware than on careful assembly of publicly available tooling.
CrazyHunter's toolkit consists mainly of open-source tools taken from GitHub; roughly 80% of its arsenal is open source. Two of the most important pieces are the Prince Ransomware Builder, used to produce the encryptor, and ZammoCide, a process killer. A key part of the intrusion chain is the Bring Your Own Vulnerable Driver (BYOVD) technique: rather than exploiting a driver already present on the victim, the attackers drop a legitimately signed but vulnerable third-party driver of their own choosing, load it, and abuse its flaws to obtain kernel-level capabilities that let them disable security software. Because the driver carries a valid signature, Windows driver signature enforcement alone does not stop it from loading.
The group has focused its attacks exclusively on Taiwan and maintains a public leak site, where it initially listed ten victims, all based there. The reported victims are hospitals, educational institutions, and industrial companies, which points to a deliberate choice of targets whose operations are both valuable and difficult to interrupt. Tracked since January, the group's intrusions follow a consistent pattern: tools for defense evasion and privilege escalation first, then the ransomware itself.
To evade detection, CrazyHunter adapted ZammoCide, an open-source process killer, into an anti-virus (AV) and endpoint detection and response (EDR) killer. The tool loads the vulnerable Zemana Anti-Malware driver and uses it to terminate security processes from kernel mode, which sidesteps the protections (such as protected-process status) that normally prevent a user-mode program from killing an EDR agent. With the defenders' sensors gone, the rest of the attack proceeds unmonitored. The ransomware is written in Go; it encrypts files and appends a ".Hunter" extension, drops ransom notes, and replaces the victim's desktop wallpaper.
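The chain described above (vulnerable driver load, then security-process kills, then a burst of renames to ".Hunter") is exactly the kind of sequence a detection engineer can correlate from endpoint telemetry. The following is an added example written for this page, not code from the article or from the threat actor. It runs three rules over a constructed, Sysmon-like event log. The driver file names (zam64.sys, zamguard64.sys) and the list of AV/EDR process names are assumptions; the article names only the Zemana product, so in production you would key on the vendor's driver hashes or on Microsoft's vulnerable driver blocklist rather than on file names.

```python
"""
Detection sketch for a CrazyHunter-style intrusion chain:
BYOVD driver load -> AV/EDR process kills -> mass rename to ".Hunter".

Added example, not code from the article or the threat actor. The log
format, driver file names and process names below are constructed or
assumed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed image names of the vulnerable Zemana Anti-Malware driver
# (the article names the product only; prefer hashes/blocklists in practice).
VULNERABLE_DRIVERS = {"zam64.sys", "zamguard64.sys"}

# Constructed list of security product processes a process killer would target.
SECURITY_PROCESSES = {"msmpeng.exe", "senseir.exe", "mssense.exe", "csfalconservice.exe"}

RANSOM_EXTENSION = ".hunter"          # ".Hunter" from the article, compared case-insensitively
KILL_WINDOW = timedelta(minutes=10)   # how soon after the driver load kills must occur
KILL_THRESHOLD = 2                    # distinct security processes killed
RENAME_WINDOW = timedelta(minutes=5)  # sliding window for rename bursts
RENAME_THRESHOLD = 3                  # renames to the ransom extension within the window

# Constructed sample log, one event per line: ts|host|event|field1[|field2]
SAMPLE_LOG = r"""
2025-01-10T02:14:05|HOST-A|DriverLoad|C:\Windows\Temp\zam64.sys
2025-01-10T02:14:09|HOST-A|ProcessTerminate|MsMpEng.exe
2025-01-10T02:14:10|HOST-A|ProcessTerminate|SenseIR.exe
2025-01-10T02:15:01|HOST-A|FileRename|C:\Data\a.docx|C:\Data\a.docx.Hunter
2025-01-10T02:15:02|HOST-A|FileRename|C:\Data\b.xlsx|C:\Data\b.xlsx.Hunter
2025-01-10T02:15:02|HOST-A|FileRename|C:\Data\c.pdf|C:\Data\c.pdf.Hunter
2025-01-10T02:15:03|HOST-A|FileRename|C:\Data\d.sql|C:\Data\d.sql.Hunter
2025-01-10T03:00:00|HOST-B|DriverLoad|C:\Windows\System32\drivers\ndis.sys
2025-01-10T03:00:30|HOST-B|ProcessTerminate|notepad.exe
2025-01-10T03:01:00|HOST-B|FileRename|C:\Data\notes.txt|C:\Data\notes.bak
"""


def parse(log_text):
    """Parse the pipe-separated log into (timestamp, host, kind, fields) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, host, kind, *fields = line.split("|")
        events.append((datetime.fromisoformat(ts), host, kind, fields))
    return events


def detect(log_text):
    """Return a list of (host, rule, detail) alerts, correlated per host."""
    alerts = []
    by_host = defaultdict(list)
    for ev in parse(log_text):
        by_host[ev[1]].append(ev)

    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])

        # Rule 1: a known-vulnerable driver was loaded (BYOVD). Match on the
        # image file name regardless of the directory it was dropped in.
        for ts, _, kind, f in events:
            if kind != "DriverLoad" or f[0].rsplit("\\", 1)[-1].lower() not in VULNERABLE_DRIVERS:
                continue
            alerts.append((host, "byovd_driver_load", f[0]))

            # Rule 2: security processes terminated shortly after that load,
            # the signature of a kernel-assisted AV/EDR killer.
            kills = [kf[0] for kts, _, kkind, kf in events
                     if kkind == "ProcessTerminate" and kf[0].lower() in SECURITY_PROCESSES
                     and ts <= kts <= ts + KILL_WINDOW]
            if len(set(kills)) >= KILL_THRESHOLD:
                alerts.append((host, "edr_kill_after_byovd", ",".join(kills)))

        # Rule 3: a burst of renames to the ransom extension (sliding window).
        renames = [ts for ts, _, kind, f in events
                   if kind == "FileRename" and len(f) == 2
                   and f[1].lower().endswith(RANSOM_EXTENSION)]
        for i, start in enumerate(renames):
            burst = [t for t in renames[i:] if t - start <= RENAME_WINDOW]
            if len(burst) >= RENAME_THRESHOLD:
                alerts.append((host, "mass_rename_hunter", f"{len(burst)} files within {RENAME_WINDOW}"))
                break

    return alerts


if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_LOG):
        print(f"{host}: {rule} ({detail})")
```

Only HOST-A trips the rules; HOST-B loads a normal driver, kills an unrelated process and renames a file to an ordinary extension. In a real deployment Rule 1 is the one worth alerting on alone, since a legitimately signed vulnerable driver appearing outside the normal driver store is rarely benign, while Rules 2 and 3 confirm that the load was followed by the behaviour the article describes.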
In response to threats like this, organizations are advised to go beyond generic hygiene (access control, patching, tested backups, endpoint protection, and user awareness training) and address the BYOVD step directly: enable Microsoft's vulnerable driver blocklist and memory integrity (HVCI) where the environment supports them, alert on driver loads from unusual paths and on attempts to terminate protected security processes, and keep backups offline or immutable so that a successful encryption run does not also destroy the recovery path. Because a signed vulnerable driver is not blocked by signature enforcement, monitoring for the load and blocking known-bad drivers are the controls that actually matter here.
CrazyHunter's reliance on open-source tooling is a reminder that the quality of an attacker's code matters less than how reliably defenders detect the behaviour it produces. Inventory what runs with kernel privileges, watch for security processes dying, and treat sudden bulk renames as an incident in progress rather than a nuisance.