CrazyHunter ransomware escalates with advanced intrusion tactics; six Taiwan healthcare victims confirmed

Industrial Cyber

New research from Trellix details that CrazyHunter ransomware has emerged as a serious and escalating threat, underscoring the growing sophistication of modern cybercriminal operations. Trellix has tracked the malware since its first appearance, observing rapid technical evolution and increasing activity. To date, the primary targets have been healthcare organizations in Taiwan, with six confirmed victims. Technically, CrazyHunter is a fork of the Prince ransomware that surfaced in mid-2024, but it incorporates meaningful enhancements, particularly in network intrusion methods and anti-malware evasion capabilities.

"CrazyHunter, a Go-developed ransomware, employs advanced encryption and delivery methods targeted against Windows-based machines. It uses a data leak site to publicize victim information," Aswath A, a Trellix researcher, wrote in a company blog post last week. "According to available information, the primary industry targeted by CrazyHunter ransomware is the healthcare sector, with repeated attacks on hospitals in Taiwan. This preference is likely due to the critical nature of healthcare services, where vast amounts of sensitive patient data are held by these organizations and downtime can have severe consequences."

Aswath added that the primary targets of the CrazyHunter ransomware have been companies in Taiwan, with six organizations known to be compromised. The attackers maintain a data leak site where they publicize information about their victims, particularly those who do not cooperate.

Noting that CrazyHunter's attack methodology is "ruthlessly efficient," Aswath identified that the adversaries demonstrated a deep understanding of enterprise network vulnerabilities.

A typical CrazyHunter ransomware attack unfolds in a series of distinct stages. The initial compromise often begins with the exploitation of weaknesses in an organization's Active Directory infrastructure, most commonly through weak passwords associated with domain accounts. Once access is established, attackers move laterally and propagate rapidly across the environment. In observed CrazyHunter incidents, this phase frequently involves the use of SharpGPOAbuse to deploy the ransomware payload via Group Policy Objects, enabling fast distribution to multiple systems while relying on compromised Active Directory credentials to sustain the spread.

After gaining broad access, the attackers focus on privilege escalation to disable defenses and consolidate control. CrazyHunter is notable for its use of a bring-your-own-vulnerable-driver (BYOVD) technique, in which a modified Zemana anti-malware driver, zam64.sys, is weaponized to elevate privileges and bypass security mechanisms that would normally block such activity. The attack concludes with widespread encryption of files across the network, rendering critical data inaccessible, followed by a ransom demand that seeks payment in exchange for decryption keys.

"A concerning trend in modern cyberattacks involves multi-stage operations where initial actions are strategically designed to weaken or eliminate security measures before the primary malicious payload is executed," Aswath wrote. "Examining a specific attack flow, as depicted in a particular batch script, reveals a deliberate and sophisticated approach to compromising systems. This analysis will dissect the script's actions, the underlying technical mechanisms employed to disable anti-malware software, and the context surrounding the final deployment of the CrazyHunter ransomware."

At its core, CrazyHunter ransomware employs a hybrid encryption strategy that combines symmetric and asymmetric algorithms to secure files. This dual-layered approach is inherited from its foundation, the Prince Ransomware builder, an open-source tool written in Go.

For the primary task of encrypting file content, CrazyHunter utilizes the ChaCha20 stream cipher, according to Aswath. A distinctive feature of this ransomware is its partial encryption. Instead of encrypting the entire file, it encrypts one byte of data and then skips the next two, leaving them in their original, unencrypted state. This 1:2 encryption ratio is a deliberate design choice from the underlying Prince builder.

He noted that the likely rationale for this technique is to increase the speed of the encryption process, allowing the ransomware to compromise a larger number of files in less time and potentially evade security solutions that monitor for heavy, sustained disk I/O operations.

While ChaCha20 encrypts the data, the security of the entire operation depends on protecting the unique key and nonce generated for each file. To achieve this, CrazyHunter employs the Elliptic Curve Integrated Encryption Scheme (ECIES). ECIES is an efficient and secure asymmetric encryption method that provides robust security with shorter key lengths than other algorithms such as RSA. This method ensures that decryption is impossible without the corresponding ECIES private key, which remains exclusively in the attackers' possession. Encrypted files are typically renamed with a .Hunter extension.

Trellix manually decoded the shellcode using the open-source tool donut-decryptor on GitHub and discovered that it was the same go.exe payload.

Analysis revealed that the file.exe artifact possesses dual functionality, since it can transform a compromised machine into a file server or act as a file-monitoring and deletion tool. When operating as a file server, it exposes the designated directory (defaulting to the current one) via localhost on a specified port (default 9999). In monitoring mode, it systematically scans and deletes files matching predefined extensions within the directory and its subdirectories.

Jeff Wichman, director of incident response at Semperis, sees these attacks as part of a broader shift in which operations are increasingly used as a tool of state pressure across the region.

"These latest attacks on Taiwan healthcare organizations speak to a larger shift happening right now, where operations are used as a tool of state pressure across the region," Wichman wrote in an emailed statement. "Rather than opportunistic disruption, these campaigns increasingly focus on identity systems that underpin critical infrastructure entities, including healthcare organizations. Attackers understand that once identity is compromised, lateral movement, privilege escalation and widespread disruption become far easier to execute."

To reduce risk, Wichman called upon healthcare and critical infrastructure organizations to prioritize building an "impenetrable identity fortress." That means continuously monitoring identity systems to uncover potential weak spots or early signs of abuse, creating stricter authorization privileges with routine audits, and proactively preparing an identity recovery plan in the event something slips through the cracks and becomes compromised. This plays a critical role in accelerating recovery.

Trellix outlines several measures to help neutralize the CrazyHunter ransomware. Organizations should secure Active Directory by enforcing multi-factor authentication across domain accounts and controlling Group Policy Object modification rights, to reduce the risk of credential theft and payload distribution through SharpGPOAbuse. Evasion tactics should be addressed to counter antivirus killers and ransomware payloads, while also blocking bring-your-own-vulnerable-driver attacks that exploit flawed drivers for privilege escalation and security shutdown.

Strong recovery capabilities are equally critical. Organizations should implement a robust backup strategy that includes offsite and offline storage to ensure backups remain immutable and inaccessible to ransomware, and they should regularly test incident response plans to confirm effective recovery after an attack.

Finally, lateral movement should be restricted through network segmentation and strict access controls, limiting the ransomware's ability to spread rapidly across the environment, particularly through compromised Active Directory credentials and Group Policy Objects.
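The 1:2 partial-encryption pattern described above has two consequences for defenders that the report only implies, and this added example (not code from Trellix, Industrial Cyber or the Prince builder) measures both: roughly two thirds of every file's bytes are left readable, and a naive per-file entropy check that reliably catches fully encrypted data does not trip. The plaintext is a constructed sample, the keystream is seeded pseudo-random bytes standing in for ChaCha20 output, and the 7.5-bit detector threshold is an illustrative assumption.

```python
import math
import random
from collections import Counter

# Constructed sample plaintext standing in for a hospital record export.
PLAINTEXT = b"Patient record: name, date of birth, diagnosis, medication list.\n" * 500

def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte; uniformly random data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def keystream(length: int, seed: int = 2024) -> bytes:
    """Seeded pseudo-random bytes standing in for ChaCha20 output (not a cipher)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))

def interleaved_xor(data: bytes, ks: bytes, step: int) -> bytes:
    """XOR the keystream into one byte, then leave the next (step - 1) bytes alone.
    step=3 reproduces the 1-encrypted/2-skipped pattern attributed to the Prince
    builder; step=1 encrypts every byte. XOR is its own inverse, so it also decrypts."""
    out = bytearray(data)
    for i in range(0, len(out), step):
        out[i] ^= ks[i]
    return bytes(out)

def intact_fraction(original: bytes, transformed: bytes) -> float:
    """Share of byte positions a responder can still read as plaintext."""
    return sum(a == b for a, b in zip(original, transformed)) / len(original)

def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Naive entropy-based ransomware heuristic; threshold is an assumed setting."""
    return shannon_entropy(data) >= threshold

def compare(step_partial: int = 3) -> dict:
    """Encrypt the sample fully and with the 1:2 pattern; return the measurements."""
    ks = keystream(len(PLAINTEXT))
    full = interleaved_xor(PLAINTEXT, ks, step=1)
    partial = interleaved_xor(PLAINTEXT, ks, step=step_partial)
    return {
        "plain_entropy": shannon_entropy(PLAINTEXT),
        "full_entropy": shannon_entropy(full),
        "partial_entropy": shannon_entropy(partial),
        "full_intact": intact_fraction(PLAINTEXT, full),
        "partial_intact": intact_fraction(PLAINTEXT, partial),
        "full_flagged": looks_encrypted(full),
        "partial_flagged": looks_encrypted(partial),
    }
```

Calling `compare()` shows the partially encrypted sample keeping about 67% of its bytes intact and an entropy well below 7.5 bits, while the fully encrypted copy sits near 8.0; detectors that key on near-maximal entropy therefore need complementary signals such as the `.Hunter` rename or the write pattern itself.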