{"id":7471,"date":"2025-03-28T11:48:00","date_gmt":"2025-03-28T11:48:00","guid":{"rendered":"https:\/\/www.withsecure.com\/?post_type=lab_item&p=7471"},"modified":"2026-05-22T12:51:34","modified_gmt":"2026-05-22T11:51:34","slug":"crazyhunter-ransomeware","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/crazyhunter-ransomeware\/","title":{"rendered":"CrazyHunter Ransomeware"},"content":{"rendered":"\n
\n
\n

\n CrazyHunter: The Rising Threat of Open-Source Ransomware<\/span><\/h1>
\n
\n \n \n Data Protection <\/span>\n \n Ransomware <\/span>\n \n Threat intelligence <\/span>\n <\/span>\n \n 28 March, 2025 <\/span>\n <\/div>\n <\/div>\n <\/div>\n
\n
\n

\n Share this <\/p>\n

\n \n \n
\n
\n
\n \"\" <\/figure>\n <\/div>\n <\/div>\n<\/section>\n\n\n\n
\n
\n
\n

\n Authors <\/p>\n \n

\n
\n
\n \n \n <\/path>\n <\/path>\n <\/svg>\n <\/span>\n <\/div>\n
\n

Jeremy Ong<\/h3>\n \n \n <\/div>\n\n<\/div>\n\n <\/div>\n\n <\/div>\n\n
\n
\n

\n Share this story <\/p>\n

\n \n \n
\n
\n

Background<\/h2>\n

A ransomware attack<\/a>\u00a0on the Mackay Memorial hospital in Taiwan is the latest example of a growing number of incidents revolving around publicly available, offensive tools and code that threat actors are utilizing. The ransomware encryptor used in this incident, dubbed \u201cCrazyHunter\u201d, was built using a ransomware builder called \u201cPrince Ransomware\u201d which was publicly available on GitHub. WithSecure has observed a growing number of actors employing this specific ransomware builder in ransomware attacks. There are a number of \u2018lone wolf\u2019 ransomware events that do not seem to use ransomware-as-a -service, affiliate models [read about that here<\/a>]. As such, these can often be under-reported as we \u2013 as an industry \u2013 tend to focus on \u2018big game\u2019, more productive and attributable ransomware \u201cfranchises\u201d. \u00a0The purpose of this blog is to provide some technical analysis into the Prince Ransomware builder, and the tactics, techniques and procedures (TTP) behind the Mackay Memorial Hospital \u2013 and likely other Taiwanese \u2013 incidents.<\/p>\n

\n

Summary of the Incident<\/h2>\n

As noted in the report by\u00a0CMMedia<\/a>, the incident at Mackay Memorial Hospital Taiwan began on 9th<\/sup>\u00a0February 2025. The threat actor began by infecting a small number of computers, probably to gauage the hospital’s network\u00a0defence. Upon seeing no or limited security, the threat actor continued their attack, laterally moving across the entire hospital network before detonating the ransomware encryptor. This resulted in the encryption\u00a0of over 600 devices across two district branches, Taipei and Tamsui. The encryption of files caused key systems to crash and prevented staff access to patient data.<\/p>\n

The initial point of entry was reported as a USB device inserted into a computer within the network (reportedly by a staff member). A physical initial access vector (IAV) is relatively rare in ransomware incidents, however, there is some precedent of pre-infected USB devices propagating malware. Reports of this incident did not state what the first stage malware dropped by the USB device was, and WithSecure has been unable to ascertain it.<\/p>\n

WithSecure was able to detect a portion of the malware artifacts on\u00a0VirusTotal<\/a>\u00a0that were likely used to conduct the attack, allowing for further analysis on the tools deployed in this incident. The artifacts were bundled in a file called \u201cbb2.zip\u201d which was uploaded to the platform multiple times, twice from Taiwan.<\/p>\n

The file called \u201cbb2.zip\u201d which was dropped in the \u201cC:\\Users\\Public\u201d directory, contained the following files:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
File Name<\/b><\/td>\nDescription<\/b><\/td>\n<\/tr>\n
bb.exe<\/td>\nShellcode loader which loads \u201ccrazyhunter.sys\u201d<\/td>\n<\/tr>\n
crazyhunter.exe<\/td>\nA ransomware encryptor built with \u201cPrince Ransomware\u201d builder<\/td>\n<\/tr>\n
crazyhunter.sys<\/td>\nA shellcode binary file based on \u201ccrazyhunter.exe\u201d<\/td>\n<\/tr>\n
file.exe<\/td>\nA custom exfiltration tool<\/td>\n<\/tr>\n
go.exe<\/td>\nA defence evasion tool<\/td>\n<\/tr>\n
go2.exe<\/td>\nA defence evasion tool<\/td>\n<\/tr>\n
go3.exe<\/td>\nA ransomware encryptor built with \u201cPrince Ransomware\u201d builder, same as \u201ccrazyhunter.exe\u201d<\/td>\n<\/tr>\n
gpo.exe<\/td>\nSharpGPOAbuse tool used for lateral movement<\/td>\n<\/tr>\n
ru.bat<\/td>\nA batch script file used to start the encryption process<\/td>\n<\/tr>\n
zam64.sys<\/td>\nA vulnerable Zemana Anti-Logger kernel driver<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
\n

 <\/p>\n

Artifact Analysis<\/h2>\n

Overview<\/h3>\n

A batch script, \u201cru.bat\u201d, found in the malware artifacts, was almost certainly used by the threat actor to automate the execution of several malicious actions. The script was not obfuscated in any way, and seeks to perform the following actions:<\/p>\n