The CrazyHunter ransomware group gained attention in early 2025 due to its aggressive targeting of Taiwan’s healthcare sector. First observed in action on February 9, 2025, the group launched its debut attack against a Taiwanese medical institution.
Since then, it has maintained a consistent pattern of assaults focused on healthcare and other critical infrastructure organizations within Taiwan. What sets CrazyHunter apart from many new ransomware groups is its strategic deployment of advanced attack techniques and its focused regional targeting, which suggests a level of planning and technical knowledge beyond that of typical financially motivated cybercriminal operations.
The CrazyHunter ransomware group has been observed using a customized variant of the open-source ransomware “Prince”, a Go-based malware family that was originally published for educational purposes.

Prince ransomware utilizes a combination of ChaCha20 and ECIES encryption algorithms, making it highly effective at rendering files inaccessible without a dedicated decryptor. Despite its open-source roots, CrazyHunter has weaponized it for real-world attacks by modifying the code for stealth and destruction.
The group’s attack chain typically begins with compromising Active Directory (AD) accounts, often through the use of weak or reused passwords. Once initial access is secured, they escalate privileges using Bring-Your-Own-Vulnerable-Driver (BYOVD) methods. In particular, they exploit vulnerabilities in the Zemana anti-malware driver (zam64.sys) to gain elevated privileges on compromised systems.
From there, CrazyHunter spreads its payload across the victim’s network using Group Policy Object (GPO) abuse. By leveraging a tool known as SharpGPOAbuse, they are able to deploy the ransomware broadly and with administrative control, infecting multiple endpoints simultaneously. This combination of privilege escalation and automated lateral movement enables the group to act quickly and with maximum impact.
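The two technical steps in this chain both leave high-signal traces in Windows logs: the vulnerable driver has to be loaded on an endpoint (Sysmon Event ID 6, Driver loaded), and the GPO has to be edited on a domain controller (Security Event ID 5136, directory service object modified, on a groupPolicyContainer object). The Python below is an added detection example, not code from the original article or from Cyble. It runs over events already normalised to dictionaries, as a SIEM would deliver them; the approved-editor account, host names and sample events are constructed, and zam64.sys is the only driver name taken from the article.

```python
"""Detect the driver-load and GPO-edit steps of the attack chain above.

Constructed example (not code from the article or from Cyble). Events are
Windows logs normalised to dicts; field names follow Sysmon Event ID 6 and
Security Event ID 5136.
"""
import ntpath
from dataclasses import dataclass

# Driver file names to watch for. zam64.sys is the Zemana driver named in the
# article; a real watchlist would be fed from the Microsoft vulnerable-driver
# blocklist or a project such as LOLDrivers.
ABUSED_DRIVER_NAMES = {"zam64.sys"}

# Accounts permitted to edit Group Policy (constructed for this example).
APPROVED_GPO_EDITORS = {"CORP\\gpo-admin"}

# groupPolicyContainer attributes that change whenever a GPO's content is
# edited, for instance when a scheduled task or script is added to it.
GPO_CONTENT_ATTRIBUTES = {"gPCMachineExtensionNames", "gPCUserExtensionNames", "versionNumber"}


@dataclass(frozen=True)
class Finding:
    technique: str   # MITRE ATT&CK id as listed in the article
    host: str
    detail: str


def check_driver_load(event):
    """Sysmon Event ID 6 (Driver loaded): flag watchlisted driver names."""
    if event.get("Provider") != "Microsoft-Windows-Sysmon" or event.get("EventID") != 6:
        return None
    image = event.get("ImageLoaded", "")
    if ntpath.basename(image).lower() in ABUSED_DRIVER_NAMES:
        return Finding("T1068", event["Computer"],
                       f"known-abused driver loaded: {image} (Signed={event.get('Signed')})")
    return None


def check_gpo_modification(event):
    """Security Event ID 5136 on a groupPolicyContainer, by an account that is
    not an approved GPO editor."""
    if event.get("Provider") != "Microsoft-Windows-Security-Auditing" or event.get("EventID") != 5136:
        return None
    if event.get("ObjectClass", "").lower() != "grouppolicycontainer":
        return None
    attribute = event.get("AttributeLDAPDisplayName")
    if attribute not in GPO_CONTENT_ATTRIBUTES:
        return None
    actor = f"{event.get('SubjectDomainName')}\\{event.get('SubjectUserName')}"
    if actor in APPROVED_GPO_EDITORS:
        return None
    return Finding("T1484.001", event["Computer"],
                   f"{actor} modified {attribute} on {event['ObjectDN']}")


CHECKS = (check_driver_load, check_gpo_modification)


def scan(events):
    """Run every check over every event and return the findings in order."""
    findings = []
    for event in events:
        for check in CHECKS:
            finding = check(event)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample events: a benign driver load, the watchlisted driver
# loaded from a user-writable folder, a GPO edit by the approved admin and a
# GPO edit by an ordinary (compromised) user account. The GUID is that of the
# well-known Default Domain Policy.
_DEFAULT_DOMAIN_POLICY = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=local"
SAMPLE_EVENTS = [
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 6, "Computer": "WS01",
     "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys", "Signed": "true"},
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 6, "Computer": "WS01",
     "ImageLoaded": r"C:\Users\Public\zam64.sys", "Signed": "true"},
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 5136, "Computer": "DC01",
     "ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": "versionNumber",
     "SubjectDomainName": "CORP", "SubjectUserName": "gpo-admin", "ObjectDN": _DEFAULT_DOMAIN_POLICY},
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 5136, "Computer": "DC01",
     "ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "SubjectDomainName": "CORP", "SubjectUserName": "jdoe", "ObjectDN": _DEFAULT_DOMAIN_POLICY},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.technique, finding.host, finding.detail)
```

Two caveats when deploying logic like this: the driver check keys on file name only, because the signature on the abused driver is valid, so a hash- or version-based blocklist is the stronger control; and Event ID 5136 is only written when the Directory Service Changes audit subcategory is enabled and the Policies container carries a write SACL, otherwise the GPO check has nothing to match.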
Target Profile and Geographic Focus

So far, all confirmed attacks by the CrazyHunter ransomware group have taken place in Taiwan, with a noticeable concentration on healthcare providers, including hospitals and clinics. This targeted focus is highly effective because the healthcare sector is particularly vulnerable to disruption due to its reliance on continuous access to patient data and operational systems.
While their motives appear primarily financial, the geographic concentration and advanced tooling have prompted some experts to consider whether the group might have indirect links to larger, more established threat ecosystems.
Evading Detection and Ensuring Persistence
Defense evasion is a cornerstone of CrazyHunter’s operations. The ransomware binary is often disguised to appear as a legitimate Windows process, allowing it to bypass endpoint protection and monitoring tools. The group has also been known to digitally sign malicious drivers to bypass driver integrity checks—a technique more commonly associated with nation-state actors.
To maintain persistence and obscure forensic evidence, CrazyHunter has employed a range of tactics, including clearing logs, deleting backups, and continuing to operate using compromised domain credentials. In some cases, it appears they may have used code signing certificates obtained through illicit means or purchased on underground forums to legitimize their payloads.
Communication with their Command-and-Control (C2) infrastructure occurs via standard web traffic, making it difficult to distinguish from normal user activity.
Data Theft and Public Shaming
CrazyHunter doesn’t just stop at encrypting data. Like many modern ransomware gangs, they adopt a double extortion strategy. If a victim refuses to pay, the group publicly threatens them with data leaks on a Dedicated Leak Site (DLS). This website serves both as a pressure tactic and a showcase of past victims, increasing reputational damage and raising the stakes for non-compliance.
In addition to their leak site, the CrazyHunter ransomware group has been active on BreachForums, a well-known cybercrime marketplace, where they operate under multiple aliases to sell or auction off stolen data. This shows a clear focus on financial gain, though traces of simplified Chinese language strings found in their malware suggest potential ties to Chinese-speaking actors. However, there is currently no direct evidence linking the group to any government or state-sponsored campaign.
Conclusion
The rise of the CrazyHunter ransomware group highlights the technical prowess of modern ransomware collectives, especially those targeting critical sectors like healthcare. By combining open-source tools with advanced techniques such as Active Directory abuse and privilege escalation via vulnerable drivers, the group poses a serious risk to Taiwanese institutions—and potentially beyond.
To fight against such threats, organizations must enhance their security posture through stronger AD controls, GPO monitoring, and endpoint detection solutions. Cyble, a global leader in AI-driven threat intelligence, offers real-time visibility into cyber risks through platforms like Cyble Vision and Cyble Hawk. These tools help organizations detect threats early, manage their attack surface, and stay protected from cyber adversaries.
Mitigation and Defense Strategies
- Strengthen Active Directory (AD) Security: Enforce Multi-Factor Authentication (MFA) for AD accounts and implement strong password policies.
- Patch Vulnerabilities and Mitigate BYOVD Attacks: Apply security patches regularly, especially for drivers, and block unapproved or unsigned drivers.
- Enhance Endpoint Detection and Response (EDR): Deploy advanced EDR solutions to detect malicious activities and set up automated responses.
- Monitor Group Policy Objects (GPO): Regularly audit GPO changes for unauthorized modifications and restrict modification access to trusted administrators.
- Use Application Whitelisting and Code Signing: Enforce application whitelisting to block unapproved apps and verify the integrity of code and drivers with trusted signatures.
- Backup Data and Test Recovery Procedures: Regularly back up critical data, store it offline, and conduct recovery drills.
- Network Segmentation and Least Privilege Access: Segment critical systems to limit ransomware spread and implement least privilege access to minimize admin rights.
- Conduct Regular Security Awareness Training: Train employees on phishing risks and run simulated phishing exercises to improve detection.
- Enhance Threat Intelligence Capabilities: Use platforms like Cyble Vision for threat monitoring and stay updated on attack tactics.
MITRE ATT&CK Techniques Associated with the CrazyHunter Ransomware Group

- Domain Accounts (T1078.002): The CrazyHunter ransomware group targets victims by compromising Active Directory (AD) accounts using weak passwords to gain initial access.
- Phishing (T1566): Possible initial infection vector, though not explicitly confirmed.
- Malicious File (T1204.002): Ransomware payload executed after gaining network access.
- Domain Accounts (T1078.002): Attackers used compromised AD accounts with weak passwords for persistent access.
- Exploitation for Privilege Escalation (T1068): Utilized Bring-Your-Own-Vulnerable-Driver (BYOVD) methods to escalate privileges with a modified Zemana driver (zam64.sys).
- Domain Accounts (T1078.002): Reused compromised AD accounts for privilege escalation.
- Group Policy Modification (T1484.001): Used SharpGPOAbuse to deploy malware through Group Policy Objects (GPOs).
- Masquerading (T1036): Ransomware disguised as a legitimate system process to evade detection.
- Domain Accounts (T1078.002): Attackers continued using compromised AD accounts for defense evasion.
- Group Policy Modification (T1484.001): Used GPO abuse to evade detection by spreading ransomware across the network.
- Code Signing (T1553.002): Signed malicious drivers to bypass security controls and remain undetected.
- Data Destruction (T1485): Attackers may have deleted backups or system logs to prevent recovery.
- Data Encrypted for Impact (T1486): Data was encrypted to disrupt availability and render stored data inaccessible.