CrazyHunter
CrazyHunter is a Go-based ransomware family targeting Windows systems. Multiple sources describe it as a fork of Prince ransomware, first observed in mid-2024 and tracked by Trellix as a rapidly evolving threat. It has primarily targeted organizations in Taiwan, with at least six known victims, most notably hospitals and other healthcare entities.
Reported initial access commonly involves exploiting weaknesses in Active Directory environments, including weak domain account passwords. For propagation, operators abuse Group Policy Objects with SharpGPOAbuse to spread rapidly across enterprise networks. The malware also uses a bring-your-own-vulnerable-driver (BYOVD) technique for privilege escalation and defense evasion, deploying a modified Zemana anti-malware driver, zam64.sys (reported as version 2.18.371.0), to terminate security processes.
The reported deployment chain has ru.bat orchestrating the other components: go.exe and go2.exe as AV-killer tools, go3.exe as the primary encryptor, bb.exe as a Donut loader for in-memory execution of crazyhunter.sys shellcode, and crazyhunter.exe as a backup encryptor. A fallback anti-malware interference component, av-1m.exe, may also be used. The ransomware enumerates drives, applies exclusion lists for specific extensions, filenames, and directories, and encrypts files with ChaCha20 using a partial-encryption scheme that encrypts one byte and skips the next two. Per-file keys and nonces are protected with ECIES. Encrypted files are typically renamed with a .hunter or .Hunter extension.
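A defender-side triage heuristic for the one-byte-encrypted, two-bytes-skipped pattern, added here as an example and not code from CrazyHunter or from the sources summarized above: it measures Shannon entropy per interleaved byte lane and flags files where exactly one lane in three is keystream-like while the other two still read as plaintext. The sample document and the seeded stand-in for the encrypted lane are constructed; the heuristic assumes a low-entropy original and cannot say anything about files that were already compressed or encrypted.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def lane_entropies(data: bytes, stride: int = 3) -> list[float]:
    """Entropy of each interleaved lane: bytes at positions i with i % stride == r."""
    return [shannon_entropy(data[r::stride]) for r in range(stride)]


def classify(data: bytes, high: float = 7.0, low: float = 5.5) -> str:
    """'partial-1-of-3' when exactly one lane is keystream-like and the other two
    still look like plaintext; 'high-entropy' when every lane is; else 'plaintext'.
    Only meaningful for low-entropy originals (documents, logs, source files)."""
    lanes = lane_entropies(data)
    hot = [e >= high for e in lanes]
    if all(hot):
        return "high-entropy"
    if sum(hot) == 1 and all(e <= low for e, h in zip(lanes, hot) if not h):
        return "partial-1-of-3"
    return "plaintext"


# Constructed sample: a plausible document body, not a real victim file.
PLAINTEXT = b"Quarterly patient intake summary, ward B. Totals by department follow.\n" * 90


def simulate_partial_encryption(plain: bytes, seed: int = 1337) -> bytes:
    """Stand-in for the scheme's effect on a file: every third byte (positions 0, 3,
    6, ...) replaced by a seeded pseudo-random byte, the next two left untouched.
    No cipher is involved; this only reproduces the resulting byte-lane pattern."""
    rng = random.Random(seed)
    out = bytearray(plain)
    for i in range(0, len(out), 3):
        out[i] = rng.randrange(256)
    return bytes(out)


PARTIAL = simulate_partial_encryption(PLAINTEXT)

if __name__ == "__main__":
    for name, blob in (("original", PLAINTEXT), ("partially encrypted", PARTIAL)):
        print(f"{name:20} lanes={[round(e, 2) for e in lane_entropies(blob)]} -> {classify(blob)}")
```

Because the check runs over all three lanes rather than assuming the encrypted lane is the first, it tolerates an unencrypted header that shifts the alignment by one or two bytes.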
CrazyHunter maintains a data leak site and applies double-extortion pressure by threatening to publish stolen victim data. The leak site reportedly includes a “Strategic Manifesto” and references “Premium Criminal Branding Services.” Victim communications are conducted via email and Telegram, with payment demanded in cryptocurrency. Reported contact and infrastructure indicators include attack-tw1337@proton.me, Telegram @Magic13377, and the Tor onion address 7i6sfmfvmqfaabjksckwrttu3nsbopl3xev2vbxbkghsivs5lqp4yeqd.onion. Additional reported operational tooling includes file.exe, described as either a local file server on port 9999 or a monitoring/deletion tool used during extortion, and a wallpaper-change routine that downloads an image from ncmep.org.
High-confidence indicators and artifacts reported for this family include zam64.sys, ru.bat, go.exe, go2.exe, go3.exe, bb.exe, crazyhunter.sys, crazyhunter.exe, av-1m.exe, gpo.exe, file.exe, the .hunter/.Hunter file extension, the Proton email address, the Telegram handle, the onion site, and the wallpaper URL hosted on ncmep.org. One source also notes that Taiwanese authorities linked the attacks to a Chinese security firm, but attribution details are limited.
Groups observed using it
1 distinct threat actor attributed by public researchers.
CrazyHunter, a Go-developed ransomware, employs advanced encryption and delivery methods targeted against Windows-based machines. It uses a data leak site to publicize victim information.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Go-based ransomware (fork of Prince) targeting Windows systems; uses AD weaknesses/weak domain passwords for initial access, SharpGPOAbuse for GPO-based distribution and propagation, and a modified Zemana anti-malware driver for BYOVD privilege escalation and security process termination; operates a data leak site.
Go-based ransomware targeting Windows systems; uses advanced encryption and delivery methods, incorporates enhanced network intrusion techniques and anti-malware evasion, and operates a data leak site for extortion.
Ransomware strain used in attacks against Taiwanese organizations, later linked to a Chinese security firm.
Ransomware strain (first seen mid-2024) that targets organizations (notably healthcare in Taiwan), spreads via AD/GPO abuse (SharpGPOAbuse), uses BYOVD with a modified Zemana driver (zam64.sys) to terminate security tools, and encrypts files quickly using ChaCha20 with partial encryption (1 byte encrypted, 2 bytes skipped) to increase speed and potentially evade I/O-based detection; supports extortion via data leak threats and tooling (e.g., file.exe) for monitoring/deletion during extortion.