{
	"id": "8b0e13a2-b214-4610-bed1-b7526863028e",
	"created_at": "2026-04-06T00:06:28.3682Z",
	"updated_at": "2026-04-10T03:20:28.907277Z",
	"deleted_at": null,
	"sha1_hash": "7d5ce887dee556e3d55125f45ba38dc482e5dc83",
	"title": "CrazyHunter: The Rising Threat of Open-Source Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 391434,
	"plain_text": "CrazyHunter: The Rising Threat of Open-Source Ransomware\r\nArchived: 2026-04-05 17:20:15 UTC\r\nBackground\r\nA ransomware attack on the Mackay Memorial hospital in Taiwan is the latest example of a growing number of\r\nincidents revolving around publicly available, offensive tools and code that threat actors are utilizing. The\r\nransomware encryptor used in this incident, dubbed “CrazyHunter”, was built using a ransomware builder called\r\n“Prince Ransomware” which was publicly available on GitHub. WithSecure has observed a growing number of\r\nactors employing this specific ransomware builder in ransomware attacks. There are a number of ‘lone wolf’\r\nransomware events that do not seem to use ransomware-as-a -service, affiliate models [read about that here]. As\r\nsuch, these can often be under-reported as we – as an industry – tend to focus on ‘big game’, more productive and\r\nattributable ransomware “franchises”.  The purpose of this blog is to provide some technical analysis into the\r\nPrince Ransomware builder, and the tactics, techniques and procedures (TTP) behind the Mackay Memorial\r\nHospital – and likely other Taiwanese – incidents.\r\nSummary of the Incident\r\nAs noted in the report by CMMedia, the incident at Mackay Memorial Hospital Taiwan began on 9th February\r\n2025. The threat actor began by infecting a small number of computers, probably to gauage the hospital's\r\nnetwork defence. Upon seeing no or limited security, the threat actor continued their attack, laterally moving\r\nacross the entire hospital network before detonating the ransomware encryptor. This resulted in the encryption of\r\nover 600 devices across two district branches, Taipei and Tamsui. The encryption of files caused key systems to\r\ncrash and prevented staff access to patient data.\r\nThe initial point of entry was reported as a USB device inserted into a computer within the network (reportedly by\r\na staff member). 
A physical initial access vector (IAV) is relatively rare in ransomware incidents; however, there is some precedent of pre-infected USB devices propagating malware. Reports of this incident did not state what the first-stage malware dropped by the USB device was, and WithSecure has been unable to ascertain it.\r\nWithSecure was able to detect a portion of the malware artifacts on VirusTotal that were likely used to conduct the attack, allowing for further analysis of the tools deployed in this incident. The artifacts were bundled in a file called “bb2.zip” which was uploaded to the platform multiple times, twice from Taiwan.\r\nThe file called “bb2.zip”, which was dropped in the “C:\\Users\\Public” directory, contained the following files:\r\nFile Name | Description\r\nbb.exe | Shellcode loader which loads “crazyhunter.sys”\r\ncrazyhunter.exe | A ransomware encryptor built with the “Prince Ransomware” builder\r\ncrazyhunter.sys | A shellcode binary file based on “crazyhunter.exe”\r\nfile.exe | A custom exfiltration tool\r\ngo.exe | A defence evasion tool\r\ngo2.exe | A defence evasion tool\r\ngo3.exe | A ransomware encryptor built with the “Prince Ransomware” builder, same as “crazyhunter.exe”\r\ngpo.exe | SharpGPOAbuse tool used for lateral movement\r\nru.bat | A batch script file used to start the encryption process\r\nzam64.sys | A vulnerable Zemana Anti-Logger kernel driver\r\nhttps://labs.withsecure.com/publications/crazyhunter-ransomware\r\nPage 1 of 10\r\nArtifact Analysis\r\nOverview\r\nA batch script, “ru.bat”, found in the malware artifacts, was almost certainly used by the threat actor to automate the execution of several malicious actions. 
The script was not obfuscated in any way, and seeks to perform the following actions:\r\nRun “go2.exe”\r\nRun “go.exe”\r\nRun “go3.exe”\r\nRun “av-1m.exe” if “go.exe” is not running\r\nRun “bb.exe” and pass the driver file “crazyhunter.sys” as an argument\r\nRun “crazyhunter.exe” if “bb.exe” is not running\r\nFigure 1. File content of “ru.bat” batch script\r\nDefense Evasion\r\nThe threat actor employed the frequently used “Bring Your Own Vulnerable Driver” (BYOVD) technique to disable security products on the systems. This is becoming increasingly common in ransomware attacks. This method allows the execution of malicious code with kernel-level privilege by exploiting signed and legitimate drivers with known vulnerabilities. In this instance, “go2.exe” and “go.exe” are malware written in the Go programming language, designed to load a vulnerable version of the Zemana Anti-Logger kernel driver, “zam64.sys”. This allows the termination of security products, with “go2.exe” targeting Windows Defender and “go.exe” targeting both Windows Defender and Trend Micro products. The usage of two executables for this purpose may suggest an attempt by the threat actor to ensure the termination of the security products. However, it is also realistically possible that the threat actor is low skilled and unsure of what they are doing, relying on multiple tools to achieve their goal. The exploitation of vulnerable Zemana drivers is similar to the Terminator EDR tool sold by a Russian threat actor, which loads the same vulnerable version of the Zemana Anti-Logger kernel driver to disable security products.\r\nFigure 2. 
Targeted antivirus services\r\nAlthough the file “av-1m.exe” was not included in the malware artifacts, based on the file name and the check for whether “go.exe” is running, it can be assumed that it was used to bypass AV as well.\r\nEncryption\r\nThe threat actor used an open-source ransomware builder (a tool to automate the creation of ransomware) written in the Go programming language called “Prince Ransomware”, which was freely available on GitHub. This is no longer available on GitHub; however, it can be retrieved from a snapshot of the builder repository. The builder utilizes both ChaCha20 and ECIES (Elliptic Curve Integrated Encryption Scheme) cryptography to encrypt files securely, making it more difficult to recover the encrypted files. This works by generating a unique ChaCha20 key and nonce for each file. The file is then encrypted using a pattern where 1 byte is encrypted, followed by 2 bytes left unencrypted. The ChaCha20 key and nonce are then encrypted using an ECIES public key and added to the start of the file. The encrypter loops through all drives and directories on the system, ignoring blocklisted files, directories and extensions, to perform the encryption and drop the ransom note. The “CrazyHunter” encrypter was found in the malware artifacts as “go3.exe” and “crazyhunter.exe”, which had the same file hashes.\r\nSince the builder was freely accessible and effective, other similar ransomware samples utilizing this builder have been found on VirusTotal. Other variants include Black (Prince), Wenda, UwU, and many others – in our opinion, also under-reported. The only difference between these variants lies in the file extension and the ransom note dropped, which can be customized within the configuration file of the builder to fit the needs of the threat actors. 
The ransom note dropped by “CrazyHunter” is only slightly modified, which gives an indication as to how ready ‘out of the box’ this ransomware code is. The threat actor simply needs to edit a single configuration file to essentially deploy a “fresh” ransomware brand.\r\nFigure 3. Default ransom note template by Prince Ransomware\r\nFigure 4. Ransom note left by CrazyHunter\r\nAnother file found in the malware artifacts was “bb.exe”, which loads a binary shellcode file called “crazyhunter.sys”. Analysis of the binary shellcode reveals the use of a tool called Donut, which generates shellcode from PE files. In this case, the standalone “CrazyHunter” encrypter (go3.exe and crazyhunter.exe) mentioned above was converted to shellcode and stored as “crazyhunter.sys”, which is then loaded into memory using “bb.exe”. This technique was likely used to evade detection by security products in case the standalone encrypter was detected. The resulting encryption and ransom note would be the same as those produced by the standalone encrypter (“go3.exe” and “crazyhunter.exe”).\r\nLateral Movement\r\nBased on the malware artifact “gpo.exe”, which is SharpGPOAbuse, an open-source offensive tool available on GitHub, it can be said that the threat actor used it to spread the ransomware to other computers on the network. This is performed by exploiting the user’s edit rights on a Group Policy Object (GPO) to compromise the objects controlled by that GPO. The threat actor can then set up malicious scripts configured to run automatically during system startup, user logon, or at a scheduled time.\r\nAdditional Tooling\r\nOne of the artifacts, called “file.exe”, was particularly interesting. 
Further analysis revealed that it is a tool capable of hosting/setting up the victim’s machine as a file server, or of monitoring for files with specific extensions in the specified directory (default is the current directory), including subdirectories. When set to function as a file server, it will open the specified port (default is 9999) at the specified directory (default is the current directory). This can then be accessed on “localhost:\u003cport\u003e”. Additionally, when configured to monitor files, it will periodically scan the specified directory for files with the monitored extensions and delete any matching files. Based on its capabilities, it is almost certain that this tool is used for data exfiltration and to prevent any recovery actions by monitoring and deleting specific file extensions like .exe or .ps1.\r\nFigure 5. Command line arguments of “file.exe”\r\nOther Incidents\r\nThere is limited information available regarding CrazyHunter, but their attacks first started in early 2025. At the time of writing, they have been involved in multiple incidents, mostly targeting hospitals and some industrial sectors in Taiwan. This pattern suggests that the actor might be a local actor. The use of a USB device as the initial access vector (IAV) in the Mackay Memorial Hospital incident further indicates that the threat actor is likely based in Taiwan. As a result, the likelihood of this group targeting other geographical regions appears to be relatively low at the time of writing.\r\nMitigation\r\nTo mitigate the risk of ransomware attacks similar to the one at Mackay Memorial Hospital, organizations should implement strong endpoint protection, regularly update antivirus software, and secure against untrusted USB devices by disabling ports where possible and scanning them for malware. 
Proper network segmentation and access controls can limit the spread of malware. Continuous monitoring and auditing of network traffic and system logs can help identify and address potential weaknesses early on.\r\nConclusion\r\nThe incident at Mackay Memorial Hospital in Taiwan showcased how accessible and effective publicly available tools and malware can be, enabling a wide range of threat actors to perform cyberattacks. Notably, this includes multiple tools like SharpGPOAbuse and Donut, as well as the Prince Ransomware builder, used specifically in this incident. Such readily available resources greatly lower the barrier for ransomware actors, allowing even those with limited technical expertise to launch complex attacks.\r\nFurthermore, attributing such attacks to a specific ransomware affiliate or collective is particularly challenging due to the widespread availability and use of these open-source tools enabling lone-wolf attackers. Throughout 2024, WithSecure could not attribute 38% of its ransomware incidents to an identifiable Ransomware-as-a-Service franchise, another indication of the increase in lone-wolf ransomware events enabled by readily available offensive tooling. Moreover, there are numerous other cases of leaked ransomware enablers being deployed, notably leaked builders like LockBit and Babuk, which WithSecure often sees deployed by ransomware actors not affiliated to any particular RaaS.\r\nThe initial access vector (IAV) for this incident was reportedly a USB device, which is uncommon in ransomware incidents. The physical nature of this IAV, combined with the use of open-source tools and ransomware, and the absence of links to other known attacks, suggests that this might be the work of a local “lone wolf” ransomware threat actor targeting businesses and organizations exclusively in Taiwan. 
However, this remains inconclusive due to the limited data available at the time of investigation and writing. Whether the incident was accidental or involved a staff member, it highlights the importance of implementing physical security measures for networked devices and data ports in public buildings like hospitals.\r\nTTP\r\nTactic | Technique | Description\r\nExecution | T1059.003 – Command and Scripting Interpreter: Windows Command Shell | The threat actor used a batch script to automate the execution of malicious actions.\r\nPersistence | T1547 – Boot or Logon Autostart Execution | The threat actor used SharpGPOAbuse to set up a malicious script configured to run during startup or user logon.\r\nPrivilege Escalation | T1068 – Exploitation for Privilege Escalation | The threat actor used two executables that load a vulnerable driver to exploit permission to run malicious code in kernel mode.\r\nPrivilege Escalation | T1484.001 – Domain or Tenant Policy Modification: Group Policy Modification | The threat actor used SharpGPOAbuse to modify the GPO and set up a malicious script configured to run during startup or user logon on the computers within the network.\r\nDefense Evasion | T1562.001 – Impair Defenses: Disable or Modify Tools | The threat actor used two executables that load a vulnerable driver to disable EDR and AV tools.\r\nDefense Evasion | T1211 – Exploitation for Defense Evasion | The tool used to disable EDR and AV tools loads a vulnerable driver to execute malicious code in kernel mode.\r\nDiscovery | T1083 – File and Directory Discovery | The threat actor used “file.exe” to perform file and directory discovery to identify files to exfiltrate.\r\nLateral Movement | T1570 – Lateral Tool Transfer | The threat actor used the “file.exe” fileserver to transfer the malicious tools and executables within the 
network.\r\nCollection | T1005 – Data from Local System | The threat actor used “file.exe” to host/set up a fileserver for access from outside the network.\r\nExfiltration | T1048 – Exfiltration Over Alternative Protocol | The threat actor used “file.exe” to host/set up a fileserver that can be used to exfiltrate data.\r\nImpact | T1486 – Data Encrypted for Impact | The ransomware encrypts files using ChaCha20 and ECIES cryptography, which makes it difficult to recover the files.\r\nIOC\r\nFile Name | Sha256\r\nbb.exe | 2cc975fdb21f6dd20775aa52c7b3db6866c50761e22338b08ffc7f7748b2acaa\r\ncrazyhunter.exe | f72c03d37db77e8c6959b293ce81d009bf1c85f7d3bdaa4f873d3241833c146b\r\ncrazyhunter.sys | 5316060745271723c9934047155dae95a3920cb6343ca08c93531e1c235861ba\r\nfile.exe | 14359f54d49799c713c2a8cc0c19a88392a0c6ad2c383494023008326cd0ba15\r\ngo.exe | 754d5c0c494099b72c050e745dde45ee4f6195c1f559a0f3a0fddba353004db6\r\ngo2.exe | 983f5346756d61fec35df3e6e773ff43973eb96aabaa8094dcbfb5ca17821c81\r\ngo3.exe | f72c03d37db77e8c6959b293ce81d009bf1c85f7d3bdaa4f873d3241833c146b\r\ngpo.exe | 512f785d3c2a787b30fa760a153723d02090c0812d01bb519b670ecfc9780d93\r\nru.bat | d1081c77f37d080b4e8ecf6325d79e6666572d8ac96598fe65f9630dda6ec1ec\r\nzam64.sys | 2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1\r\nbb2.zip | bdfc66266a2a19fc3d5dccef3eefe4c0ee928ba5b7abad60bc320218b2082fea\r\nSource: https://labs.withsecure.com/publications/crazyhunter-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.withsecure.com/publications/crazyhunter-ransomware"
	],
	"report_names": [
		"crazyhunter-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775433988,
	"ts_updated_at": 1775791228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d5ce887dee556e3d55125f45ba38dc482e5dc83.pdf",
		"text": "https://archive.orkl.eu/7d5ce887dee556e3d55125f45ba38dc482e5dc83.txt",
		"img": "https://archive.orkl.eu/7d5ce887dee556e3d55125f45ba38dc482e5dc83.jpg"
	}
}