CrazyHunter is a newly emerged ransomware group that has rapidly gained attention for its focused attacks on Taiwan’s critical sectors, particularly healthcare, education, and manufacturing. The group’s operations show a high level of sophistication, combining advanced evasion tactics with a heavily modified toolkit in which roughly 80% of the components are open-source tools taken from GitHub. Since January, CrazyHunter has been observed deploying ransomware via customized payloads, building them with the Prince ransomware builder and exploiting vulnerable drivers to disable security solutions.
The group’s primary tactic centers on the Bring Your Own Vulnerable Driver (BYOVD) technique, notably abusing the Zemana Anti-Malware driver (zam64.sys) to disable AV/EDR defenses through a tool dubbed ZammoCide. Because the abused driver carries a valid signature, loading it does not trip Driver Signature Enforcement; defenders have to rely on the vulnerable-driver blocklist (or HVCI) and on detecting the load itself rather than on signature checks. They also leverage SharpGPOAbuse to manipulate Group Policy Objects for lateral movement and privilege escalation. Ransomware deployment is executed via layered batch scripts with fallback mechanisms, so that if one payload fails another is tried, using a customized version of the Go-based Prince ransomware. CrazyHunter’s operations are further supported by custom tools such as file.exe, which acts as both a file monitor and an exfiltration server.
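The following detection sketch is an added example, not code from the report or from the CrazyHunter toolkit. It runs a BYOVD check over a few constructed, flattened Sysmon Event ID 6 (DriverLoad) records: it flags the driver name from the text (zam64.sys), flags a hash match even when the file has been renamed, and flags a driver loaded from outside the usual driver directories. The SHA-256 values in the watchlist are placeholders, not real hashes; the `key=value|key=value` line format is a simplification of Sysmon's event text for the sake of a self-contained example.

```python
"""BYOVD detection sketch over constructed Sysmon DriverLoad records.

Added example; the watchlist hashes are placeholders, not real values.
"""
import re
from dataclasses import dataclass


# Driver file names known to be abusable for killing protected processes.
# zam64.sys is the driver named in the text; extend from a maintained list.
VULNERABLE_DRIVER_NAMES = {"zam64.sys"}

# Hashes of abusable driver images. Matching on the hash catches a renamed
# copy. CONSTRUCTED PLACEHOLDER: populate from a maintained source such as
# loldrivers.io or Microsoft's recommended driver blocklist in real use.
VULNERABLE_DRIVER_SHA256 = {"a" * 64}

# Directories a properly installed driver is expected to load from. BYOVD
# tooling usually drops its driver next to the tool, so anything else is
# suspicious on its own.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class Finding:
    image: str
    reasons: list


def parse_event(line):
    """Parse one flattened record ('key=value|key=value|...') into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def sha256_of(hashes_field):
    """Sysmon writes Hashes as e.g. 'SHA256=...,MD5=...'; pull the SHA-256."""
    match = re.search(r"SHA256=([0-9a-fA-F]{64})", hashes_field)
    return match.group(1).lower() if match else None


def assess(event):
    """Return a Finding for a suspicious DriverLoad event, else None."""
    if event.get("EventID") != "6":
        return None
    image = event.get("ImageLoaded", "")
    low = image.lower()
    name = low.rsplit("\\", 1)[-1]
    reasons = []
    if name in VULNERABLE_DRIVER_NAMES:
        reasons.append(f"known abusable driver name: {name}")
    if sha256_of(event.get("Hashes", "")) in VULNERABLE_DRIVER_SHA256:
        reasons.append("image hash is on the vulnerable-driver blocklist")
    if not low.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append(f"driver loaded from untrusted path: {image}")
    # A valid signature is deliberately NOT treated as exculpatory: the
    # whole point of BYOVD is that the abused driver is legitimately signed.
    return Finding(image, reasons) if reasons else None


def scan(lines):
    """Run assess() over every non-empty record and collect the findings."""
    return [f for f in (assess(parse_event(l)) for l in lines if l.strip()) if f]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: Microsoft driver from the drivers directory, hash not listed.
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys"
    "|Hashes=SHA256=" + "b" * 64 + "|Signed=true|SignatureStatus=Valid",
    # BYOVD: zam64.sys dropped in Temp, still validly signed.
    "EventID=6|ImageLoaded=C:\\Windows\\Temp\\zam64.sys"
    "|Hashes=SHA256=" + "a" * 64 + "|Signed=true|SignatureStatus=Valid",
    # BYOVD with a renamed driver: the name changed, the hash did not.
    "EventID=6|ImageLoaded=C:\\ProgramData\\update.sys"
    "|Hashes=SHA256=" + "a" * 64 + "|Signed=true|SignatureStatus=Valid",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.image)
        for reason in finding.reasons:
            print("   -", reason)
```

The name check alone is the weakest of the three signals, since the attacker controls the file name; the hash and path checks are what catch the renamed copy in the third record. In production the watchlist would be fed from a maintained vulnerable-driver list and the events read from the Sysmon operational log rather than from inline strings.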