CrazyHunter Campaign Targets Taiwanese Critical Sectors

CrazyHunter, a relatively new ransomware group, has emerged as a significant threat to Taiwan's critical sectors. Our investigation reveals that the group has been targeting hospitals and medical centers, educational institutions and universities, manufacturing companies, and industrial organizations in Taiwan.

Pattern of Attack

The victims of CrazyHunter consist mainly of organizations with valuable data and sensitive operations. The group's tactics, techniques, and procedures (TTPs) reflect a targeted focus on these sectors. We have identified three main points of interest during our investigation:

  1. Strategic targeting: CrazyHunter has strategically and deliberately targeted Taiwan, indicating a campaign specifically against the region.
  2. Use of open-source tools: Around 80% of CrazyHunter's toolset consists of open-source tools from GitHub, which the group modifies to fit their specific needs.
  3. Expanding toolset and methods: The attackers have broadened their toolset and methods of execution, indicating a strategic effort to enhance the complexity and effectiveness of their operations.

Attack Vector

The attackers use a batch script to execute multiple binaries, ultimately leading to the deployment of the ransomware payload. The script initiates a sequence to deploy ransomware while avoiding detection:

  • Redundant measures: Fallback mechanisms built into the deployment chain ensure that the ransomware is still deployed even if the primary method fails.
  • Batch script execution: The batch script launches a series of binaries in sequence, culminating in the deployment of the ransomware payload.

Ransomware Deployment Process

The flowchart of the ransomware deployment process illustrates these events:

[Figure: Ransomware Deployment Process Flowchart]

Geographical Focus

The geographical focus of these attacks has been predominantly on Taiwan, indicating a targeted campaign against this specific region. The group's customized contact email, payment[.]attack-tw1337@proton[.]me, which is prominently displayed in the ransom note, contains the "tw" designation.

Recommendations for Protection

To protect against threats leveraging Bring Your Own Vulnerable Driver (BYOVD) techniques and open-source tools from platforms like GitHub:

  1. Trend Vision One: This AI-powered enterprise cybersecurity platform centralizes cyber risk exposure management, security operations, and robust layered protection. It helps predict and prevent threats, accelerating proactive security outcomes across your digital estate.
  2. Intelligence Reports and Threat Insights: Trend Vision One customers can access these reports, which offer comprehensive information on threat actors, their malicious activities, and their techniques, helping organizations stay ahead of cyber threats before they happen and prepare for emerging threats.

Conclusion

Ransomware is a growing threat, and enterprises must adopt a proactive approach to safeguard their operations. CrazyHunter's strategic use of open-source tools from GitHub significantly enhanced the group's capabilities for defense evasion, lateral movement, and impactful operations. By expanding their toolset and methods of execution, attackers have demonstrated an evolution in their strategies along with their persistence. This highlights the pressing need for strong cybersecurity measures to counteract the advanced techniques used by ransomware groups.