CyberSecurity news

Source: gbhackers.com
CrazyHunter is a new ransomware group that has emerged as a significant cyber threat, specifically targeting organizations in Taiwan. Its victims are predominantly in the healthcare, education, and industrial sectors, indicating a focus on organizations that hold valuable data and run sensitive operations. Since January, CrazyHunter's operations have shown a clear pattern of targeting Taiwanese organizations: the group announced itself with a data leak site listing ten victims, all located in Taiwan, which points to a strategic, regionally focused campaign.

CrazyHunter's toolkit relies heavily on open-source tools taken from GitHub; roughly 80% of its arsenal is open source. Examples include the Prince Ransomware Builder and ZammoCide, which the group integrates to extend its operational capabilities. This approach significantly lowers the technical barrier to building tailored, potent ransomware and lets the group adapt and improve its operations quickly. The group has also been observed modifying existing open-source tools as its capabilities grow.

The deployment process uses a Bring Your Own Vulnerable Driver (BYOVD) technique to bypass security controls: a customized process killer derived from the open-source ZammoCide project abuses the zam64.sys driver to neutralize defenses, specifically antivirus and endpoint detection and response (EDR) products. The ransomware itself is a bespoke variant written in Go that uses ChaCha20 and ECIES encryption to lock files, appending a ".Hunter" extension to each. This demonstrates a sophisticated and targeted approach to ransomware deployment.
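The two observable indicators above, a load of the vulnerable zam64.sys driver and files being written with the ".Hunter" extension, are the kind of thing a defender would want to alert on. The following is an added detection sketch, not code from the article or from any of the vendors it cites. It assumes a simplified, Sysmon-like `key=value` event format (driver load events with `ImageLoaded`, file create events with `Image` and `TargetFilename`); the sample events, the process name `crazyhunter.exe` and the file paths are constructed for illustration, and the per-process threshold is an assumed tuning value.

```python
"""
Detection sketch for two CrazyHunter indicators reported in the article:
  1. loading of the vulnerable zam64.sys driver (BYOVD), and
  2. a process writing multiple files with the ".Hunter" extension.
The event format is a simplified, Sysmon-like "key=value" line (assumption);
all sample events below are constructed, not real captures.
"""
import re

# Constructed sample telemetry. Field names mirror Sysmon's driver-load (ID 6)
# and file-create (ID 11) events; paths and process names are hypothetical.
SAMPLE_EVENTS = [
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\zam64.sys Signed=true",
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true",
    "EventID=11 Image=C:\\Users\\Public\\crazyhunter.exe TargetFilename=D:\\records\\patient_01.xlsx.Hunter",
    "EventID=11 Image=C:\\Program Files\\Office\\excel.exe TargetFilename=D:\\records\\patient_02.xlsx",
    "EventID=11 Image=C:\\Users\\Public\\crazyhunter.exe TargetFilename=D:\\records\\patient_03.docx.Hunter",
]

# Driver named in the article; in practice extend this from a maintained
# vulnerable-driver blocklist rather than hard-coding one entry.
VULNERABLE_DRIVERS = {"zam64.sys"}
RANSOM_EXTENSION = ".hunter"  # compared case-insensitively

# key=value pairs where a value may contain spaces (e.g. "Program Files");
# a value ends right before the next " key=" token or at end of line.
_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one constructed log line into a dict of field -> value."""
    return dict(_KV_RE.findall(line))


def detect_byovd(events):
    """Return paths of loaded drivers whose file name is on the vulnerable list."""
    hits = []
    for e in events:
        if e.get("EventID") != "6":
            continue
        path = e.get("ImageLoaded", "")
        if path.rsplit("\\", 1)[-1].lower() in VULNERABLE_DRIVERS:
            hits.append(path)
    return hits


def detect_ransom_writers(events, threshold=2):
    """Map writing process -> count of '.Hunter' files, keeping only processes
    at or above the threshold (assumed tuning value to suppress one-off noise)."""
    counts = {}
    for e in events:
        if e.get("EventID") != "11":
            continue
        if e.get("TargetFilename", "").lower().endswith(RANSOM_EXTENSION):
            img = e.get("Image", "<unknown>")
            counts[img] = counts.get(img, 0) + 1
    return {img: n for img, n in counts.items() if n >= threshold}


def analyze(lines):
    """Run both detections over raw log lines and return the findings."""
    events = [parse_event(line) for line in lines]
    return {
        "byovd": detect_byovd(events),
        "ransom_writers": detect_ransom_writers(events),
    }


if __name__ == "__main__":
    for kind, finding in analyze(SAMPLE_EVENTS).items():
        print(f"{kind}: {finding}")
```

The driver-load check fires on the very first event, before any encryption starts, which is the point at which stopping the process still saves data; the extension check is the later, higher-confidence signal and is counted per writing process so that a single oddly named file does not page anyone.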



References:
  • gbhackers.com: Analysis of the CrazyHunter group highlights its sophisticated methodology in exploiting accessible open-source tools and targeting various sectors within Taiwan.
  • www.trendmicro.com: Trend Micro details research on the emerging ransomware group CrazyHunter, which has launched a sophisticated campaign aimed at Taiwan's essential services.
  • cyberpress.org: CyberPress reports that CrazyHunter leverages GitHub open-source tools to launch attacks on organizations.
  • securityonline.info: The group's reliance on readily available GitHub resources underscores a trend of attackers leveraging public repositories for their operations.
Classification:
  • HashTags: #CrazyHunter #ransomware #BYOVD
  • Company: GitHub
  • Target: Taiwan's critical sectors
  • Attacker: CrazyHunter
  • Product: GitHub
  • Feature: open-source tools
  • Malware: CrazyHunter
  • Type: Ransomware
  • Severity: Major