A sophisticated ransomware group known as CrazyHunter has emerged as a significant threat to organizations, particularly those in Taiwan’s critical infrastructure sectors. This newly identified threat actor has been conducting targeted attacks against healthcare facilities, educational institutions, and industrial organizations since early 2025, showcasing a concerning level of operational sophistication.

The campaign leverages readily available open-source tools from GitHub, significantly lowering the barrier to entry for conducting complex ransomware operations. Trend Micro researchers identified that approximately 80% of CrazyHunter’s toolkit consists of openly available GitHub resources that have been modified to enhance their capabilities.

After gaining initial access, they deploy multiple tools to disable security mechanisms, establish persistence, and move laterally through networks. The group employs the Bring Your Own Vulnerable Driver (BYOVD) technique, which allows them to bypass security measures by exploiting legitimate but vulnerable drivers already present in systems. This enables them to terminate security processes and deploy their ransomware payload with minimal detection.

Once they’ve gained sufficient control, they deploy their ransomware, encrypting files with the “.Hunter” extension and leaving a ransom note titled “Decryption Instructions.txt” while also changing the victim’s desktop wallpaper to display ransom demands. The ransomware itself is based on the open-source Prince ransomware builder, modified to add the “.Hunter” extension to encrypted files.

The heart of CrazyHunter’s attack lies in their execution script, a batch file that orchestrates the deployment of multiple components in sequence. After disabling security measures, the script proceeds to load the ransomware driver using bb.exe, then launches the encryption process. One of the most notable aspects of CrazyHunter’s operation is their execution methodology, which employs redundant measures to ensure ransomware deployment even if primary methods fail.
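As an added defender-side illustration that is not part of the original article: a small Python detector that applies the indicators named above (the “.Hunter” extension, the “Decryption Instructions.txt” note and the bb.exe loader) to constructed file and process events. The log format, host names and the burst threshold are assumptions, not details from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the report above; the thresholds below are assumptions.
ENCRYPTED_EXT = ".hunter"                 # ".Hunter", compared case-insensitively
RANSOM_NOTE = "decryption instructions.txt"
DRIVER_LOADER = "bb.exe"
BURST_COUNT, BURST_WINDOW = 4, timedelta(minutes=2)

# Constructed sample telemetry, one "<UTC time> <host> <event> <path>" per line.
SAMPLE_EVENTS = """\
2025-04-17T08:00:01Z host-a FILE_CREATE C:\\Data\\report.docx
2025-04-17T08:01:10Z host-a PROC_START C:\\Windows\\Temp\\bb.exe
2025-04-17T08:01:12Z host-a FILE_CREATE C:\\Data\\report.docx.Hunter
2025-04-17T08:01:13Z host-a FILE_CREATE C:\\Data\\budget.xlsx.Hunter
2025-04-17T08:01:14Z host-a FILE_CREATE C:\\Data\\notes.txt.Hunter
2025-04-17T08:01:15Z host-a FILE_CREATE C:\\Data\\scan.pdf.Hunter
2025-04-17T08:01:20Z host-a FILE_CREATE C:\\Data\\Decryption Instructions.txt
2025-04-17T09:30:00Z host-b FILE_CREATE C:\\Data\\old.bak.Hunter
"""


def parse_events(text):
    """Parse the constructed log format into (time, host, event, path) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, kind, path = line.split(" ", 3)  # the path may contain spaces
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, kind, path))
    return events


def detect(events):
    """Return {host: [reasons]} for hosts showing CrazyHunter-like activity."""
    recent = defaultdict(list)   # per-host timestamps of .Hunter files inside the window
    reasons = defaultdict(set)
    for ts, host, kind, path in sorted(events):
        name = path.rsplit("\\", 1)[-1].lower()
        if kind == "PROC_START" and name == DRIVER_LOADER:
            reasons[host].add("bb.exe driver loader executed")
        elif kind in ("FILE_CREATE", "FILE_RENAME") and name == RANSOM_NOTE:
            reasons[host].add("ransom note dropped")
        elif kind in ("FILE_CREATE", "FILE_RENAME") and name.endswith(ENCRYPTED_EXT):
            window = recent[host]
            window.append(ts)
            while ts - window[0] > BURST_WINDOW:   # slide the window forward
                window.pop(0)
            if len(window) >= BURST_COUNT:         # mass encryption, not a stray file
                reasons[host].add("burst of .Hunter files")
    return {host: sorted(r) for host, r in reasons.items()}
```

A single stray “.Hunter” file on host-b does not alert on its own; the burst rule is what separates mass encryption from a one-off rename.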
Published on cybersecuritynews.com, Thu, 17 Apr 2025 19:25:07 +0000.