
Nascent CrazyHunter ransomware takes aim at healthcare


At least half a dozen healthcare organizations across Taiwan have already been victimized by intrusions with the newly emergent CrazyHunter ransomware, Cyber Security News reports.

Threat actors gained initial network access by targeting vulnerable Active Directory instances, then used SharpGPOAbuse to modify Group Policy Objects so that CrazyHunter was pushed to every domain-joined system at once, according to Trellix researchers. Beyond structured ransom channels, anonymous network infrastructure, and Telegram communication channels, CrazyHunter relies on several stealth measures, including in-memory execution, components that target antivirus software, and encryption of backups.
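One defensive angle on the GPO abuse described above, as an added example that is not from the article or from Trellix's research: when "Audit Directory Service Changes" is enabled and a SACL covers the Policies container, Active Directory records each GPO attribute change as Security event 5136 ("A directory service object was modified"). Tools that add machine-side settings to a GPO touch attributes such as gPCMachineExtensionNames and versionNumber on a groupPolicyContainer object. The Python script below scans constructed event records (the key=value line format, the allowlist of GPO editors, and the sample GPO names are assumptions for the example) and flags GPO edits by accounts outside the allowlist, plus bursts of edits across several GPOs by one account.

```python
"""Flag suspicious Group Policy Object edits in Windows Security events.

Added example; not from the article or Trellix. The event lines are
constructed sample data in an assumed 'key=value;' format, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

GPO_MODIFIED_EVENT = 5136            # "A directory service object was modified"
GPO_OBJECT_CLASS = "groupPolicyContainer"
# GPO attributes that change when settings are added to a policy.
WATCHED_ATTRIBUTES = {"gPCMachineExtensionNames", "gPCUserExtensionNames", "versionNumber"}
# Assumption: the organisation maintains an allowlist of accounts allowed to edit GPOs.
AUTHORISED_EDITORS = {"CORP\\gpo-admin"}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "Time=2025-04-01T09:00:00;EventID=5136;SubjectUserName=CORP\\gpo-admin;"
    "ObjectClass=groupPolicyContainer;ObjectDN=CN={gpo-a},CN=Policies,CN=System,DC=corp,DC=example;"
    "AttributeLDAPDisplayName=versionNumber",
    "Time=2025-04-01T09:01:00;EventID=4624;SubjectUserName=CORP\\alice",
    "Time=2025-04-01T10:00:00;EventID=5136;SubjectUserName=CORP\\svc-backup;"
    "ObjectClass=groupPolicyContainer;ObjectDN=CN={gpo-a},CN=Policies,CN=System,DC=corp,DC=example;"
    "AttributeLDAPDisplayName=gPCMachineExtensionNames",
    "Time=2025-04-01T10:01:00;EventID=5136;SubjectUserName=CORP\\svc-backup;"
    "ObjectClass=groupPolicyContainer;ObjectDN=CN={gpo-b},CN=Policies,CN=System,DC=corp,DC=example;"
    "AttributeLDAPDisplayName=gPCMachineExtensionNames",
    "Time=2025-04-01T10:02:00;EventID=5136;SubjectUserName=CORP\\svc-backup;"
    "ObjectClass=groupPolicyContainer;ObjectDN=CN={gpo-c},CN=Policies,CN=System,DC=corp,DC=example;"
    "AttributeLDAPDisplayName=gPCMachineExtensionNames",
    "Time=2025-04-01T10:03:00;EventID=5136;SubjectUserName=CORP\\svc-backup;"
    "ObjectClass=groupPolicyContainer;ObjectDN=CN={gpo-c},CN=Policies,CN=System,DC=corp,DC=example;"
    "AttributeLDAPDisplayName=displayName",
]


def parse_event(line):
    """Parse one 'key=value;' event line into a dict with typed Time/EventID."""
    fields = {}
    for part in line.strip().split(";"):
        if "=" in part:
            key, value = part.split("=", 1)   # DNs contain '=', so split once
            fields[key.strip()] = value.strip()
    fields["EventID"] = int(fields["EventID"])
    fields["Time"] = datetime.fromisoformat(fields["Time"])
    return fields


def find_suspicious_gpo_edits(lines, burst_window=timedelta(minutes=5), burst_threshold=3):
    """Return alert tuples for watched-attribute GPO edits.

    - ('unauthorised_gpo_edit', subject, gpo_dn, attribute) for each edit by an
      account outside AUTHORISED_EDITORS;
    - ('gpo_edit_burst', subject, n_gpos) when one account edits at least
      burst_threshold distinct GPOs within burst_window (any account).
    """
    alerts = []
    edits_by_subject = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["EventID"] != GPO_MODIFIED_EVENT or ev.get("ObjectClass") != GPO_OBJECT_CLASS:
            continue
        if ev.get("AttributeLDAPDisplayName") not in WATCHED_ATTRIBUTES:
            continue
        subject = ev.get("SubjectUserName", "")
        edits_by_subject[subject].append(ev)
        if subject not in AUTHORISED_EDITORS:
            alerts.append(("unauthorised_gpo_edit", subject, ev["ObjectDN"],
                           ev["AttributeLDAPDisplayName"]))
    # Burst detection: a sliding window over each account's edits, counting distinct GPOs.
    for subject, events in edits_by_subject.items():
        events.sort(key=lambda e: e["Time"])
        for i, first in enumerate(events):
            window = [e for e in events[i:] if e["Time"] - first["Time"] <= burst_window]
            gpos = {e["ObjectDN"] for e in window}
            if len(gpos) >= burst_threshold:
                alerts.append(("gpo_edit_burst", subject, len(gpos)))
                break
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_gpo_edits(SAMPLE_EVENTS):
        print(alert)
```

The burst rule matters independently of the allowlist: a compromised administrator account passes the allowlist check, so several GPOs being changed within minutes is the signal worth paging on in either case.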

Further analysis showed that the ransomware uses the Bring Your Own Vulnerable Driver technique for privilege escalation and to disable security software, and combines symmetric and asymmetric cryptography to protect its encryption keys. Each file's encryption key and nonce are themselves encrypted and prepended to that file, so decryption is unlikely without the attackers' private key, researchers added.
