On February 9, 2025, Makai Memorial Hospital in Taiwan suffered a crippling ransomware attack that spanned multiple days, disrupting operations and encrypting critical patient data. The attack, attributed to the Hunter Ransom Group and its CrazyHunter ransomware, affected over 600 computers and led to an emergency response from the Ministry of Health and Welfare. The attackers infiltrated the hospital's network, leveraged Active Directory (AD) misconfigurations, and used Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques to escalate privileges and distribute the ransomware via Group Policy Objects (GPOs).

This attack highlights the vulnerabilities in healthcare institutions and the critical need for robust, proactive cybersecurity protections. At ThreatSTOP, we’ve been tracking this malware since September 2024 under our ACTIVEDM "Active Malware" Target category. Our intelligence had already provided preventative coverage of domains associated with this campaign, including tianyinsoft[dot]top, long before the attack on Makai Hospital occurred.

Understanding the Attack

The CrazyHunter ransomware attack followed a familiar but devastating pattern:

  • Initial Access: The attackers compromised the hospital’s Active Directory infrastructure, exploiting weak passwords and leveraging SharpGPOAbuse to push malware through GPOs.

  • Privilege Escalation: Using BYOVD techniques, they executed malicious drivers, such as a modified Zemana anti-malware driver, to escalate privileges and bypass security controls.

  • Lateral Movement & Encryption: The malware propagated across the hospital's network, encrypting files and demanding ransom for decryption keys.

  • Extortion: The threat actors claimed to have stolen patient data, although forensic analysis later suggested these claims were false.

While the hospital’s rapid response teams managed to contain the damage, the incident underscores the need for preventative protection over reactive defense.

How ThreatSTOP Protects Against Ransomware Like CrazyHunter

ThreatSTOP’s Protective DNS solutions, including DNS Defense Cloud and DNS Defense, prevent infections by blocking malicious domains before they can deliver ransomware payloads. Our protections proactively disrupt malware campaigns at multiple stages:

  • Command & Control Disruption: ThreatSTOP blocks connections to known ransomware C2 infrastructure, preventing infected machines from retrieving encryption keys or executing further attacks.

  • Malicious Software Prevention: Our intelligence-driven ACTIVEDM protections ensure threats like CrazyHunter are mitigated before ransomware spreads.

  • Granular Policy Controls: Customers can enforce DNS-based security controls, restricting unauthorized communication channels exploited by ransomware operators.

For organizations that require additional network-layer protections, IP Defense extends ThreatSTOP’s intelligence to firewalls, routers, and intrusion prevention systems (IPS). This allows enterprises to block malicious IP addresses associated with ransomware operators, mitigating risks across all connected devices.

Lessons from the Makai Hospital Attack

The healthcare sector continues to be a prime target for ransomware attacks due to its reliance on outdated systems, intricate network architectures, and the sensitive nature of patient data. The CrazyHunter incident serves as a stark reminder for all organizations to thoroughly assess their security measures. Here’s what we recommend:

  • Adopt Protective DNS: Blocking malicious domains before connections occur is the simplest and most effective way to prevent ransomware infections. Integrate real-time threat intelligence, like ThreatSTOP’s ACTIVEDM feeds, to preemptively block known malware domains and C2 infrastructure.

  • Secure Active Directory: Regularly audit AD permissions, enforce multi-factor authentication, and monitor for anomalous GPO modifications.

  • Network Segmentation: Limit lateral movement by segmenting critical hospital systems from administrative and general-use networks.
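As an added example (not ThreatSTOP code and not part of the original post), the following Python script applies the IOCs published at the end of this post to DNS query logs: it refangs the defanged indicators, matches the C2 domain and any subdomain of it without substring false positives, and flags answers that resolve to the listed IP addresses. The log line format and the sample lines are constructed for illustration.

```python
"""Match DNS query log lines against the CrazyHunter indicators listed on this page.

Added example, not ThreatSTOP code. The log format and sample lines are
constructed; the indicators are the ones published in the IOCs section.
"""
import re

# Indicators from the page, kept in their defanged form and refanged in code.
DEFANGED_DOMAINS = ["tianyinsoft[dot]top", "tianyinsoft[.]top"]
IOC_IPS = {"163.181.22.245", "139.9.248.128", "163.181.22.246"}


def refang(indicator: str) -> str:
    """Turn '[dot]' or '[.]' back into '.', lower-case, drop a trailing dot."""
    return re.sub(r"\[(?:dot|\.)\]", ".", indicator, flags=re.I).lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def domain_matches(qname: str) -> bool:
    """True if qname is an IOC domain or a subdomain of one (label-aware, not substring)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


# Constructed log format: "<ts> client=<ip> qname=<name> qtype=<type> answer=<ip|->"
LOG_RE = re.compile(r"client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=\S+ answer=(?P<answer>\S+)")


def scan(lines):
    """Return (client, qname, reason) for every line that hits an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        if domain_matches(m["qname"]):
            hits.append((m["client"], m["qname"], "ioc-domain"))
        elif m["answer"] in IOC_IPS:  # resolved to a listed IP via some other name
            hits.append((m["client"], m["qname"], "ioc-ip"))
    return hits


SAMPLE_LOG = [  # constructed sample lines
    "2025-02-09T03:14:07Z client=10.20.0.15 qname=tianyinsoft.top qtype=A answer=163.181.22.245",
    "2025-02-09T03:14:09Z client=10.20.0.15 qname=update.tianyinsoft.top. qtype=A answer=-",
    "2025-02-09T03:15:00Z client=10.20.0.22 qname=nottianyinsoft.top qtype=A answer=93.184.216.34",
    "2025-02-09T03:16:30Z client=10.20.0.31 qname=cdn.example.net qtype=A answer=139.9.248.128",
    "2025-02-09T03:17:00Z client=10.20.0.40 qname=ncmep.org qtype=A answer=-",
]

if __name__ == "__main__":
    for client, qname, reason in scan(SAMPLE_LOG):
        print(f"{reason}: {client} queried {qname}")
```

The ncmep[.]org lookup is deliberately not on the block list, matching the assessment at the end of this post that it is unrelated to the C2 channel.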

With cybercriminals continuously evolving their tactics, protection must be proactive, not reactive. ThreatSTOP’s intelligence-driven security solutions ensure organizations remain ahead of emerging threats like CrazyHunter.

Connect with Customers, Disconnect from Risks

For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers! Get started with a Demo today!

IOCs:

tianyinsoft[dot]top
163.181.22.245
139.9.248.128
163.181.22.246

MITRE ATT&CK Framework breakdown (Tactic / Technique / Technique ID / Description):

Initial Access (TA0001)
  • Valid Accounts: Domain Accounts (T1078.002): Attackers compromised Active Directory accounts using weak passwords.
  • Phishing (T1566): Potential initial access method, though not explicitly confirmed in this attack.

Execution (TA0002)
  • User Execution: Malicious File (T1204.002): Ransomware payload was executed once attackers had access.

Persistence (TA0003)
  • Domain Policy Modification (T1484.001): Attackers used SharpGPOAbuse to push malware via Group Policy Objects (GPOs).

Privilege Escalation (TA0004)
  • Exploitation for Privilege Escalation (T1068): Used Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques with a modified Zemana driver.

Defense Evasion (TA0005)
  • Code Signing (T1553.002): Malicious drivers were signed to bypass security controls.
  • Masquerading (T1036): Ransomware disguised itself as a legitimate process.

Credential Access (TA0006)
  • Credential Dumping (T1003): Attackers likely extracted credentials to move laterally within the network.

Discovery (TA0007)
  • Remote System Discovery (T1018): Attackers identified accessible systems within the network.

Lateral Movement (TA0008)
  • Remote Services (T1021): Used compromised AD credentials and GPOs to spread malware.

Impact (TA0040)
  • Data Encrypted for Impact (T1486): Files across 600+ hospital systems were encrypted.
  • Data Destruction (T1485): Attackers may have deleted backups or system logs.
  • Network Denial of Service (T1498): Hospital operations were disrupted for multiple days.

Command & Control (TA0011)
  • Application Layer Protocol (T1071): Malware connected to tianyinsoft[.]top for C2 communication.

The malware also performs a DNS lookup for "ncmep[.]org", but this appears to be unrelated to the C2 channel and may be a connectivity check.