<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><span>On February 9, 2025, Makai Memorial Hospital in Taiwan <a href="https://www.ithome.com.tw/news/167327" rel="noopener" target="_blank">suffered a crippling ransomware attack</a> that spanned multiple days, disrupting operations and encrypting critical patient data. The attack, attributed to the Hunter Ransom Group and its CrazyHunter ransomware, affected over 600 computers and led to an emergency response from the Ministry of Health and Welfare. The attackers infiltrated the hospital's network, leveraged Active Directory (AD) misconfigurations, and used Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques to escalate privileges and distribute the ransomware via Group Policy Objects (GPOs).</span></p> <p><span>This attack highlights the vulnerabilities in healthcare institutions and the critical need for robust, proactive cybersecurity protections. At ThreatSTOP, we’ve been tracking this malware since September 2024 under our <span style="font-weight: bold;">ACTIVEDM "Active Malware"</span> Target category. 
Our intelligence identified preventative coverage of domains associated with this campaign, including </span><span><strong>tianyinsoft[dot]top</strong></span><span>, long before the attack on Makai Hospital occurred.</span></p> <h3><span><strong>Understanding the Attack</strong></span></h3> <p><span>The CrazyHunter ransomware attack followed a familiar but devastating pattern:</span></p> <ul data-spread="false"> <li> <p><span><strong>Initial Access:</strong></span><span> The attackers compromised the hospital’s Active Directory infrastructure, exploiting weak passwords and leveraging SharpGPOAbuse to push malware through GPOs.</span></p> </li> <li> <p><span><strong>Privilege Escalation:</strong></span><span> Using BYOVD techniques, they executed malicious drivers, such as a modified Zemana anti-malware driver, to escalate privileges and bypass security controls.</span></p> </li> <li> <p><span><strong>Lateral Movement &amp; Encryption:</strong></span><span> The malware propagated across the hospital's network, encrypting files and demanding ransom for decryption keys.</span></p> </li> <li> <p><span><strong>Extortion:</strong></span><span> The threat actors claimed to have stolen patient data, although forensic analysis later suggested these claims were false.</span></p> </li> </ul> <p><span>While the hospital’s rapid response teams managed to contain the damage, the incident underscores the need for </span><span><strong>preventative protection over reactive defense</strong></span><span>.</span></p> <h3><span><strong>How ThreatSTOP Protects Against Ransomware Like CrazyHunter</strong></span></h3> <p><span>ThreatSTOP’s </span><span><strong>Protective DNS</strong></span><span> solutions, including </span><span><strong>DNS Defense Cloud</strong></span><span> and </span><span><strong>DNS Defense</strong></span><span>, prevent infections by blocking malicious domains before they can deliver ransomware payloads. 
Our protections proactively disrupt malware campaigns at multiple stages:</span></p> <ul data-spread="false"> <li> <p><span><strong>Command &amp; Control Disruption:</strong></span><span> ThreatSTOP blocks connections to known </span><span><strong>ransomware C2 infrastructure</strong></span><span>, preventing infected machines from retrieving encryption keys or executing further attacks.</span></p> </li> <li> <p><span><strong>Malicious Software Prevention:</strong></span><span> Our intelligence-driven </span><span><strong>ACTIVEDM</strong></span><span> protections ensure threats like CrazyHunter are </span><span>mitigated before ransomware spreads.</span></p> </li> <li> <p><span><strong>Granular Policy Controls:</strong></span><span> Customers can enforce DNS-based security controls, restricting unauthorized communication channels exploited by ransomware operators.</span></p> </li> </ul> <p><span>For organizations that require additional network-layer protections, </span><span><strong>IP Defense</strong></span><span> extends ThreatSTOP’s intelligence to </span><span><strong>firewalls, routers, and intrusion prevention systems (IPS)</strong></span><span>. This allows enterprises to block malicious IP addresses associated with ransomware operators, mitigating risks across all connected devices.</span></p> <h3><span><strong>Lessons from the Makai Hospital Attack</strong></span></h3> <p><span>The healthcare sector continues to be a prime target for ransomware attacks due to its reliance on outdated systems, intricate network architectures, and the sensitive nature of patient data. The CrazyHunter incident serves as a stark reminder for all organizations to thoroughly assess their security measures. Here’s what we recommend:</span></p> <ul data-spread="false"> <li> <p><span><strong>Adopt Protective DNS:</strong></span><span> Blocking malicious domains before connections occur is the simplest and most effective way to prevent ransomware infections. 
Integrate real-time threat intelligence, like ThreatSTOP’s ACTIVEDM feeds, to preemptively block known malware domains and C2 infrastructure.</span></p> </li> <li> <p><span><strong>Secure Active Directory:</strong></span><span> Regularly audit AD permissions, enforce multi-factor authentication, and monitor for anomalous GPO modifications.</span></p> </li> <li> <p><span><strong>Network Segmentation:</strong></span><span> Limit lateral movement by segmenting critical hospital systems from administrative and general-use networks.</span></p> </li> </ul> <p><span>With cybercriminals continuously evolving their tactics, </span><span><strong>protection must be proactive, not reactive</strong></span><span>. ThreatSTOP’s intelligence-driven security solutions ensure organizations remain ahead of emerging threats like CrazyHunter.</span></p> <h3><span><strong>Connect with Customers, Disconnect from Risks</strong></span></h3> <p><span>For those interested in joining the ThreatSTOP family, or to learn more about our </span><span><strong>proactive protections</strong></span><span> for all environments, we invite you to visit our </span><span><a disabled>product page</a></span><span>. Discover how our solutions can make a significant difference in your digital security landscape. </span><span><strong>We have pricing for all sizes of customers! 
Get started with a Demo today!</strong></span></p> <p style="font-weight: bold;">IOCs:</p> <p><span><strong>tianyinsoft[dot]top<br>163.181.22.245<br>139.9.248.128<br>163.181.22.246<br></strong></span></p> <p><span><strong>MITRE ATT&amp;CK Framework breakdown:</strong></span></p> <div data-hs-responsive-table="true" style="overflow-x: auto; max-width: 100%; width: 773px; margin-left: auto; margin-right: auto;"> <table style="border-collapse: collapse; table-layout: fixed; border: 2px solid #000000;"> <thead> <tr> <th> <p><strong>Tactic</strong></p> </th> <th> <p><strong>Technique</strong></p> </th> <th> <p><strong>Technique ID</strong></p> </th> <th> <p><strong>Description</strong></p> </th> </tr> </thead> <tbody>
<tr> <td style="padding: 2px;"> <p><strong>Initial Access</strong><span> (TA0001)</span></p> </td> <td style="padding: 2px;"> <p>Valid Accounts - Domain Accounts</p> </td> <td style="padding: 2px;"> <p>T1078.002</p> </td> <td style="padding: 2px;"> <p>Attackers compromised Active Directory accounts using weak passwords.</p> </td> </tr>
<tr> <td style="padding: 2px;">&nbsp;</td> <td style="padding: 2px;"> <p>Phishing</p> </td> <td style="padding: 2px;"> <p>T1566</p> </td> <td style="padding: 2px;"> <p>Potential initial access method, though not explicitly confirmed in this attack.</p> </td> </tr>
<tr> <td style="padding: 2px;"> <p><strong>Execution</strong><span> (TA0002)</span></p> </td> <td style="padding: 2px;"> <p>User Execution - Malicious File</p> </td> <td style="padding: 2px;"> <p>T1204.002</p> </td> <td style="padding: 2px;"> <p>Ransomware payload was executed once attackers had access.</p> </td> </tr>
<tr> <td style="padding: 2px;"> <p><strong>Persistence</strong><span> (TA0003)</span></p> </td> <td style="padding: 2px;"> <p>Domain Policy Modification</p> </td> <td style="padding: 2px;"> <p>T1484.001</p> </td> <td style="padding: 2px;"> <p>Attackers used <span><strong>SharpGPOAbuse</strong></span> to push malware via Group Policy Objects (GPOs).</p> </td> </tr>
<tr> <td style="padding: 2px;"> <p><strong>Privilege Escalation</strong><span> (TA0004)</span></p> </td> <td style="padding: 2px;"> <p>Exploitation for Privilege Escalation</p> </td> <td style="padding: 2px;"> <p>T1068</p> </td> <td style="padding: 2px;"> <p>Used Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques with a modified Zemana driver.</p> </td> </tr>
<tr> <td style="padding: 2px;"> <p><strong>Defense Evasion</strong><span> (TA0005)</span></p> </td> <td style="padding: 2px;"> <p>Code Signing</p> </td> <td style="padding: 2px;"> <p>T1553.002</p> </td> <td style="padding: 2px;"> <p>Malicious drivers were signed to bypass security controls.</p> </td> </tr>
<tr> <td style="padding: 2px;">&nbsp;</td> <td style="padding: 2px;"> <p>Masquerading</p> </td> <td style="padding: 2px;"> <p>T1036</p> </td> <td style="padding: 2px;"> <p>Ransomware disguised itself as a legitimate process.</p> </td> </tr>
<tr> <td style="padding: 2px;"> <p><strong>Credential Access</strong><span> (TA0006)</span></p> </td> <td style="padding: 2px;"> <p>Credential Dumping</p> </td> <td style="padding: 2px;"> <p>T1003</p> </td> <td style="padding: 2px;"> <p>Attackers likely extracted credentials to move laterally within the network.</p> </td> </tr>
<tr> <td style="padding: 2px;"> <p><strong>Discovery</strong><span> (TA0007)</span></p> </td> <td style="padding: 2px;"> <p>Remote System Discovery</p> </td> <td style="padding: 2px;"> <p>T1018</p> </td> <td style="padding: 2px;"> <p>Attackers identified accessible systems within the network.</p> </td> </tr>
<tr> <td style="padding: 2px;"> <p><strong>Lateral Movement</strong><span> (TA0008)</span></p> </td> <td style="padding: 2px;"> <p>Remote Services</p> </td> <td style="padding: 2px;"> <p>T1021</p> </td> <td style="padding: 2px;"> <p>Used compromised AD credentials and GPOs to spread malware.</p> </td> </tr>
<tr> <td style="padding: 2px;"> <p><strong>Impact</strong><span> (TA0040)</span></p> </td> <td style="padding: 2px;"> <p>Data Encrypted for Impact</p> </td> <td style="padding: 2px;"> <p>T1486</p> </td> <td style="padding: 2px;"> <p>Files across 600+ hospital systems were encrypted.</p> </td> </tr>
<tr> <td style="padding: 2px;">&nbsp;</td> <td style="padding: 2px;"> <p>Data Destruction</p> </td> <td style="padding: 2px;"> <p>T1485</p> </td> <td style="padding: 2px;"> <p>Attackers may have deleted backups or system logs.</p> </td> </tr>
<tr> <td style="padding: 2px;">&nbsp;</td> <td style="padding: 2px;"> <p>Network Denial of Service</p> </td> <td style="padding: 2px;"> <p>T1498</p> </td> <td style="padding: 2px;"> <p>Hospital operations were disrupted for multiple days.</p> </td> </tr>
<tr> <td style="padding: 2px;"> <p><strong>Command &amp; Control</strong><span> (TA0011)</span></p> </td> <td style="padding: 2px;"> <p>Application Layer Protocol</p> </td> <td style="padding: 2px;"> <p>T1071</p> </td> <td style="padding: 2px;"> <p>Malware connected to <span><strong>tianyinsoft[dot]top</strong></span> for C2 communication.</p> </td> </tr>
</tbody> </table> </div> <p>The malware also performs a DNS lookup for "ncmep[dot]org"; this appears to be unrelated and may be a connectivity check.</p></span>
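The IOCs listed above, turned into a retrospective hunt over resolver and firewall logs (example code added for this edit, not ThreatSTOP's product or anything from the post): it refangs the published indicators, matches DNS queries against the C2 domain and its subdomains the way a protective-DNS policy would, matches outbound connections against the listed IPs, and leaves the unrelated ncmep[dot]org lookup unflagged. The key=value log format, client names and sample lines are constructed assumptions.

```python
import ipaddress
import re

# Indicators published in the post above, kept in their defanged form.
PUBLISHED_IOCS = ["tianyinsoft[dot]top", "tianyinsoft[.]top",
                  "163.181.22.245", "139.9.248.128", "163.181.22.246"]

def refang(ioc):
    """Turn a defanged indicator ([dot] or [.]) back into a matchable value."""
    return re.sub(r"\[(?:dot|\.)\]", ".", ioc.strip().lower())

def build_blocklist(iocs):
    """Split indicators into a domain set and an IP set, deduplicated after refanging."""
    domains, ips = set(), set()
    for value in map(refang, iocs):
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:  # not an IP literal, so it is a domain
            domains.add(value.rstrip("."))
    return domains, ips

def matched_domain(qname, domains):
    """Return the listed domain that qname equals or sits under (RPZ-style), else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in domains:
            return ".".join(labels[i:])
    return None

def hunt(log_lines, domains, ips):
    """Return (client, indicator) pairs for log lines that touch the blocklist."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        client = fields.get("client", "?")
        if fields.get("type") == "dns":
            hit = matched_domain(fields.get("qname", ""), domains)
            if hit:
                hits.append((client, hit))
        elif fields.get("type") == "conn" and fields.get("dst") in ips:
            hits.append((client, fields["dst"]))
    return hits
# Constructed sample telemetry in an assumed key=value format (not from the incident).
SAMPLE_LOGS = [
    "type=dns client=ws-042 qname=tianyinsoft.top",
    "type=dns client=ws-042 qname=cdn.TIANYINSOFT.top.",  # subdomain, mixed case, FQDN dot
    "type=dns client=ws-017 qname=ncmep.org",             # unrelated lookup noted in the post
    "type=conn client=ws-042 dst=163.181.22.245 dport=443",
    "type=conn client=ws-099 dst=8.8.8.8 dport=53",
]
```

Running `hunt(SAMPLE_LOGS, *build_blocklist(PUBLISHED_IOCS))` reports only ws-042, for the domain (twice) and the IP; the lookup for ncmep.org is left alone.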