The CrazyHunter ransomware attack on Makai Hospital

On February 9, 2025, Makai Memorial Hospital in Taiwan became the latest victim of a devastating ransomware campaign orchestrated by the Hunter Ransom Group. The attack, which leveraged the CrazyHunter ransomware, disrupted critical healthcare services, encrypted over 600 systems, and highlighted systemic vulnerabilities in healthcare cybersecurity. Below, we dissect the attack chain, map the TTPs (Tactics, Techniques, and Procedures), and outline actionable lessons for defenders.

Attack overview

The attackers exploited weaknesses in Makai Hospital’s Active Directory (AD) infrastructure, combining credential compromise, Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques, and Group Policy Object (GPO) abuse to propagate ransomware across the network. Key stages included:

1. Initial Access:
   • Compromised AD accounts via weak passwords, enabling lateral movement.
   • Potential phishing vectors (T1566), though unconfirmed.
2. Privilege Escalation & Defense Evasion:
   • Deployed a modified Zemana anti-malware driver (BYOVD) to bypass security controls (T1553.002).
   • Utilized SharpGPOAbuse to push malicious payloads via GPOs (T1484.001).
3. Lateral Movement & Impact:
   • Encrypted files across 600+ systems using AES-256 and RSA-2048.
   • Threatened data exfiltration (later deemed false by forensic teams).

Critical Vulnerabilities Exploited

1. Unsecured Active Directory:
   • Lack of MFA and poor password hygiene allowed rapid lateral movement.
   • GPOs became a vector for ransomware distribution.
2. Inadequate Network Segmentation:
   • Flat network architecture enabled attackers to traverse critical systems unimpeded.
3. Legacy Systems & Misconfigurations:
   • Outdated software and unpatched vulnerabilities facilitated privilege escalation.

Defensive strategies & recommendations

For organizations in healthcare and other high-risk sectors, the following measures are critical:

1. Harden Active Directory

• Enforce MFA for all domain accounts.
• Conduct regular AD audits to identify misconfigured GPOs or excessive privileges.
• Monitor for anomalous GPO changes using tools like Microsoft Advanced Threat Analytics.

2. Adopt protective DNS solutions

• Deploy ThreatSTOP’s DNS Defense to block malicious domains like tianyinsoft[.]top preemptively.
• Integrate threat intelligence feeds (e.g., ACTIVEDM) to disrupt C2 communications.

3. Implement network segmentation

• Isolate critical systems (e.g., patient databases, imaging systems) from general networks.
• Use micro-segmentation to limit lateral movement.

4. BYOVD mitigation

• Restrict driver installation to signed, trusted publishers via Windows Defender Application Control.
• Monitor for unusual kernel-mode driver activity.

5. Proactive threat hunting

• Hunt for indicators such as:
  • IOCs: 163.181.22.245, 139.9.248.128, ncmep[.]org (connectivity check).
  • Unexpected GPO modifications or AD credential dumping (e.g., Mimikatz artifacts).