KD Panels Reportedly Targeted by Crazyhunter Ransomware Attack

KD Panels, a manufacturing firm specializing in industrial control systems, has reportedly become the latest victim of the Crazyhunter ransomware group, according to a dark web monitoring alert by Dark Web Informer.

The cybercriminals have demanded a $1 million ransom in cryptocurrency, threatening to leak sensitive data and disrupt operations through distributed denial-of-service (DDoS) attacks if unpaid.

This incident follows Crazyhunter’s recent targeting of Taiwanese hospitals and marks their expansion into critical infrastructure sectors.

Attack Methodology and Technical Details

The breach leveraged Crazyhunter’s signature three-dimensional data annihilation system, which combines:

  • Advanced AES-256 and RSA-4096 encryption for file locking
  • Blockchain-based transaction tracking to log decryption promises
  • Data destruction mechanisms targeting backups and shadow copies

Initial access is suspected to involve phishing campaigns or exploitation of unpatched vulnerabilities in KD Panels’ Oracle WebLogic servers, a vector previously observed in Hunters International ransomware attacks.

Once inside, attackers performed credential dumping using Mimikatz and moved laterally through the network via Server Message Block (SMB) and Remote Desktop Protocol (RDP).

Crazyhunter deployed Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques to disable endpoint detection systems before executing the ransomware payload.

The malware propagated through Group Policy Objects (GPOs), encrypting files across Windows and Linux systems.
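The "data destruction mechanisms targeting backups and shadow copies" described above are the behaviour a defender most wants to catch before encryption starts. The following is an added detection example, not code from the article or from any vendor named in it: it runs a small set of rules over constructed process-creation events (Sysmon Event ID 1 style fields, simplified) and flags commands that inhibit system recovery. The event records, host names and user names are made up for the example; the command patterns are the well-known recovery-inhibition commands covered by MITRE ATT&CK T1490, not anything specific to this incident.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (Sysmon Event ID 1 style fields, simplified).
# These are sample records written for this example, not telemetry from the incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic shadowcopy delete"},
    {"host": "srv02", "user": "CORP\\backupsvc", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe list shadows"},
    {"host": "srv02", "user": "CORP\\admin", "image": r"C:\Windows\System32\bcdedit.exe",
     "command_line": "bcdedit /set {default} recoveryenabled No"},
    {"host": "ws03", "user": "CORP\\asmith", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe report.txt"},
]

# Detection rules for backup / recovery inhibition (MITRE ATT&CK T1490).
# Listing shadow copies is benign administration and is deliberately not matched.
RULES = [
    ("vss_delete_vssadmin", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_delete_wmic", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_recovery_off", re.compile(r"bcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    command_line: str


def detect_recovery_inhibition(events):
    """Return one Alert per event whose command line matches a recovery-inhibition rule."""
    alerts = []
    for ev in events:
        cmd = ev.get("command_line", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append(Alert(name, ev["host"], ev["user"], cmd))
                break  # one alert per event is enough; the first matching rule wins
    return alerts


if __name__ == "__main__":
    for a in detect_recovery_inhibition(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host} {a.user}: {a.command_line}")
```

In a real deployment these rules would be expressed in the SIEM's own language (Sigma, KQL, SPL) and correlated with the account and host: a backup service account listing shadow copies on a backup server is routine, while a workstation user deleting all of them is a strong pre-encryption signal worth an automated isolation response.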

Operational Impact and Extortion Tactics

The attack disrupted KD Panels’ supervisory control and data acquisition (SCADA) systems, forcing temporary shutdowns of production lines.

Crazyhunter’s dark web leak site claims exfiltration of 450 GB of data, including:

  • Blueprints for industrial control panels
  • Client contracts with energy sector operators
  • Employee personally identifiable information (PII)

The group employs triple extortion tactics:

  1. Encryption of critical operational data
  2. Threat of publishing intellectual property
  3. DDoS attacks targeting client portals

Industry Response and Mitigation Strategies

Cybersecurity firm Treadstone 71 confirmed the attackers’ use of Cobalt Strike beacons for command-and-control (C2) communications and identified the ransom wallet address (bc1qcrazyhunter9z4vxw6) on the Bitcoin blockchain.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory recommending:

Mitigation Measure                                      Implementation Priority
Network segmentation of OT/IT systems                   Critical
Application allowlisting for industrial software        High
Multi-factor authentication (MFA) for RDP/SMB           High
Daily offline backups with cryptographic verification   Critical
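The "cryptographic verification" in the last row of the table is what turns an offline backup into one you can trust after an intrusion that, as described earlier in this article, deliberately destroys backups. The following added example (not code from CISA, from the article, or from any vendor named in it) shows one way to do it: a manifest of SHA-256 file hashes is built when the backup is taken, the manifest itself is authenticated with an HMAC so that an attacker who reaches the backup media cannot silently rewrite it, and verification reports modified, missing and unexpected files. The key, directory layout and file contents are constructed for the demonstration; in practice the key lives on the offline verification host, never on the backup media.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _manifest_body(files: dict) -> bytes:
    # Canonical serialisation so the HMAC is stable across runs and platforms.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: Path, key: bytes) -> dict:
    """Record the hash of every file under root and sign the record with an HMAC."""
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"files": files, "hmac": hmac.new(key, _manifest_body(files), hashlib.sha256).hexdigest()}


def verify_backup(root: Path, manifest: dict, key: bytes) -> dict:
    """Check the manifest's authenticity first, then compare the backup tree against it."""
    expected = hmac.new(key, _manifest_body(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return {"ok": False, "manifest_tampered": True, "missing": [], "modified": [], "unexpected": []}
    current = {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*") if p.is_file()}
    recorded = manifest["files"]
    missing = sorted(set(recorded) - set(current))
    unexpected = sorted(set(current) - set(recorded))
    modified = sorted(f for f in set(current) & set(recorded) if current[f] != recorded[f])
    return {"ok": not (missing or unexpected or modified), "manifest_tampered": False,
            "missing": missing, "modified": modified, "unexpected": unexpected}


def demo() -> dict:
    """Walk through a clean check, a damaged backup, and a forged manifest on constructed data."""
    key = b"example-verification-key"  # constructed for the demo; use a real secret in practice
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "plc").mkdir()
        (root / "plc" / "line1.cfg").write_bytes(b"SET_POINT=42\n")  # constructed sample content
        (root / "hmi.db").write_bytes(b"\x00\x01\x02")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)

        # Simulate ransomware overwriting one file and deleting another.
        (root / "plc" / "line1.cfg").write_bytes(b"ENCRYPTED")
        (root / "hmi.db").unlink()
        damaged = verify_backup(root, manifest, key)

        # Simulate an attacker editing the manifest to hide the overwrite: the hash entry
        # now matches the damaged file, but the HMAC no longer matches the manifest.
        forged = {"files": dict(manifest["files"]), "hmac": manifest["hmac"]}
        forged["files"]["plc/line1.cfg"] = sha256_file(root / "plc" / "line1.cfg")
        tampered = verify_backup(root, forged, key)
    return {"clean": clean, "damaged": damaged, "tampered": tampered}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, json.dumps(result))
```

The manifest should be generated on the backup host at backup time and verified on a separate, offline machine before a restore is attempted; a backup whose manifest fails the HMAC check is treated as untrusted even if every file hash happens to match.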

Broader Ransomware Landscape

This attack aligns with a 67% YoY increase in ransomware incidents targeting manufacturing, as tracked by Comparitech.

Recent high-profile cases include:

  • CDK Global’s $25 million ransom payment to Eastern European attackers
  • Schneider Electric’s breach by the Hellcat group demanding payment in baguettes
  • Makai Memorial Hospital’s infrastructure compromise through Active Directory exploits

Crazyhunter’s operational shift from healthcare to industrial targets suggests refined targeting of organizations with hybrid IT/OT environments.

The group’s dark web manifesto emphasizes “mathematical precision in encryption” and claims a 92% decryption success rate for paying victims.

Legal and Ethical Considerations

The U.S. Department of Justice has added Crazyhunter to its Cyber Most Wanted list, offering a $10 million reward for information leading to the group’s identification.

However, blockchain-anonymized ransom payments complicate forensic tracking, raising debates about cryptocurrency regulation in critical infrastructure sectors.

As of March 17, 2025, KD Panels has not publicly confirmed payment negotiations.

The company has engaged incident response teams from CrowdStrike and Palo Alto Networks to contain the breach while maintaining partial operations through air-gapped backup systems.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
