
Prince Ransomware: Open-Source Builder Released Freely on GitHub


The cybersecurity landscape witnessed a significant incident with the Mackay Memorial Hospital ransomware attack in Taiwan, highlighting the growing threat posed by open-source tools.

The ransomware encryptor used in this attack, dubbed “CrazyHunter,” was built using the “Prince Ransomware” builder, an open-source tool freely available on GitHub.

This development underscores the increasing accessibility of sophisticated ransomware creation tools to threat actors, enabling even low-skilled attackers to execute complex operations.

Technical Analysis and Incident Overview

The Mackay Memorial Hospital attack began on February 9, 2025, when a threat actor gained initial access through a USB device inserted into the hospital’s network by a staff member.

This physical initial access vector (IAV) is rare but demonstrates the vulnerability of unprotected USB ports in critical systems.

After infiltrating the network, the attacker moved laterally across two branches, Taipei and Tamsui, encrypting over 600 devices and crippling vital systems, including access to patient data.

Analysis of malware artifacts revealed that the attack relied on a batch script (“ru.bat”) to automate malicious actions.

The script executed multiple files, including “crazyhunter.exe,” a ransomware encryptor created with the Prince Ransomware builder.

The builder uses the ChaCha20 stream cipher together with ECIES (Elliptic Curve Integrated Encryption Scheme) for file encryption, making recovery exceedingly difficult.

Each file is encrypted with a unique ChaCha20 key and nonce, which are then encrypted using ECIES public keys and appended to the file header.

The Prince Ransomware builder’s availability on GitHub has facilitated its use in various ransomware variants beyond CrazyHunter, such as Black (Prince), Wenda, and UwU.

These variants differ primarily in their file extensions and ransom notes, which can be customized within the builder’s configuration file.

Figure: Ransom note left by CrazyHunter

According to the researchers, this ease of customization allows threat actors to deploy new ransomware brands with minimal effort.

Defense Evasion and Lateral Movement Tactics

The attacker employed advanced defense evasion techniques using vulnerable drivers—a method known as “Bring Your Own Vulnerable Driver” (BYOVD).

Specifically, executables like “go.exe” and “go2.exe” loaded a compromised Zemana Anti-Logger kernel driver (“zam64.sys”) to disable antivirus tools such as Windows Defender and Trend Micro products.

This tactic grants kernel-level privileges for executing malicious code while impairing system defenses.
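As an added illustration of what a defender can do with the driver-loading detail above (this is not code from the article or from any tool it names): the following Python triages Sysmon Event ID 6 (DriverLoad) records for a known vulnerable driver name, a load from a user-writable path, and a signature state other than valid. The key=value log rendering, the sample records and the path list are constructed assumptions; only the driver name zam64.sys comes from the article, and since no hashes are given, matching is by file name.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for BYOVD indicators."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Driver file name the article ties to the CrazyHunter intrusion. The page gives
# no hashes, so this matches by name only; a production rule should also key on
# the driver's hash and signer.
VULNERABLE_DRIVER_NAMES = {"zam64.sys"}

# Assumption: a kernel driver loaded from one of these locations is suspicious
# regardless of its name, because legitimate drivers live under System32.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\",
)

# Regex for a flattened "Key=Value Key2=Value2" record; values may contain spaces.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Finding:
    image_loaded: str
    reasons: List[str] = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Parse one flattened Sysmon record into a field dictionary."""
    return {k: v.strip() for k, v in _FIELD_RE.findall(line)}


def triage_driver_load(event: dict) -> Optional[Finding]:
    """Return a Finding for a DriverLoad event that matches any indicator."""
    if event.get("EventID") != "6":
        return None  # only DriverLoad events are examined here
    image = event.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in VULNERABLE_DRIVER_NAMES:
        reasons.append(f"known vulnerable driver name: {name}")
    if image.lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("driver loaded from user-writable path")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature status is not Valid")
    return Finding(image, reasons) if reasons else None


def triage_log(lines: List[str]) -> List[Finding]:
    """Run the DriverLoad check over a list of flattened records."""
    findings = [triage_driver_load(parse_event(ln)) for ln in lines]
    return [f for f in findings if f is not None]


# Constructed sample records (not real telemetry from the incident).
SAMPLE_LOG = [
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    "EventID=6 ImageLoaded=C:\\Users\\Public\\zam64.sys Signed=true Signature=Zemana Ltd. SignatureStatus=Valid",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c ru.bat",
]
```

Running `triage_log(SAMPLE_LOG)` yields one finding, for zam64.sys, with two reasons: the name is on the vulnerable-driver list and it was loaded from a user-writable path; a valid vendor signature on its own does not clear a driver.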

For lateral movement within the network, the attacker utilized SharpGPOAbuse, an open-source tool available on GitHub.

This tool exploits Group Policy Objects (GPO) to distribute malicious scripts across compromised systems during startup or user logon events.

Additionally, “file.exe,” another artifact found in the attack, was used for data exfiltration by turning the victim’s machine into a file server, or for monitoring files with specific extensions for deletion in order to hinder recovery efforts.

Figure: Command line arguments of “file.exe”

The Prince Ransomware builder represents a significant shift in cybercrime dynamics by lowering technical barriers for attackers.

Its open-source nature enables lone-wolf operators and small groups to execute sophisticated attacks without relying on established ransomware-as-a-service (RaaS) models or affiliates.

WithSecure reported that 38% of ransomware incidents in 2024 were unlinked to identifiable RaaS franchises, further indicating the rise of independent actors leveraging publicly available tools like Prince Ransomware.

While GitHub has since removed the repository hosting Prince Ransomware, snapshots of its code remain accessible online, perpetuating its use in future attacks.

The Mackay Memorial Hospital incident exemplifies how these tools can be weaponized against critical infrastructure with devastating consequences.

Organizations must adopt robust security measures to counter threats from open-source ransomware builders:

  • Implement endpoint protection and regularly update antivirus software.
  • Disable USB ports or scan devices for malware before use.
  • Enforce network segmentation and access controls to limit malware spread.
  • Continuously monitor system logs and network traffic for anomalies.

The Mackay Memorial Hospital attack serves as a stark reminder of how readily available offensive tools can empower threat actors globally while challenging attribution efforts due to their widespread use among independent operators.
