Threat Intelligence Report Mar 18th – Mar 24th, 2025

The Crazy Hunter ransomware attack exploited Active Directory misconfigurations and used Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques to escalate privileges, then distributed the ransomware through Group Policy Objects. Despite the attackers' claims of data exfiltration, forensic investigation found no supporting evidence. The attack caused significant operational disruption and highlighted the value of proactive threat intelligence.
Affected: Ransomware, Cybersecurity, Various Industries, Global Regions

Key points:

  • Attackers gained access through Active Directory misconfigurations and exploitation of weak passwords.
  • BYOVD techniques were used to escalate privileges by loading a modified Zemana driver.
  • Ransomware was distributed through Group Policy Objects, encrypting over 600 target systems.
  • Forensic analysis found no evidence for the attackers' claims of data exfiltration.
  • Red Piranha tracked domains related to the attack to thwart further malicious activities.
  • The United States is the most heavily affected country, followed by Canada and the UK.
  • The Business Services and Manufacturing sectors were notably targeted by ransomware incidents.

MITRE Techniques:

  • Valid Accounts – Domain Accounts (T1078.002): Exploited weak passwords to compromise Active Directory accounts.
  • User Execution – Malicious File (T1204.002): Executed the ransomware payload after gaining initial access.
  • Domain Policy Modification – Group Policy Modification (T1484.001): Leveraged Group Policy Objects (GPOs) to deploy the ransomware domain-wide.
  • Exploitation for Privilege Escalation (T1068): Used BYOVD with a modified Zemana driver for privilege escalation.
  • Subvert Trust Controls – Code Signing (T1553.002): Relied on signed drivers to evade detection.
  • Masquerading (T1036): Disguised the ransomware as a legitimate process.
  • OS Credential Dumping (T1003): Extracted credentials for lateral movement.
  • Remote System Discovery (T1018): Identified accessible systems to expand the attack.
  • Remote Services (T1021): Used compromised AD credentials for ransomware propagation.
  • Data Encrypted for Impact (T1486): Encrypted critical systems, causing severe operational disruptions.
  • Network Denial of Service (T1498): Caused service outages during the attack.
  • Application Layer Protocol (T1071): Connected to C2 domain tianyinsoft[.]top for command and control.

Indicators of Compromise:

  • [Domain] tianyinsoft[.]top (Confirmed C2 domain)
  • [Domain] ncmep[.]org (Likely connectivity check)
  • [IP Address] 163.181.22.245
  • [IP Address] 139.9.248.128
  • [IP Address] 163.181.22.246
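The key points above describe three observable stages (a vulnerable driver loaded for BYOVD, a payload pushed through a GPO's SYSVOL folder, and beaconing to the listed C2 infrastructure), and the IOC list gives the network indicators. The following is an added detection example written for this page; it is not Red Piranha's tooling or data. It runs over constructed Sysmon-style JSON-lines telemetry (Event IDs 6, 1, 22 and 3, with their real field names). Assumptions: the report only says "a modified Zemana driver", so the driver file names used here are the publicly documented Zemana AntiMalware driver names; the SYSVOL path pattern, the sample host names, the policy GUID and all sample events are made up for illustration.

```python
import json
import re
from typing import Callable, Dict, List, Optional, Tuple

# IOCs copied from the report (defanged as published); refanged at match time.
IOC_DOMAINS = {"tianyinsoft[.]top", "ncmep[.]org"}
IOC_IPS = {"163.181.22.245", "139.9.248.128", "163.181.22.246"}

# ASSUMPTION: the report only says "a modified Zemana driver"; these are the
# publicly documented Zemana AntiMalware driver file names. Match on the
# Sysmon Hashes field instead once the actual sample's hash is known.
VULNERABLE_DRIVER_NAMES = {"zam64.sys", "zamguard64.sys", "zamguard32.sys"}

# A GPO-pushed payload is staged under the policy's SYSVOL folder; anything
# executed from there (typically via gpscript.exe) deserves a look.
SYSVOL_POLICY_PATH = re.compile(
    r"\\\\[^\\]+\\sysvol\\[^\\]+\\policies\\\{[0-9a-f-]{36}\}\\", re.IGNORECASE
)


def refang(indicator: str) -> str:
    """tianyinsoft[.]top -> tianyinsoft.top so it can be compared with log data."""
    return indicator.replace("[.]", ".")


def check_driver_load(ev: dict) -> Optional[str]:
    """Sysmon Event ID 6 (DriverLoad). A known-vulnerable signed driver loaded
    from somewhere other than System32\\drivers is the BYOVD staging pattern."""
    image = ev.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    if name not in VULNERABLE_DRIVER_NAMES:
        return None
    staged = "\\system32\\drivers\\" not in image.lower()
    severity = "high" if staged else "medium"
    return f"[{severity}] BYOVD candidate {name} loaded from {image} (signer: {ev.get('Signature', '?')})"


def check_gpo_payload(ev: dict) -> Optional[str]:
    """Sysmon Event ID 1 (ProcessCreate). Flags executables launched from a
    GPO's SYSVOL policy folder; parent gpscript.exe means a GPO script ran it."""
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    if not (SYSVOL_POLICY_PATH.search(image) or SYSVOL_POLICY_PATH.search(cmd)):
        return None
    via_gpo = ev.get("ParentImage", "").lower().endswith("\\gpscript.exe")
    return f"[high] executable run from GPO SYSVOL path: {image} (via gpscript.exe: {via_gpo})"


def check_network_ioc(ev: dict) -> Optional[str]:
    """Sysmon Event ID 22 (DnsQuery) and 3 (NetworkConnect) against report IOCs."""
    domains = {refang(d) for d in IOC_DOMAINS}
    qname = ev.get("QueryName", "").lower()
    if qname in domains:
        return f"[high] DNS lookup of report IOC domain {qname}"
    answers = {a for a in ev.get("QueryResults", "").split(";") if a}
    hit = (answers | {ev.get("DestinationIp", "")}) & IOC_IPS
    if hit:
        return f"[high] resolution/connection to report IOC IP(s) {sorted(hit)}"
    return None


CHECKS: Dict[int, Callable[[dict], Optional[str]]] = {
    6: check_driver_load,
    1: check_gpo_payload,
    22: check_network_ioc,
    3: check_network_ioc,
}


def analyze(jsonl: str) -> List[Tuple[str, int, str]]:
    """Run every event through the check registered for its Sysmon Event ID."""
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        check = CHECKS.get(ev.get("EventID"))
        msg = check(ev) if check else None
        if msg:
            alerts.append((ev.get("Computer", "?"), ev["EventID"], msg))
    return alerts


# CONSTRUCTED sample telemetry (Sysmon fields as JSON lines); not data from the report.
SAMPLE_EVENTS = r"""
{"EventID": 6, "Computer": "WS-0417", "ImageLoaded": "C:\\Windows\\Temp\\zam64.sys", "Signed": "true", "Signature": "Zemana Ltd."}
{"EventID": 1, "Computer": "WS-0417", "Image": "\\\\corp.example\\SYSVOL\\corp.example\\Policies\\{4f2a9c1e-6b3d-4e8f-9a21-0c7d5e8b2a61}\\Machine\\Scripts\\Startup\\update.exe", "ParentImage": "C:\\Windows\\System32\\gpscript.exe", "CommandLine": "update.exe"}
{"EventID": 22, "Computer": "WS-0417", "QueryName": "tianyinsoft.top", "QueryResults": "163.181.22.245;"}
{"EventID": 3, "Computer": "WS-0417", "DestinationIp": "139.9.248.128", "DestinationPort": 443}
{"EventID": 6, "Computer": "DC-01", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signed": "true", "Signature": "Microsoft Windows"}
{"EventID": 22, "Computer": "DC-01", "QueryName": "update.microsoft.com", "QueryResults": "13.107.4.50;"}
"""

if __name__ == "__main__":
    for host, event_id, msg in analyze(SAMPLE_EVENTS):
        print(f"{host} EID{event_id}: {msg}")
```

The four WS-0417 events trigger one alert each; the two DC-01 events (a legitimate Microsoft driver and a benign DNS lookup) do not. The driver check deliberately rates a vulnerable driver sitting in System32\drivers lower than one loaded from a temp directory: the former may be a stale but legitimate install, the latter is how BYOVD payloads are staged. Name-based driver matching is only a starting point; once the report's sample is available, pivot to the hash in Sysmon's Hashes field, and feed the GPO alert into a review of recent GPO changes on the domain controllers.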


Full Story: https://redpiranha.net/news/threat-intelligence-report-march-18-march-24-2025