Hsinchu, Taiwan - March 3, 2025 - Taiwan MacKay Memorial Hospital was hit by a large-scale ransomware attack on February 9, 2025, severely impacting the emergency and outpatient systems of its Taipei and Tamsui campuses. Over 500 computers were encrypted, causing significant disruption to medical operations.

The attack began when an employee inserted a USB drive into an internal hospital computer, infecting it with the CrazyHunter ransomware. The malware uses the BYOVD (Bring Your Own Vulnerable Driver) technique: it loads zam64.sys, a legitimately signed but vulnerable Zemana AntiMalware driver, and abuses it to escalate to kernel privileges and disable endpoint protection (EDR). It then attempts to obtain Microsoft AD account privileges by guessing weak passwords. With endpoint protection disabled and domain credentials in hand, the ransomware was deployed at scale across the internal network, severely affecting the hospital's computers and systems.
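Because zam64.sys is a validly signed vendor driver, antivirus alone will usually not flag it; a responder has to look for the driver itself and for evidence that it was loaded. The script below is an added triage example written for this page (it is not Lionic's code) and should be run from an elevated PowerShell session on a suspected host. It assumes Sysmon, if installed, logs driver loads as Event ID 6 in its Operational channel, and that the VulnerableDriverBlocklistEnable registry value is present (Windows 11 22H2 or later, or Windows 10 with the 2022 blocklist update); the search roots are this example's choice.

```powershell
# Added example: hunt for the zam64.sys BYOVD driver named in the advisory.
$SuspectDriver = 'zam64.sys'
$Findings = New-Object System.Collections.Generic.List[object]

# 1. Is the driver registered as a kernel service, and is it currently loaded?
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ($_.PathName -like "*$SuspectDriver*") } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{
            Check  = 'KernelService'
            Detail = "$($_.Name) state=$($_.State) path=$($_.PathName)"
        })
    }

# 2. Is a copy of the driver file on disk? Search roots are an assumption; widen as needed.
$SearchRoots = @("$env:SystemRoot\System32\drivers", $env:ProgramData, $env:TEMP, "$env:USERPROFILE\Downloads")
foreach ($Root in $SearchRoots) {
    if (-not (Test-Path $Root)) { continue }
    Get-ChildItem -Path $Root -Filter $SuspectDriver -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $Sha1 = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash
            $Findings.Add([pscustomobject]@{
                Check  = 'DriverFileOnDisk'
                Detail = "$($_.FullName) sha1=$Sha1 signer=$($Sig.SignerCertificate.Subject) status=$($Sig.Status)"
            })
        }
}

# 3. Sysmon Event ID 6 (DriverLoad) records the load even if the driver was later unloaded.
$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'
if (Get-WinEvent -ListLog $SysmonLog -ErrorAction SilentlyContinue) {
    Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 6 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($SuspectDriver) } |
        ForEach-Object {
            $Lines = ($_.Message -split "`n" | Select-String -Pattern '^(ImageLoaded|Hashes|Signed|Signature):') -join '; '
            $Findings.Add([pscustomobject]@{ Check = 'SysmonDriverLoad'; Detail = "$($_.TimeCreated) $Lines" })
        }
}

# 4. Preventive control: Microsoft's vulnerable driver blocklist. Confirm it is enforced
#    (and check the published rule list for the specific Zemana hashes you care about).
$CiConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$Blocklist = (Get-ItemProperty -Path $CiConfig -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($Blocklist -ne 1) {
    $Findings.Add([pscustomobject]@{ Check = 'VulnerableDriverBlocklist'; Detail = "not enforced (value=$Blocklist); enable it or deploy WDAC driver block rules" })
}

if ($Findings.Count -eq 0) { "No $SuspectDriver indicators found on $env:COMPUTERNAME" }
else { $Findings | Format-Table -AutoSize -Wrap }
```

A valid Authenticode signature on a hit is expected here and is not exculpatory: the whole point of BYOVD is that the driver passes signature checks. Treat any presence of the driver on a host that never had Zemana AntiMalware installed as an incident indicator.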

The CrazyHunter ransomware samples and the zam64.sys driver used in the attack are now covered by our DPI network security content inspection signature database (see the IOC list below), enabling detection and blocking in products equipped with Lionic DPI technology.

To prevent similar incidents in the future, we recommend:

  1. Strengthening cybersecurity education for employees to improve overall defense capabilities.
  2. Scanning USB devices brought in from external sources for malware and never executing files of unknown origin.
  3. Enabling two-factor authentication for Microsoft AD accounts and enforcing strong password and account-lockout policies.
  4. Deploying routers/UTMs with Anti-Virus and Anti-Intrusion functions in front of Microsoft AD servers and at the company's Internet egress.
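Recommendation 3 can be audited rather than assumed. The script below is an added example for this page (not Lionic's code) that reads the domain's default password and lockout policy, flags settings that make the weak-password guessing described above easy, and lists the enabled accounts exempt from the policy. It assumes the ActiveDirectory RSAT module and read rights on the domain; the thresholds (14 characters, lockout after 10 attempts, 24-password history) are this example's baseline, not values from the advisory.

```powershell
# Added example: audit the default domain password/lockout policy against a baseline.
Import-Module ActiveDirectory

$Policy = Get-ADDefaultDomainPasswordPolicy

$Checks = @(
    @{ Name = 'MinPasswordLength >= 14';       Pass = ($Policy.MinPasswordLength -ge 14);              Actual = $Policy.MinPasswordLength }
    @{ Name = 'ComplexityEnabled';             Pass = [bool]$Policy.ComplexityEnabled;                 Actual = $Policy.ComplexityEnabled }
    @{ Name = 'ReversibleEncryption disabled'; Pass = (-not $Policy.ReversibleEncryptionEnabled);      Actual = $Policy.ReversibleEncryptionEnabled }
    @{ Name = 'LockoutThreshold 1..10';        Pass = ($Policy.LockoutThreshold -ge 1 -and $Policy.LockoutThreshold -le 10); Actual = $Policy.LockoutThreshold }
    @{ Name = 'PasswordHistoryCount >= 24';    Pass = ($Policy.PasswordHistoryCount -ge 24);           Actual = $Policy.PasswordHistoryCount }
)
$Checks | ForEach-Object { [pscustomobject]$_ } | Format-Table Name, Pass, Actual -AutoSize

# Enabled accounts that do not need a password, or whose password never expires, are the
# first ones a password-guessing attacker will succeed against. A LockoutThreshold of 0
# (never lock out) means guessing can run indefinitely.
Get-ADUser -Filter "Enabled -eq 'True' -and (PasswordNotRequired -eq 'True' -or PasswordNeverExpires -eq 'True')" `
    -Properties PasswordNotRequired, PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, PasswordNotRequired, PasswordNeverExpires, PasswordLastSet |
    Format-Table -AutoSize

# Corrected baseline (weak setting above, hardened setting here). Apply deliberately,
# after reviewing the audit output; this changes policy for every account in the domain.
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
#     -MinPasswordLength 14 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
#     -LockoutThreshold 10 -LockoutDuration 00:30:00 -LockoutObservationWindow 00:30:00 `
#     -PasswordHistoryCount 24
```

Fine-grained password policies (Get-ADFineGrainedPasswordPolicy) can override the default for specific groups, so check those too before concluding that privileged accounts are covered. Two-factor authentication is not something the domain policy object can report on; verify it on the identity provider or smart-card/VPN configuration separately.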

Below are our IOC details for this incident:

MD5:

f45cc69f74f75a707a02d26ccd912845
9fe3322dd4fc35d1ed510bf715dae814
7f3d07220529742bdc1827186b73666a
b7a812586c037ca8d41968842a211b8a
ee8c636dc0b6c96d41dd61f38bf2066f
ca257aaa1ded22ca22086b9e95cb456d
9e45ab7d2d942a575b2f902cccfb3839
da1a93627cec6665ae28baaf23ff27c5
6a70c22a5778eaa433b6ce44513068da
2a3ce41bb2a7894d939fbd1b20dae5a0

SHA1:

086262abb7e85c43ffb6c384966d130ca612169b
0937377d1ef1d47a04f1e55d929fe79c313d7640
096e4141b1c92b4ab861d8aae44024fd5737f760
318a601a5d758dd870c38b8c4792a2c3405e6c28
605fcba03de970d889d4cbfd4ce493cf96ac30c2
79c3fd97d33e114f8681c565f983cd8b8f9d8d93
9e126627dff082000a830b8e2e04206ced8663ff
b6737248f7baed88177658598002df5433155450
bed4229e774f136e1898fad9d37bd96e9156369e
cd248648eafca6ef77c1b76237a6482f449f13be
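To use the hashes above on a host or a mounted disk image, the following added example (written for this page, not Lionic's code) sweeps a directory tree and reports any file whose MD5 or SHA1 matches the listed indicators. The hash sets are copied from the lists above; the 200 MB size cap, the search root and the CSV output path are this example's choices.

```powershell
# Added example: sweep a directory tree for files matching the CrazyHunter MD5/SHA1 IOCs.
$IocMd5 = @(
    'f45cc69f74f75a707a02d26ccd912845', '9fe3322dd4fc35d1ed510bf715dae814',
    '7f3d07220529742bdc1827186b73666a', 'b7a812586c037ca8d41968842a211b8a',
    'ee8c636dc0b6c96d41dd61f38bf2066f', 'ca257aaa1ded22ca22086b9e95cb456d',
    '9e45ab7d2d942a575b2f902cccfb3839', 'da1a93627cec6665ae28baaf23ff27c5',
    '6a70c22a5778eaa433b6ce44513068da', '2a3ce41bb2a7894d939fbd1b20dae5a0'
)
$IocSha1 = @(
    '086262abb7e85c43ffb6c384966d130ca612169b', '0937377d1ef1d47a04f1e55d929fe79c313d7640',
    '096e4141b1c92b4ab861d8aae44024fd5737f760', '318a601a5d758dd870c38b8c4792a2c3405e6c28',
    '605fcba03de970d889d4cbfd4ce493cf96ac30c2', '79c3fd97d33e114f8681c565f983cd8b8f9d8d93',
    '9e126627dff082000a830b8e2e04206ced8663ff', 'b6737248f7baed88177658598002df5433155450',
    'bed4229e774f136e1898fad9d37bd96e9156369e', 'cd248648eafca6ef77c1b76237a6482f449f13be'
)

# Case-insensitive lookup sets: Get-FileHash returns upper-case hex, the advisory lists lower-case.
$Md5Set  = [System.Collections.Generic.HashSet[string]]::new([string[]]$IocMd5,  [System.StringComparer]::OrdinalIgnoreCase)
$Sha1Set = [System.Collections.Generic.HashSet[string]]::new([string[]]$IocSha1, [System.StringComparer]::OrdinalIgnoreCase)

function Find-CrazyHunterIoc {
    param(
        [Parameter(Mandatory)][string]$Root,
        [long]$MaxBytes = 200MB            # skip very large files; the samples are small executables
    )
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le $MaxBytes } |
        ForEach-Object {
            $File = $_
            try {
                $Md5  = (Get-FileHash -Path $File.FullName -Algorithm MD5  -ErrorAction Stop).Hash
                $Sha1 = (Get-FileHash -Path $File.FullName -Algorithm SHA1 -ErrorAction Stop).Hash
            } catch { return }             # locked or unreadable file: skip this one
            $Matched = @()
            if ($Md5Set.Contains($Md5))   { $Matched += "MD5=$Md5" }
            if ($Sha1Set.Contains($Sha1)) { $Matched += "SHA1=$Sha1" }
            if ($Matched.Count -gt 0) {
                [pscustomobject]@{
                    Host     = $env:COMPUTERNAME
                    Path     = $File.FullName
                    Matched  = ($Matched -join ';')
                    Modified = $File.LastWriteTimeUtc
                    Bytes    = $File.Length
                }
            }
        }
}

$Hits = @(Find-CrazyHunterIoc -Root "$env:SystemDrive\")
if ($Hits.Count -gt 0) {
    $Hits | Export-Csv -Path "$env:TEMP\crazyhunter-ioc-hits.csv" -NoTypeInformation
    $Hits | Format-Table -AutoSize
} else {
    "No CrazyHunter hash matches under $env:SystemDrive\ on $env:COMPUTERNAME"
}
```

Hashing an entire system drive takes time; narrow -Root to user profiles, %ProgramData%, %TEMP% and removable media first when triaging many hosts. Hash indicators only identify these exact samples: a rebuilt or padded binary will not match, so pair this sweep with the driver-load hunt and network-level signatures rather than relying on it alone.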

SHA256:

About Lionic Corp.

Lionic Corporation is recognized globally as a leader in advanced Deep Packet Inspection (DPI) solutions. The technology suite includes a state-of-the-art DPI engine and comprehensive software application modules. The Security modules cover Anti-Virus, Anti-Intrusion and Anti-WebThreat, while the Content Management modules focus on application and device identification, application-based quality of service (QoS), web content filtering and parental control. Lionic’s offerings in security and content management, along with cloud-based scanning services and signature subscription services, are deployed extensively worldwide.