On February 9, 2025, Mackay Memorial Hospital in Taipei, Taiwan was hit by Crazy Hunter ransomware. Within days, a second attack hit nearby Changhua Christian Hospital.[1] Attackers gained access to the hospitals’ Active Directory (AD) environments, and once inside, they were able to disable security mechanisms, escalate privileges, and execute malicious code to lock systems—while encrypting and stealing millions of medical records.
These incidents are part of a global increase in cyberattacks against healthcare systems, where attackers rely on the fact that restoring medical services is a matter of life and death. And they know how to exploit the complex, hybrid identity environments that healthcare organizations depend on—by gaining access to AD.
Why Active Directory security is essential for healthcare organizations
Attacks on healthcare organizations offer cybercriminals the opportunity for enrichment on multiple levels. On the frontend, attackers extort huge ransoms. On the backend, stolen medical records provide a treasure-trove of personal data, ripe for exploitation.
As Semperis revealed in our 2024 Ransomware Risk Report, initial attacks on healthcare organizations are enormously successful, creating immediate chaos and an urgent need to restore care for patients. But the threat doesn’t end with the first attack. Of healthcare organizations that reported being attacked, 35% reported they suffered multiple attacks simultaneously. And even when they paid ransom—often multiple times—40% still suffered data loss.
The primary target for malicious actors who are looking for entry into healthcare systems—as well as other highly targeted industries such as finance and manufacturing—is AD. As the core identity service, AD is the source of access to legacy systems, complex hybrid architectures, and myriad connected devices.
That means AD security is of paramount importance across all levels for any critical industry.
How attackers exploit AD security vulnerabilities
Although investigation is ongoing into the initial source of intrusion into the Taiwan hospitals, officials know that the attackers specifically targeted the hospitals’ AD environments. In its 2024 Cybersecurity Technical Report (CTR) Detecting and Mitigating Active Directory Compromises, the Five Eyes alliance issued guidance on addressing AD security vulnerabilities, noting that a key challenge in securing AD is that every authenticated user has enough permissions to both identify and exploit weaknesses.
There are multiple ways for bad actors to gain access to AD:
- Compromise an AD user through social engineering or phishing
- Use an exposed and misconfigured Remote Desktop Gateway (RD Gateway) and stolen credentials to gain direct RDP access to internal systems
- Use compromised credentials to authenticate through VPN solutions that don’t enforce multifactor authentication (MFA), giving attackers a foothold inside the network
- Use valid credentials or exploit vulnerabilities in internet-facing Citrix/VDI environments that are improperly or inadequately secured
- Exploit vulnerabilities or poor authentication controls in self-hosted portals (e.g., HR systems, support tools)
- Employ password spraying against externally reachable authentication points such as OWA, VPN, or SSO portals
Once AD is breached, attackers can use that access to:
- Exploit weak passwords through brute-force techniques such as password spraying
- Launch an AS-REP Roasting attack, if the hospital has legacy systems and applications that don’t support Kerberos pre-authentication
- Use privileged credentials to modify AD’s Group Policy Objects (GPOs) to propagate ransomware
- Access legacy service accounts, which are common and often highly privileged in hospital environments and can lead to privilege escalation. For example, an attacker can request a service ticket for a legacy Domain Admin account that has a service principal name (SPN) set and perform Kerberoasting to try to recover the account’s plaintext password, which immediately yields Domain Admin privileges
How CrazyHunter navigated AD from within
Mackay Memorial first noticed a system anomaly on February 9. The hospital immediately reported the issue to the Information Security Information Sharing and Analysis Center (H-ISAC) of Taiwan’s Ministry of Health and Welfare, which deployed a rapid response team to accelerate recovery.
But the damage escalated quickly. More than 500 hospital computers crashed, patient records and critical systems were encrypted, and emergency room services came to a standstill. Medical services were restored within a day—but personal data of more than 16.6 million patients was stolen and sold by the attackers, Hunter Ransom Group.[2]
The CrazyHunter ransomware followed a trajectory that might be used to exploit AD security vulnerabilities in any organization.
Privilege escalation and lateral movement to GPOs
Once inside with compromised AD accounts, the attackers elevated their privileges within AD, likely by exploiting misconfigurations or weak permissions.
Next, the attackers used Group Policy Objects (GPOs) to distribute malicious executables designed for encryption, process manipulation, and security evasion. Because they enable broad controls in AD, GPOs are commonly abused in ransomware attacks to execute payloads on multiple systems simultaneously.
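The GPO abuse described above leaves traces a defender can audit for. The following PowerShell is an added example (not Semperis code and not the attackers’ tooling) that flags GPOs changed recently, GPOs whose SYSVOL folder carries payload-delivery settings (scheduled tasks, startup scripts, file deployment), and GPOs that grant edit rights to trustees outside an expected administrative set. It assumes the RSAT GroupPolicy and ActiveDirectory modules; the look-back window and the expected-editor list are assumptions to tune per environment.

```powershell
# Added example (not Semperis code): GPO change and permission audit for a domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$LookbackDays    = 7                                              # assumption: your change window
$expectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')  # assumption: who may edit GPOs
$domain          = (Get-ADDomain).DNSRoot

# SYSVOL locations that ransomware operators use to push executables via GPO
$payloadPaths = @(
    'Machine\Preferences\ScheduledTasks\ScheduledTasks.xml',
    'User\Preferences\ScheduledTasks\ScheduledTasks.xml',
    'Machine\Scripts\Startup',
    'Machine\Preferences\Files\Files.xml'
)

$since = (Get-Date).AddDays(-$LookbackDays)
foreach ($gpo in Get-GPO -All -Domain $domain) {
    $base = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}"

    # Which payload-delivery hooks exist in this GPO's SYSVOL folder
    $hooks = foreach ($p in $payloadPaths) {
        if (Test-Path (Join-Path $base $p)) { $p }
    }

    # Trustees holding edit rights that are not in the expected list
    $oddEditors = Get-GPPermission -Guid $gpo.Id -All -DomainName $domain |
        Where-Object {
            $_.Permission.ToString() -in @('GpoEdit', 'GpoEditDeleteModifySecurity') -and
            $_.Trustee.Name -notin $expectedEditors
        } | ForEach-Object { $_.Trustee.Name }

    $recent = $gpo.ModificationTime -gt $since
    if ($recent -or $hooks -or $oddEditors) {
        [pscustomobject]@{
            GPO               = $gpo.DisplayName
            Modified          = $gpo.ModificationTime
            RecentChange      = $recent
            PayloadHooks      = ($hooks -join '; ')
            UnexpectedEditors = ($oddEditors -join '; ')
        }
    }
}
```

A GPO that is both recently modified and newly carrying a scheduled task is the combination worth investigating first; compare it against your change records before assuming it is benign.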
Defense evasion: Bring Your Own Vulnerable Driver attack
BYOVD attacks leverage signed but vulnerable drivers to escalate privileges and execute code in kernel mode. In this case, the attackers deployed the vulnerable Zemana driver zam64.sys—a legitimately signed driver belonging to the Zemana AntiMalware (ZAM) product. In typical BYOVD attacks, the driver is exploited to launch privilege-escalation attacks and disable security mechanisms such as endpoint protection or endpoint detection and response (EDR) solutions.
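Two host-level checks against the BYOVD technique above, as an added example (not Semperis code): first, whether the Microsoft vulnerable driver blocklist is enforced (the registry value is the one documented by Microsoft for enabling it), and second, a triage of recent driver loads recorded by Sysmon event ID 6, surfacing drivers loaded from unusual paths, signed by a non-Microsoft publisher, or matching a watchlist that here contains only zam64.sys from the article. It assumes Sysmon is installed with driver-load logging enabled.

```powershell
# Added example (not Semperis code): BYOVD defensive checks on a Windows host.

# Part 1: is the Microsoft vulnerable driver blocklist enabled?
$ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$ci = Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
if ($ci -and $ci.VulnerableDriverBlocklistEnable -eq 1) {
    'Vulnerable driver blocklist: ENABLED'
} else {
    'Vulnerable driver blocklist: NOT enabled (value absent or 0)'
}

# Part 2: review driver loads from the last 7 days (Sysmon event ID 6)
$watchNames = @('zam64.sys')                                   # from the article; extend as needed
$normalDirs = @("$env:SystemRoot\System32\drivers\", "$env:SystemRoot\System32\DriverStore\")
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $image      = $d['ImageLoaded']
    $watched    = $watchNames -contains (Split-Path $image -Leaf)
    $unusualDir = -not ($normalDirs | Where-Object { $image -like "$_*" })
    $nonMsSig   = $d['Signature'] -notlike 'Microsoft*'

    if ($watched -or $unusualDir -or $nonMsSig) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Driver    = $image
            Signer    = $d['Signature']
            SigStatus = $d['SignatureStatus']
            Reason    = @(
                if ($watched)    { 'watchlist' }
                if ($unusualDir) { 'unusual path' }
                if ($nonMsSig)   { 'non-Microsoft signer' }
            ) -join ', '
        }
    }
}
```

Third-party drivers are normal on many hosts, so the "non-Microsoft signer" reason is a triage hint rather than a verdict; a watchlist hit or a load from a user-writable path is the stronger signal.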
How to enhance operational resilience for critical services
As the Five Eyes CTR explains, once attackers have infiltrated AD, they take advantage of the complexity of relationships between users and systems. These often-hidden interconnections make it easy for bad actors to disguise malicious actions as “normal” AD changes, giving them free rein inside the identity system.
To ensure operational resilience, organizations must employ specialized AD security solutions to address AD security vulnerabilities, detect anomalous behaviour that can indicate an impending attack, and enable rapid recovery when an attack inevitably happens.
1. Implement identity threat detection and response (ITDR)
Semperis Directory Services Protector (DSP) provides continuous monitoring and enables proactive actions to reduce the attack surface of even the largest and most complex AD environments. DSP can:
- Identify any suspicious AD configurations, including dubious GPO permissions
- Identify all service accounts with weak encryption
- Provide visibility into service accounts that are being used to log on interactively (a strong indication of compromise)
- Identify all accounts that are still susceptible to AS-REP Roasting to enable remediation of those accounts if possible—or close monitoring, if remediation isn’t possible
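The account weaknesses named in the list above and in the Kerberoasting and AS-REP Roasting items earlier can be enumerated directly from AD. The following PowerShell is an added example (not Semperis code and not part of DSP) that lists accounts without Kerberos pre-authentication, accounts with an SPN that still accept RC4 (weak encryption), and whether each SPN account is a member of a privileged group. It assumes the RSAT ActiveDirectory module and read access to the directory; the privileged group name is an assumption.

```powershell
# Added example (not Semperis code): Kerberos account hygiene report for a domain.
Import-Module ActiveDirectory

$PrivilegedGroup       = 'Domain Admins'   # assumption: adjust per forest
$UAC_DONT_REQ_PREAUTH  = 0x400000          # userAccountControl bit 4194304
$ENC_RC4               = 0x4               # msDS-SupportedEncryptionTypes bit for RC4-HMAC

# 1. Accounts that do not require Kerberos pre-authentication (AS-REP Roasting candidates)
$asrep = Get-ADUser -LDAPFilter "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=$UAC_DONT_REQ_PREAUTH))" `
    -Properties PasswordLastSet

# 2. Accounts with an SPN (Kerberoasting candidates), excluding krbtgt
$spnUsers = Get-ADUser -LDAPFilter '(&(objectCategory=person)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet

# Resolve privileged members once; -Recursive makes nested group membership count
$privileged = Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
    Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName

$report = foreach ($u in $spnUsers) {
    $enc = $u.'msDS-SupportedEncryptionTypes'
    # Unset/0 means the domain default applies, which on most domains still permits RC4
    $rc4Allowed = (-not $enc) -or (($enc -band $ENC_RC4) -ne 0)
    [pscustomobject]@{
        Account         = $u.SamAccountName
        Privileged      = $privileged -contains $u.SamAccountName
        RC4Allowed      = $rc4Allowed
        PasswordAgeDays = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { $null }
        SPNCount        = @($u.servicePrincipalName).Count
    }
}

"AS-REP Roasting candidates: $(@($asrep).Count)"
$asrep | Select-Object SamAccountName, Enabled, PasswordLastSet | Format-Table -AutoSize

"Kerberoastable accounts (privileged and RC4-capable first):"
$report |
    Sort-Object @{Expression = 'Privileged'; Descending = $true}, @{Expression = 'RC4Allowed'; Descending = $true} |
    Format-Table -AutoSize
```

A privileged SPN account with RC4 allowed and a password set years ago is exactly the case the Domain Admin example above describes; remediation is a long random password, AES-only encryption types, and removal from privileged groups where possible.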
2. Detect and mitigate threats
In addition to proactively remediating AD security vulnerabilities, organizations should implement an automated, real-time attack-detection solution, such as Semperis Lightning Identity Runtime Protection (IRP). By using AI algorithms specifically trained with real-world identity attack experiences, this solution enables security defenders to reduce monitoring noise—and focus on critical alerts that may indicate an impending attack. Lightning IRP can:
- Identify threat actors’ attempts to steal service tickets with weak encryption
- Identify anomalous logon activities of compromised accounts
- Detect patterns that indicate the presence of password spray and brute force attacks
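The password-spray pattern in the last item is recognisable in failed-logon telemetry: one source address trying many distinct accounts once each within a short window, as opposed to one user failing repeatedly. The following PowerShell is an added example (not Semperis code and not how Lightning IRP works internally) of that detection logic, run over a small constructed set of event ID 4625 fields so it executes offline; the window size and threshold are assumptions.

```powershell
# Added example (not Semperis code): password-spray detection over failed-logon records.
$WindowMinutes    = 10   # assumption: spray window
$MinDistinctUsers = 5    # assumption: distinct accounts from one source before alerting

# Constructed sample (event ID 4625 fields): 10.0.5.23 sprays eight accounts once each;
# 10.0.9.8 is one user failing four times (lockout/typo pattern, not a spray).
$t0 = Get-Date '2025-02-09T02:00:00'
$failedLogons = @(
    0..7 | ForEach-Object {
        [pscustomobject]@{ Time = $t0.AddSeconds(20 * $_); IpAddress = '10.0.5.23'; TargetUserName = "user$_"; Status = '0xC000006D' }
    }
    0..3 | ForEach-Object {
        [pscustomobject]@{ Time = $t0.AddSeconds(45 * $_); IpAddress = '10.0.9.8'; TargetUserName = 'nurse.lee'; Status = '0xC000006D' }
    }
)

function Find-PasswordSpray {
    param([object[]]$Events, [int]$WindowMinutes, [int]$MinUsers)
    foreach ($group in ($Events | Group-Object IpAddress)) {
        $sorted = @($group.Group | Sort-Object Time)
        # Sliding window: from each event, count distinct target accounts within the window
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $limit = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $slice = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.Time -le $limit })
            $users = @($slice.TargetUserName | Select-Object -Unique)
            if ($users.Count -ge $MinUsers) {
                [pscustomobject]@{
                    Source           = $group.Name
                    DistinctAccounts = $users.Count
                    Attempts         = $slice.Count
                    FirstSeen        = $sorted[$i].Time
                    LastSeen         = $slice[-1].Time
                }
                break   # one alert per source is enough for triage
            }
        }
    }
}

Find-PasswordSpray -Events $failedLogons -WindowMinutes $WindowMinutes -MinUsers $MinDistinctUsers |
    Format-Table -AutoSize
```

On real data, feed it the TargetUserName, IpAddress and TimeCreated fields of 4625 events from every domain controller, since a spray is often split across DCs and looks harmless on any single one.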
3. Ensure resilience with rapid AD recovery
In the case of a crippling attack or known breach, rapid AD recovery is essential for empowering organizations to refuse to pay ransom and reducing costly impacts.
A recovery solution like Semperis Active Directory Forest Recovery (ADFR)—which can recover AD without risking malware re-infection and follow-on attacks—is essential when a serious breach has been detected and manual cleanup is considered too risky. ADFR can:
- Provide assurance the recovered AD environment is free from malware and ransomware
- Automate AD forest recovery to avoid human error and enable restoration of business operations in minutes or hours
- Speed post-attack forensic analysis to identify compromised accounts and prevent future attacks
Semperis snapshot
The cyberattacks on Mackay Memorial Hospital and Changhua Christian Hospital are a stark reminder that with high rewards and barriers to entry that can be circumvented by a simple phishing email, malicious actors have healthcare organizations on their radar. It’s essential to be prepared for the inevitability of a cyberattack.
Combating evolving threats in this landscape requires a detailed, tested identity resilience plan that coordinates a layered AD security defence across people, processes, and technology. For healthcare organizations—with their complex, rapidly changing systems and hybrid architectures—the challenges of such coordination are significant.
But the risks of inaction are much greater.
Learn more about Active Directory security
- Group Policy Abuse Explained
- Effective GPO Change Auditing with Directory Services Protector
- Layered Defense for Active Directory Security
- Kerberoasting Explained
- AS-REP Roasting Explained