The cybersecurity landscape has witnessed a concerning development with the emergence of “Prince Ransomware,” an open-source ransomware builder that was freely accessible on GitHub until recently.
This tool, written in the Go programming language, has been exploited by cybercriminals to launch sophisticated ransomware attacks with minimal technical expertise.
The recent attack on Mackay Memorial Hospital in Taiwan highlights the growing risks posed by such publicly available offensive tools.
Mackay Memorial Hospital became the target of a ransomware attack that crippled its operations.
The attackers initially infected a few computers using a USB device, a rare but effective physical access vector.
After assessing the network’s defenses, they escalated their efforts, spreading laterally across the hospital’s infrastructure and encrypting over 600 devices across two branches in Taipei and Tamsui.
The attack disrupted critical systems and denied staff access to patient data, showcasing the devastating impact of such incidents.
The ransomware used in this attack, dubbed “CrazyHunter,” was created using the Prince Ransomware builder.
According to the report, this tool automates the creation of ransomware by employing advanced cryptographic techniques, including ChaCha20 and ECIES (Elliptic Curve Integrated Encryption Scheme).
These methods ensure robust encryption, making file recovery nearly impossible without the decryption keys.
Prince Ransomware operates by generating unique ChaCha20 keys and nonces for each file it encrypts.
These keys are then encrypted using an ECIES public key and appended to the file.
The ransomware systematically scans all drives and directories on a system while ignoring blocklisted files and extensions.
It encrypts files in an intermittent pattern: one byte is encrypted and the next two are left untouched, repeating across the file, after which a ransom note is dropped.
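As an added defender-side example (not code from the article or from the Prince project), the following Python triage helper builds on the 1-in-3 pattern described above: it splits a file into three byte lanes by offset mod 3, compares their entropy, and masks the encrypted lane so an analyst can see what the untouched two thirds still reveal. It generalizes the text slightly by locating whichever lane is the encrypted one rather than assuming the first; the sample data is constructed and the entropy thresholds are assumptions.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def lane_entropies(data: bytes, stride: int = 3) -> list[float]:
    """Entropy of each residue lane k, i.e. the bytes at offsets k, k+stride, ..."""
    return [shannon_entropy(data[k::stride]) for k in range(stride)]

def encrypted_lane(data: bytes, stride: int = 3, high: float = 7.0, gap: float = 2.0):
    """Index of the single near-random lane, or None when no 1-in-N pattern is seen.
    Thresholds are assumptions: a ciphertext lane of a few hundred bytes scores
    close to 8 bits, while text and most document formats stay well below 6."""
    ents = lane_entropies(data, stride)
    top = max(range(stride), key=ents.__getitem__)
    if ents[top] < high or any(ents[top] - e < gap for k, e in enumerate(ents) if k != top):
        return None
    return top

def partial_plaintext(data: bytes, lane: int, stride: int = 3) -> bytes:
    """Mask the encrypted lane with '?' so the surviving two thirds can be read in triage."""
    out = bytearray(data)
    out[lane::stride] = b"?" * len(out[lane::stride])
    return bytes(out)

def make_sample() -> bytes:
    """Constructed test artefact: a plaintext note whose every third byte is replaced
    by seeded pseudo-random bytes. This only mimics the damage pattern; there is no
    cipher and no key handling here."""
    plain = b"Constructed sample line: ward record, bed 12, admitted 2025-01-14.\n" * 48
    rnd = random.Random(2025)
    buf = bytearray(plain)
    for i in range(0, len(buf), 3):
        buf[i] = rnd.getrandbits(8)
    return bytes(buf)

if __name__ == "__main__":
    sample = make_sample()
    lane = encrypted_lane(sample)
    print("lane entropies:", [round(e, 2) for e in lane_entropies(sample)], "encrypted lane:", lane)
    if lane is not None:
        print(partial_plaintext(sample, lane)[:67].decode("ascii", "replace"))
```

On a real file the same lane split also tells an analyst that file-type signatures and readable fragments survive in two of every three bytes, which matters when scoping what an incident actually exposed.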
The builder’s accessibility on GitHub allowed threat actors to easily customize ransomware variants by modifying configuration files.
Variants such as “Black (Prince),” “Wenda,” and “UwU” have been identified, differing only in file extensions and ransom notes.
This out-of-the-box functionality has lowered barriers for attackers, enabling even low-skilled individuals to deploy ransomware effectively.
The Mackay Memorial Hospital attack involved several malicious tools bundled in a file named “bb2.zip.”
Key components included:
Additionally, the attackers employed defense evasion tools like “go.exe” and “go2.exe” to terminate antivirus processes, leveraging vulnerabilities in legitimate drivers for kernel-level privileges.
The availability of Prince Ransomware underscores a broader trend of open-source offensive tools being misused for malicious purposes.
Such tools empower lone-wolf attackers and small groups to execute complex attacks without relying on established ransomware-as-a-service (RaaS) models.
This democratization of cybercrime poses significant challenges for attribution and defense.
The Mackay Memorial Hospital incident also highlights the importance of securing physical access points like USB ports and implementing robust endpoint protection measures.
Organizations must prioritize network segmentation, continuous monitoring, and timely updates to mitigate similar threats.
As open-source tools like Prince Ransomware continue to proliferate, cybersecurity professionals face an uphill battle in preventing their misuse while balancing the benefits of open innovation.