Open-Source Prince Ransomware Builder Used in Hospital Attack
In February 2025, MacKay Memorial Hospital in Taipei was targeted in a ransomware attack that severely disrupted its operations. The attacker, who went by the alias "Crazyhunter," was later identified as Lo Chengyu, a 20-year-old Chinese national from Zhejiang Province.
Authorities confirmed that Lo infiltrated the hospital’s systems, encrypted sensitive data, and demanded a ransom. When the hospital refused to pay, he attempted to sell the stolen data—reportedly containing personal and medical information—on the dark web.
The breach not only impacted administrative functions but also delayed some medical services, underscoring the serious implications of cyberattacks on critical healthcare infrastructure, the Northeast Herald reports.
Crazyhunter has been implicated in multiple cyberattacks during February and March 2025. According to Taiwan's Criminal Investigation Bureau (CIB), Lo was responsible for 11 cyberattacks targeting hospitals, schools, and listed companies in Taiwan.
The ransomware used in the attack was built using the "Prince Ransomware" builder, an open-source tool publicly available on GitHub. This builder allows attackers to easily craft custom ransomware using sophisticated encryption methods such as ChaCha20 for data encryption and ECIES (Elliptic Curve Integrated Encryption Scheme) for key protection.
Its ease of use and accessibility make it particularly dangerous, as even relatively inexperienced threat actors can launch effective ransomware campaigns with minimal effort.
Takeaway: Ransomware began as one-off attacks that impacted a small number of devices and resulted in relatively small ransom demands. Then we watched it grow over the last few years into a full-blown criminal economy.
Specialists in the field include developers, initial access brokers, affiliate attackers, negotiators, recruiters, tech support and more. It evolved into a top-down structure like a SaaS company, improved efficiencies, and seemed almost laser-focused on big-game targets who could pay big-dollar ransoms.
But now, we’re potentially seeing a shift back toward smaller operations that sometimes only include a single threat actor armed with powerful tools. RaaS platforms for rent, leaked payload code, and free tools mean that there is a very low barrier to entry to become a ransomware operator today. That’s potentially a real nightmare scenario.
You don’t need to write malware from scratch anymore. You don’t need elite skills. You just need a little motivation and something like the Prince Ransomware Builder—open-source, freely available, and dangerously effective.
Just one 20-year-old, working alone, used it to hit multiple hospitals, schools, and manufacturers across Taiwan, causing massive disruption, all with an open-source payload and some googling.
This is not an outlier event; this is a preview. There are likely thousands more just like Lo, and that’s the threat landscape we’re finding ourselves in today. We’re not at the tail end of the ransomware era; we’re still just getting started.
Expect more attacks that are smaller, less predictable, and designed to fly under the radar. They won’t all make headlines, but the damage will stack up fast. The tooling is out there, the playbook is simple, and in the future of ransomware attacks, potentially anyone, anywhere, can be an attacker or a victim.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.