Crazy
Crazy ransomware is a ransomware variant belonging to the VoidCrypt ransomware family. Huntress reported two early-2026 incidents in which threat actors abused legitimate remote access and monitoring software, in one case attempting to deploy Crazy ransomware. In the observed intrusions, attackers used Net Monitor for Employees Professional as the primary remote access channel and SimpleHelp as a redundant persistence mechanism. Huntress observed Net Monitor being used to download SimpleHelp and to execute commands, including attempts to tamper with Windows Defender. In a separate incident, attackers gained access via a compromised VPN account, installed Net Monitor, configured it to call back to a command-and-control server over port 443, and disguised it under names including OneDriveSvbc, OneDriver.exe and, later, svchost.exe. Attackers also installed SimpleHelp and used its agent to search the desktop for cryptocurrency-related and remote-access-related keywords, likely to identify valuable assets and to determine whether the machine was actively in use. The reporting ties Crazy ransomware activity to abuse of legitimate RMM and employee-monitoring tools for intrusion, persistence, and evasion. No threat actor attribution beyond the operators attempting to deploy Crazy ransomware is provided in the content.
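As an added illustration (this is not code from the Huntress report or from this page), the following hunt runs over process-creation telemetry and flags the tradecraft described above: a process named svchost.exe that does not live in the Windows system directories, the OneDriver.exe / OneDriveSvbc disguise names, commands spawned by such a disguised agent, and a callback over port 443 from an already-suspicious process. The event shape, the field names and every sample event are constructed for the example, and the Defender-tampering markers are generic indicators a hunter would look for; the report does not say which commands the attackers used.

```python
"""
Added example (not from the Huntress report or the Mallory page): a small hunt
over process-creation events for the tradecraft described in the summary.
The ProcEvent shape, its field names and all sample events are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Names the report says the renamed Net Monitor agent used. OneDriveSvbc may
# have been a file or a service name, so both spellings are included.
DISGUISE_NAMES = {"onedriver.exe", "onedrivesvbc", "onedrivesvbc.exe"}

# svchost.exe is only suspicious when it runs from outside these directories.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Generic Defender-tampering markers (assumption: the report gives no specifics).
DEFENDER_TAMPER_MARKERS = (
    "set-mppreference",
    "disablerealtimemonitoring",
    "exclusionpath",
    "windefend",
)


@dataclass
class ProcEvent:
    image: str                    # full path of the new process
    parent_image: str             # full path of the parent process
    cmdline: str
    dest_port: int | None = None  # first outbound connection, if the sensor saw one


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def is_disguised(path: str) -> bool:
    """True if the image carries one of the disguise names or is a misplaced svchost.exe."""
    name = _name(path)
    if name in DISGUISE_NAMES:
        return True
    return name == "svchost.exe" and _dir(path) not in LEGIT_SVCHOST_DIRS


def classify(ev: ProcEvent) -> list[str]:
    """Return the findings for one event; an empty list means nothing was seen."""
    findings: list[str] = []
    name = _name(ev.image)
    if name in DISGUISE_NAMES:
        findings.append(f"disguise-name:{name}")
    elif name == "svchost.exe" and _dir(ev.image) not in LEGIT_SVCHOST_DIRS:
        findings.append("svchost-outside-system32")
    if any(marker in ev.cmdline.lower() for marker in DEFENDER_TAMPER_MARKERS):
        findings.append("defender-tamper-attempt")
    # Net Monitor was used to execute commands, so a child of a disguised agent is interesting.
    if is_disguised(ev.parent_image):
        findings.append("spawned-by-disguised-agent")
    # The agent called back over 443; only flag that on an already-suspicious
    # process, otherwise every browser and updater would fire the rule.
    if findings and ev.dest_port == 443:
        findings.append("c2-callback-443")
    return findings


def hunt(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map each suspicious image path to its findings; clean events are omitted."""
    return {ev.image: f for ev in events if (f := classify(ev))}


# Constructed sample telemetry, not real events from either incident.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs", 443),
    ProcEvent(r"C:\ProgramData\OneDrive\svchost.exe",
              r"C:\Windows\explorer.exe", "svchost.exe", 443),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\OneDriver.exe",
              r"C:\Windows\explorer.exe", "OneDriver.exe", 443),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\ProgramData\OneDrive\svchost.exe",
              'powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r"C:\Windows\explorer.exe", "firefox.exe", 443),
]

if __name__ == "__main__":
    for image, findings in hunt(SAMPLE_EVENTS).items():
        print(f"{image} -> {', '.join(findings)}")
```

The legitimate svchost.exe and the browser both talk on 443 and produce no finding; the port check only adds weight to a process that is already suspicious on its own. In a real environment the same logic would run over Sysmon event ID 1 (process creation) joined with event ID 3 (network connection), and the disguise-name set would be extended with whatever names the SimpleHelp and Net Monitor installers dropped in your telemetry.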
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Lateral Movement: 1 technique
Command and Control: 1 technique
Threat intel published by the firm (Huntress) on Wednesday detailed two early-2026 incidents in which hackers used Net Monitor for Employees Professional and SimpleHelp for nefarious ends - in one case attempting to deploy "Crazy" ransomware, a variant belonging to the VoidCrypt ransomware family.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Ransomware operation noted for using a legitimate employee-monitoring tool as a pre-encryption backdoor.
A ransomware variant in the VoidCrypt family that threat actors attempted to deploy after using remote monitoring and management software for access and persistence.
Ransomware deployed in intrusions that abuse legitimate remote access/monitoring tools (Net Monitor and SimpleHelp) for access, persistence, reconnaissance, and payload delivery.
Ransomware deployed in intrusions that abuse legitimate remote monitoring/management and workforce monitoring tools (Net Monitor and SimpleHelp) for access, persistence, and payload deployment.