CISA Alert AA23-040A: Maui and HolyGhost Ransomware Target Critical Infrastructure

The Red Report 2023

The Top 10 MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD

On February 09, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory on ransomware attacks against the Healthcare sector and other critical infrastructure in the United States and South Korea [1]. The CISA states that North Korean state-sponsored threat actors are responsible for these ransomware attacks. In their attacks, the North Korean adversaries exploited known critical vulnerabilities and deployed Maui and HolyGhost ransomware.

Picus Threat Library already had attack simulations for Maui and HolyGhost ransomware. In this blog, we explain tactics, techniques, and procedures used by the North Korean threat actors and how you can assess your security posture against Maui and HolyGhost ransomware attacks.

Simulate Ransomware Threats with 14-Day Free Trial of Picus Platform

Maui and HolyGhost Ransomware

North Korean state-sponsored threat actors are infamous for their financially motivated ransomware attacks. The Maui and HolyGhost ransomware group has been actively conducting ransomware attacks in favor of the North Korean government since 2021, and they often target healthcare organizations and critical infrastructure in the United States and South Korea.

Although the Maui ransomware uses a hybrid encryption approach to lock its victim’s files, it does not have other sophisticated characteristics observed in other North Korean ransomware groups [2].

  • Maui ransomware is operated manually, and it requires threat actors to specify the files to be encrypted.
  • Threat actors need to manually exfiltrate runtime artifacts, such as RSA public-private key pair.
  • Maui ransomware does not leave a ransom note for payment methods or recovery instructions.
  • Maui ransomware uses a single extortion method and does not exfiltrate the victim’s data for extortion.

Unlike Maui, HolyGhost ransomware follows the latest ransomware trends. The HolyGhost ransomware uses a hybrid encryption approach and exfiltrates their victim’s sensitive data for double extortion [3]. The HolyGhost group also moves laterally in the compromised network to infect other hosts to amplify its impact. HolyGhost ransomware has multiple variants written in different languages, such as C++ and Go. The ransomware is known to be affiliated with the North Korean threat group PLUTONIUM (aka DarkSeoul or Andariel). 

TTPs Used by North Korean Ransomware Threat Actors

Tactic: Initial Access

T1190 Exploit Public-Facing Application

The North Korean adversaries use known and high-impact vulnerabilities given below to gain initial access to their victim’s network. These vulnerabilities have patches or mitigation methods available; please apply them if you have not already.

Affected Product

CVE Number

CVSS Score

Apache Log4j Library

CVE-2021-44228

10.0 (Critical)

SonicWall SMA

CVE-2021-20038

9.8 (Critical)

TerraMaster NAS

CVE-2022-24990

N/A

T1195 Supply Chain Compromise

X-Popup is an open-source messenger that is popular among healthcare employees in South Korea. The threat actors masquerade their malicious trojan files as “X-Popup” and spread the malware using various fake domains that have similar names.

Tactic: Discovery

T1083 File and Directory Discovery

After initial access, adversaries use custom malware to conduct reconnaissance and collect information about the compromised host and network. The collected information is exfiltrated to a remote host controlled by the threat actors.

Tactic: Impact

T1486 Data Encrypted for Impact

Maui and HolyGhost ransomware uses a hybrid encryption approach and utilizes AES, RSA, and XOR encryption in various attack steps.

How Picus Helps Simulate Maui and HolyGhost Ransomware Attacks?

We also strongly suggest simulating Maui and HolyGhost ransomware attacks to test the effectiveness of your security controls against ransomware attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware, such as Hive, Zeppelin, and LockBit, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Maui ransomware

Threat ID

Threat Name

Attack Module

56700

Maui Ransomware Download Threat

Network Infiltration

64940

Maui Ransomware Email Threat

Email Infiltration (Phishing)

Picus Threat Library includes the following threats for HolyGhost ransomware:

Threat ID

Action Name

Attack Module

20076

H0lyGh0st Ransomware Malware Download Threat

Network Infiltration

41450

H0lyGh0st Ransomware Malware Email Threat

Email Infiltration (Phishing)

97451

DEV-0530 Threat Group Campaign Malware Download Threat

Network Infiltration

75946

DEV-0530 Threat Group Campaign Malware Email Threat

Email Infiltration (Phishing)

Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Maui and HolyGhost ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Maui and HolyGhost:

Security Control

Signature ID

Signature Name

Check Point NGFW

0E0B5D59A

Trojan.Win32.9033bbVq.TC.9033XddV

Check Point NGFW

0FA12CB4C

TS_Ransomware.Win32.HolyGhost.TC.3cffirdc

Check Point NGFW

0B3C5D611

Trojan.Win32.f8a6UbjK.TC.f8a6KKxW

Check Point NGFW

0F19A7B54

Ransomware.Win32.Maui.TC.a

Check Point NGFW

0F462F9D5

Ransomware.Win32.Maui.TC.b

Check Point NGFW

0C2EF27F0

Ransomware.Win32.Maui.TC.g

Cisco Firepower

 

W32.Auto:99fc54786a.in03.Talos

Forcepoint NGFW

 

File_Malware-Blocked

Fortigate AV

10098659

W32/Filecoder.OLY!tr

Fortigate AV

7254453

W32/Filecoder.AX!tr

Fortigate AV

10096964

W32/MAUICRYPT.YACC5!tr.ransom

Fortigate AV

10096548

W32/Agent.C5C2!tr

Fortigate AV

58991

W32/PossibleThreat

McAfee

0x4840c900

MALWARE: Malicious File Detected by GTI

Palo Alto NGFW

520347128

trojan/Win32.bodegun.df

Palo Alto NGFW

520347131

ransomware/Win32.dha.e

Palo Alto NGFW

520483088

ransomware/Win32.dha.d

Palo Alto NGFW

503690705

trojan/Win32.zusy.tns

Palo Alto NGFW

517159826

Ransom/Win32.maui.a


Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof Picus The Complete Security Validation Platform.

References

[1] “#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities.” [Online]. Available: https://www.cisa.gov/uscert/ncas/alerts/aa23-040a. [Accessed: Feb. 10, 2023]

[2] H. C. Yuceel, “Maui Ransomware: North Korean Threat Actors Attack Healthcare Sector,” Jul. 07, 2022. [Online]. Available: https://www.picussecurity.com/resource/maui-ransomware-north-korean-threat-actors-attack-healthcare-sector. [Accessed: Feb. 10, 2023]

[3] H. C. Yuceel, “H0lyGh0st - North Korean Threat Group Strikes Back With New Ransomware,” Jul. 29, 2022. [Online]. Available: https://www.picussecurity.com/resource/h0lygh0st-north-korean-threat-group-strikes-back-with-new-ransomware. [Accessed: Feb. 10, 2023