.svg)
.svg)
On February 09, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory on ransomware attacks against the Healthcare sector and other critical infrastructure in the United States and South Korea [1]. The CISA states that North Korean state-sponsored threat actors are responsible for these ransomware attacks. In their attacks, the North Korean adversaries exploited known critical vulnerabilities and deployed Maui and HolyGhost ransomware.
Picus Threat Library already had attack simulations for Maui and HolyGhost ransomware. In this blog, we explain tactics, techniques, and procedures used by the North Korean threat actors and how you can assess your security posture against Maui and HolyGhost ransomware attacks.
Simulate Ransomware Threats with 14-Day Free Trial of Picus Platform
Maui and HolyGhost Ransomware
North Korean state-sponsored threat actors are infamous for their financially motivated ransomware attacks. The Maui and HolyGhost ransomware group has been actively conducting ransomware attacks in favor of the North Korean government since 2021, and they often target healthcare organizations and critical infrastructure in the United States and South Korea.
Although the Maui ransomware uses a hybrid encryption approach to lock its victim’s files, it does not have other sophisticated characteristics observed in other North Korean ransomware groups [2].
- Maui ransomware is operated manually, and it requires threat actors to specify the files to be encrypted.
- Threat actors need to manually exfiltrate runtime artifacts, such as RSA public-private key pair.
- Maui ransomware does not leave a ransom note for payment methods or recovery instructions.
- Maui ransomware uses a single extortion method and does not exfiltrate the victim’s data for extortion.
Unlike Maui, HolyGhost ransomware follows the latest ransomware trends. The HolyGhost ransomware uses a hybrid encryption approach and exfiltrates their victim’s sensitive data for double extortion [3]. The HolyGhost group also moves laterally in the compromised network to infect other hosts to amplify its impact. HolyGhost ransomware has multiple variants written in different languages, such as C++ and Go. The ransomware is known to be affiliated with the North Korean threat group PLUTONIUM (aka DarkSeoul or Andariel).
TTPs Used by North Korean Ransomware Threat Actors
Tactic: Initial Access
T1190 Exploit Public-Facing Application
The North Korean adversaries use known and high-impact vulnerabilities given below to gain initial access to their victim’s network. These vulnerabilities have patches or mitigation methods available; please apply them if you have not already.
|
Affected Product |
CVE Number |
CVSS Score |
|
Apache Log4j Library |
CVE-2021-44228 |
10.0 (Critical) |
|
SonicWall SMA |
CVE-2021-20038 |
9.8 (Critical) |
|
TerraMaster NAS |
CVE-2022-24990 |
N/A |
T1195 Supply Chain Compromise
X-Popup is an open-source messenger that is popular among healthcare employees in South Korea. The threat actors masquerade their malicious trojan files as “X-Popup” and spread the malware using various fake domains that have similar names.
Tactic: Discovery
T1083 File and Directory Discovery
After initial access, adversaries use custom malware to conduct reconnaissance and collect information about the compromised host and network. The collected information is exfiltrated to a remote host controlled by the threat actors.
Tactic: Impact
T1486 Data Encrypted for Impact
Maui and HolyGhost ransomware uses a hybrid encryption approach and utilizes AES, RSA, and XOR encryption in various attack steps.
How Picus Helps Simulate Maui and HolyGhost Ransomware Attacks?
We also strongly suggest simulating Maui and HolyGhost ransomware attacks to test the effectiveness of your security controls against ransomware attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware, such as Hive, Zeppelin, and LockBit, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Maui ransomware:
|
Threat ID |
Threat Name |
Attack Module |
|
56700 |
Maui Ransomware Download Threat |
Network Infiltration |
|
64940 |
Maui Ransomware Email Threat |
Email Infiltration (Phishing) |
Picus Threat Library includes the following threats for HolyGhost ransomware:
|
Threat ID |
Action Name |
Attack Module |
|
20076 |
H0lyGh0st Ransomware Malware Download Threat |
Network Infiltration |
|
41450 |
H0lyGh0st Ransomware Malware Email Threat |
Email Infiltration (Phishing) |
|
97451 |
DEV-0530 Threat Group Campaign Malware Download Threat |
Network Infiltration |
|
75946 |
DEV-0530 Threat Group Campaign Malware Email Threat |
Email Infiltration (Phishing) |
Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Maui and HolyGhost ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Maui and HolyGhost:
|
Security Control |
Signature ID |
Signature Name |
|
Check Point NGFW |
0E0B5D59A |
Trojan.Win32.9033bbVq.TC.9033XddV |
|
Check Point NGFW |
0FA12CB4C |
TS_Ransomware.Win32.HolyGhost.TC.3cffirdc |
|
Check Point NGFW |
0B3C5D611 |
Trojan.Win32.f8a6UbjK.TC.f8a6KKxW |
|
Check Point NGFW |
0F19A7B54 |
Ransomware.Win32.Maui.TC.a |
|
Check Point NGFW |
0F462F9D5 |
Ransomware.Win32.Maui.TC.b |
|
Check Point NGFW |
0C2EF27F0 |
Ransomware.Win32.Maui.TC.g |
|
Cisco Firepower |
W32.Auto:99fc54786a.in03.Talos |
|
|
Forcepoint NGFW |
File_Malware-Blocked |
|
|
Fortigate AV |
10098659 |
W32/Filecoder.OLY!tr |
|
Fortigate AV |
7254453 |
W32/Filecoder.AX!tr |
|
Fortigate AV |
10096964 |
W32/MAUICRYPT.YACC5!tr.ransom |
|
Fortigate AV |
10096548 |
W32/Agent.C5C2!tr |
|
Fortigate AV |
58991 |
W32/PossibleThreat |
|
McAfee |
0x4840c900 |
MALWARE: Malicious File Detected by GTI |
|
Palo Alto NGFW |
520347128 |
trojan/Win32.bodegun.df |
|
Palo Alto NGFW |
520347131 |
ransomware/Win32.dha.e |
|
Palo Alto NGFW |
520483088 |
ransomware/Win32.dha.d |
|
Palo Alto NGFW |
503690705 |
trojan/Win32.zusy.tns |
|
Palo Alto NGFW |
517159826 |
Ransom/Win32.maui.a |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus The Complete Security Validation Platform.
References
[1] “#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities.” [Online]. Available: https://www.cisa.gov/uscert/ncas/alerts/aa23-040a. [Accessed: Feb. 10, 2023]
[2] H. C. Yuceel, “Maui Ransomware: North Korean Threat Actors Attack Healthcare Sector,” Jul. 07, 2022. [Online]. Available: https://www.picussecurity.com/resource/maui-ransomware-north-korean-threat-actors-attack-healthcare-sector. [Accessed: Feb. 10, 2023]
[3] H. C. Yuceel, “H0lyGh0st - North Korean Threat Group Strikes Back With New Ransomware,” Jul. 29, 2022. [Online]. Available: https://www.picussecurity.com/resource/h0lygh0st-north-korean-threat-group-strikes-back-with-new-ransomware. [Accessed: Feb. 10, 2023
