Maui Ransomware: North Korean Threat Actors Attack Healthcare Sector

The Red Report 2024

The Top 10 MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD

On July 06, 2022, The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of the Treasury of US released a joint advisory on ransomware attacks orchestrated by North Korean threat actors using Maui ransomware [1]. Unlike other state-of-the-art ransomware variants such as REvil, Conti, LockBit, and DarkSide, Maui ransomware is believed to be manually operated and lacks some of the automated functions related to file encryption. However, Maui ransomware and affiliated threat actors still pose a great risk to organizations, especially to the healthcare industry. 

Picus Labs added attack simulations for Maui ransomware to Picus Threat Library, and you can assess your security controls against Maui ransomware attacks with Picus.

Simulate Ransomware Threats with 14-Day Free Trial of Picus Platform

Maui Ransomware

Maui ransomware is locker-type ransomware that utilizes a hybrid encryption approach to render its victim's file useless. North Korean state-sponsored cyber threat actors are known to conduct financially motivated cyber-attacks, and CISA identified that they have been using Maui ransomware since May 2021. Organizations in the healthcare industry were the target of these ransomware attacks.

Maui ransomware falls on the simpler side of the ransomware spectrum because it lacks several characteristics that we often see in other ransomware such as BlackMatter, LockBit, and Conti. 

Here are some aspects that differentiate Maui ransomware from other ransomware.

  • Maui ransomware needs to be manually operated.
    • Threat actors need to specify files to be encrypted.
    • Runtime artifacts, such as RSA public-private key pair, need to be exfiltrated manually.
  • Maui ransomware does not leave a ransom note that describes the payment method or recovery instructions.
  • Maui ransomware relies on a single extortion method and uses data encryption for impact.
    • It does not exfiltrate data or delete system recovery backups to pressure its victims into paying the ransom.
  • Maui ransomware does not incorporate any lateral movement techniques.

Usage: maui [-ptx] [PATH]
Options:
-p dir:   Set Log Directory (Default: Current Directory)
-t n:     Set Thread Count (Default: 1)
-x:       Self Melt (Default: No)

Figure 1: Maui command line usage details [2]

TTPs Used by Maui Ransomware

Maui ransomware uses the following tactics, techniques, and procedures (TTPs):

Tactic: Execution

  • MITRE ATT&CK T1059.008 Command and Scripting Interpreter: Network Device CLI

Since Maui ransomware requires manual operation, remote threat actors use the command-line interface to encrypt the victim's files.

Tactic: Impact

  • MITRE ATT&CK T1486 Data Encrypted for Impact

Maui ransomware uses a hybrid encryption approach and utilizes AES, RSA, and XOR encryption in various attack steps.

  • Maui contains a hard-coded RSA public key in its executable and generates a new RSA public-private key pair using the hard-coded public key at the beginning of encryption.
  • The new private key is stored as "maui.evd".
  • Then, Maui generates a 16-byte XOR key using information about "\\.\PhysicalDrive0" and encodes the new public key with the XOR key.
  • The encoded public key is stored as "maui.key"
  • Maui uses AES 128-bit symmetric encryption in CBC mode to encrypt the victim's files.
  • Each file is encrypted with a unique secret key. 
  • After file encryption, Maui encrypts the secret key with the new public key generated in the first step.

How Picus Helps Simulate Maui Ransomware Attacks?

We also strongly suggest simulating Maui ransomware attacks to test the effectiveness of your security controls against ransomware attacks using the Picus' The Complete Security Control Validation Platform. You can test your defenses against Maui ransomware and hundreds of other ransomware such as Conti, DarkSide, and REvil (Sodinokibi) within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Maui ransomware

ID

Threat Name

56700

Maui Ransomware Download Threat

64940

Maui Ransomware Email Threat


Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof Picus' The Complete Security Control Validation Platform.

Indicators of Compromises

SHA-256

MD5

SHA-1

45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78

9b0e7c460a80f740d455a7521f0eada1

271b90824c7bb1de98c7fa9dae6dcd59d8a0bd64

830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570

2d02f5499d35a8dffb4c8bc0b7fec5c2

870ccd59ad2d3808c014c7c1dcc8a54de375db0c

5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e

4118d9adce7350c3eedeb056a3335346

c0e6d59e99e4adb58a2f57abf0deba61dee55c2f

References

[1]https://www.cisa.gov/uscert/sites/default/files/publications/aa22-187a-north-korean%20state-sponsored-cyber-actors-use-maui-ransomware-to-target-the-hph-sector.pdf

[2]https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf