Huseyin Can YUCEEL | July 07, 2022
On July 06, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the US Department of the Treasury released a joint advisory on ransomware attacks orchestrated by North Korean threat actors using Maui ransomware [1]. Unlike other state-of-the-art ransomware variants such as REvil, Conti, LockBit, and DarkSide, Maui ransomware is believed to be manually operated and lacks some of the automated functions related to file encryption. However, Maui ransomware and affiliated threat actors still pose a great risk to organizations, especially to the healthcare industry.
Picus Labs added attack simulations for Maui ransomware to Picus Threat Library, and you can assess your security controls against Maui ransomware attacks with Picus.
Maui ransomware is locker-type ransomware that utilizes a hybrid encryption approach to render its victim's files useless. North Korean state-sponsored cyber threat actors are known to conduct financially motivated cyber-attacks, and CISA identified that they have been using Maui ransomware since May 2021. Organizations in the healthcare industry were the target of these ransomware attacks.
Maui ransomware falls on the simpler side of the ransomware spectrum because it lacks several characteristics that we often see in other ransomware such as BlackMatter, LockBit, and Conti.
Here are some aspects that differentiate Maui ransomware from other ransomware.
Usage: maui [-ptx] [PATH]
Figure 1: Maui command line usage details [2]
Maui ransomware uses the following tactics, techniques, and procedures (TTPs):
Since Maui ransomware requires manual operation, remote threat actors use the command-line interface to encrypt the victim's files.
Maui ransomware uses a hybrid encryption approach and utilizes AES, RSA, and XOR encryption in various attack steps.
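As an added example (not code from the Picus post or the cited report), the following Python check hunts process-creation telemetry for the command-line shape shown in Figure 1, `maui [-ptx] [PATH]`. The event field names, the constructed sample events and the low-confidence "renamed binary" rule are assumptions.

```python
import json
import re

# Option letters taken from the usage string in Figure 1: maui [-ptx] [PATH]
MAUI_OPTIONS = {"p", "t", "x"}

# Constructed sample process-creation events (not real telemetry). The schema
# (image = full binary path, cmdline = full command line) is an assumption.
SAMPLE_EVENTS = [
    r'{"host":"ws01","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c dir"}',
    r'{"host":"srv-db","image":"C:\\Users\\Public\\maui.exe","cmdline":"maui.exe -t 4 -x \"D:\\shares\""}',
    r'{"host":"srv-fs","image":"C:\\Temp\\svc.exe","cmdline":"svc.exe -p C:\\Temp\\log -x E:\\data"}',
    r'{"host":"ws02","image":"C:\\Program Files\\app\\app.exe","cmdline":"app.exe --verbose -f C:\\in.txt"}',
]

def tokenize(cmdline):
    """Split a Windows command line, keeping a quoted path as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def exe_name(path):
    """Lower-cased basename without .exe, for a full path or a bare name."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def analyse_event(raw_json):
    """Return a finding dict for one event, or None when nothing matched."""
    ev = json.loads(raw_json)
    tokens = tokenize(ev.get("cmdline", ""))
    if not tokens:
        return None
    name = exe_name(ev.get("image") or tokens[0])
    switches = [t[1:].lower() for t in tokens[1:] if t.startswith("-")]
    operands = [t for t in tokens[1:] if not t.startswith("-")]
    # Shape rule: every switch uses only letters from -ptx and the last operand
    # is a Windows path (drive letter or UNC). Low confidence on its own.
    shape_ok = bool(switches) and all(s and set(s) <= MAUI_OPTIONS for s in switches)
    path_ok = bool(operands) and re.match(r"^([A-Za-z]:\\|\\\\)", operands[-1]) is not None
    if name == "maui":
        return {"host": ev.get("host"), "confidence": "high",
                "reason": "image name matches the Maui binary name"}
    if shape_ok and path_ok:
        return {"host": ev.get("host"), "confidence": "low",
                "reason": "command line fits the maui [-ptx] [PATH] shape; binary may be renamed"}
    return None

def hunt(events):
    """Run the check over a batch of raw JSON events and keep only findings."""
    return [f for f in (analyse_event(e) for e in events) if f]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The name-based rule is brittle, since an operator can rename the binary, so treat the low-confidence shape hits as hunting leads to be confirmed with file hashes and behavioural telemetry rather than as alerts on their own.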
We also strongly suggest simulating Maui ransomware attacks to test the effectiveness of your security controls against ransomware attacks using Picus, The Complete Security Control Validation Platform. You can test your defenses against Maui ransomware and hundreds of other ransomware such as Conti, DarkSide, and REvil (Sodinokibi) within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Maui ransomware:
ID    | Threat Name
------|--------------------------------
56700 | Maui Ransomware Download Threat
64940 | Maui Ransomware Email Threat
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus, The Complete Security Control Validation Platform.
References
[2] https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf