On July 6, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of the Treasury released a joint advisory on ransomware attacks carried out by North Korean state-sponsored threat actors using Maui ransomware [1]. Unlike widely deployed ransomware families such as REvil, Conti, LockBit, and DarkSide, Maui is believed to be operated manually and lacks the automation around target selection and file encryption that those families have. Even so, Maui and the actors behind it pose a serious risk to organizations, above all in the healthcare sector.
Picus Labs added attack simulations for Maui ransomware to Picus Threat Library, and you can assess your security controls against Maui ransomware attacks with Picus.
Maui is file-encrypting ransomware that uses a hybrid encryption scheme: files are encrypted with symmetric keys, and those keys are in turn protected by the attacker's asymmetric key, so the data cannot be recovered without the operator's private key. It is run by hand against servers and data stores the operator selects; in the incidents described in the advisory, it was used to encrypt servers responsible for healthcare services, including electronic health record, diagnostics, imaging, and intranet services [1]. Because the operator picks targets after gaining privileged access and identifying high-value systems, encryption of core services can be rapid, and the ransom demand then trades on downtime and the prospect of data loss.
CISA has attributed Maui to North Korean state-sponsored actors conducting financially motivated attacks, with activity observed since at least May 2021 [1]. Healthcare and Public Health sector organizations have been frequent targets because the sector depends on continuous availability and holds sensitive patient data. The advisory does not identify the initial access vector used in these intrusions, so defenders should harden the usual paths (stolen credentials, exposed remote access services) rather than wait for one to be named: enforce multifactor authentication for administrative and remote access, segment critical systems, keep tested offline backups, and monitor for lateral movement and abnormal bulk file modification. Continuous validation of detection and response controls confirms that these defenses fire on Maui's techniques before encryption spreads.
Maui falls on the simpler side of the ransomware spectrum because it lacks several features common to families such as BlackMatter, LockBit, and Conti: there is no automated target selection or propagation, and the operator has to supply the path to encrypt on the command line. Figure 1 shows the usage banner Stairwell recovered from the sample [2].
Usage: maui [-ptx] [PATH]
Figure 1: Maui command line usage details [2]
Maui ransomware uses the following tactics, techniques, and procedures (TTPs):
Manual operation over the command line: since Maui has no automation for target selection, remote operators run it interactively and pass the directory to encrypt as the PATH argument shown in Figure 1 [2].
Hybrid encryption (Data Encrypted for Impact, T1486): Maui combines AES, RSA, and XOR at different steps [1][2]. Each target file is encrypted with AES-128 under a per-file key, and a custom header records the file's original path together with the encrypted key material, which lets Maui recognize files it has already processed. Each AES key is then encrypted with an RSA public key; Maui loads the RSA public key (maui.key) and private key (maui.evd) from the same directory as the executable. Finally, the RSA public key is encoded with XOR using a key derived from hard drive information (\\.\PhysicalDrive0). The practical consequence for defenders is that recovering files requires the operator's RSA private key; as documented, the per-file AES step offers no shortcut.
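Because Maui is driven from the command line, the operator's invocation is itself a detection opportunity. The following is an added example (not code from the original page, from Picus, or from the Maui sample) that flags process-creation events whose arguments fit the usage line in Figure 1. Which switches take a value is not shown in the figure; the code assumes -p and -t consume the next token and -x is a bare flag, and the log records it runs over are constructed, not real telemetry.

```python
"""Flag process-creation events whose arguments fit Maui's manual CLI usage.

Added example: detection logic for the 'maui [-ptx] [PATH]' usage line in
Figure 1. Which switches take a value is not shown in the figure; this code
assumes -p and -t consume the next token and -x is a bare flag.
"""
import shlex

VALUE_SWITCHES = {"-p", "-t"}   # assumed to take an argument
FLAG_SWITCHES = {"-x"}          # assumed to be a bare flag


def parse_maui_args(command_line):
    """Return the parsed options when command_line fits the Maui grammar, else None.

    Grammar accepted: <image> ( -p <value> | -t <number> | -x )* [PATH]
    Any unknown switch, a non-numeric -t value, or more than one positional
    argument means the command line is not Maui-shaped.
    """
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:          # unbalanced quotes: fall back to whitespace split
        tokens = command_line.split()
    if len(tokens) < 2:
        return None
    opts, positional = {}, []
    i = 1                       # tokens[0] is the executable
    while i < len(tokens):
        tok = tokens[i]
        if tok in VALUE_SWITCHES:
            if i + 1 >= len(tokens):
                return None
            value = tokens[i + 1]
            if tok == "-t" and not value.isdigit():
                return None
            opts[tok] = value
            i += 2
        elif tok in FLAG_SWITCHES:
            opts[tok] = True
            i += 1
        elif tok.startswith("-"):
            return None         # a switch Maui does not have (e.g. 7-Zip's -t7z)
        else:
            positional.append(tok)
            i += 1
    if not opts or len(positional) > 1:
        return None
    opts["path"] = positional[0] if positional else None
    return opts


def hunt(events):
    """Return findings for events whose image name or argument shape points at Maui."""
    findings = []
    for ev in events:
        reasons = []
        image_name = ev["Image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image_name == "maui.exe":
            reasons.append("image name is maui.exe")
        parsed = parse_maui_args(ev["CommandLine"])
        if parsed is not None:
            reasons.append(f"arguments fit 'maui [-ptx] [PATH]': {parsed}")
        if reasons:
            findings.append({"Image": ev["Image"], "ParentImage": ev["ParentImage"], "reasons": reasons})
    return findings


# Constructed process-creation records in Sysmon Event ID 1 style (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\Public\maui.exe",
     "CommandLine": r"maui.exe -p C:\Users\Public\log -t 4 D:\Databases",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\ProgramData\svc.exe",            # renamed binary, same argument shape
     "CommandLine": r"svc.exe -x -t 8 \\FILESRV01\Shares",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe",      # benign tool with similar-looking switches
     "CommandLine": r"7z.exe a -t7z backup.7z D:\Data",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["Image"], "<-", finding["ParentImage"], finding["reasons"])
```

The argument grammar catches the renamed binary that a filename match misses, while the strict handling of unknown switches keeps tools like 7-Zip out of the results. In production the parent process (an interactive cmd.exe or powershell.exe under a remote session) is the next field to pivot on, since manual operation implies a human at a shell.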
We also strongly suggest simulating Maui ransomware attacks to test the effectiveness of your security controls with the Picus Complete Security Control Validation Platform. You can test your defenses against Maui and hundreds of other ransomware families such as Conti, DarkSide, and REvil (Sodinokibi) within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Maui ransomware:

ID      Threat Name
56700   Maui Ransomware Download Threat
64940   Maui Ransomware Email Threat
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Control Validation Platform.
Indicators of compromise: Maui sample file hashes

SHA-256: 45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78
MD5: 9b0e7c460a80f740d455a7521f0eada1
SHA-1: 271b90824c7bb1de98c7fa9dae6dcd59d8a0bd64

SHA-256: 830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570
MD5: 2d02f5499d35a8dffb4c8bc0b7fec5c2
SHA-1: 870ccd59ad2d3808c014c7c1dcc8a54de375db0c

SHA-256: 5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e
MD5: 4118d9adce7350c3eedeb056a3335346
SHA-1: c0e6d59e99e4adb58a2f57abf0deba61dee55c2f
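The hashes above are most useful as a sweep across file servers and shared drops after an intrusion. The following is an added example (not from the original page or from Picus) that walks a directory tree, computes SHA-256, MD5, and SHA-1 in a single read of each file, and reports any file whose digest appears in the indicator set. The indicator values are the ones listed on this page; the function also accepts any other set of hashes.

```python
"""Sweep a directory tree for files matching the Maui sample hashes listed above.

Added example (not from the original page or from Picus). Each file is read
once and all three digests are computed from the same chunks, so large trees
are not read three times over.
"""
import hashlib
import os

# Hashes from the indicators-of-compromise table on this page (lower-case hex).
MAUI_HASHES = frozenset({
    "45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78",
    "9b0e7c460a80f740d455a7521f0eada1",
    "271b90824c7bb1de98c7fa9dae6dcd59d8a0bd64",
    "830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570",
    "2d02f5499d35a8dffb4c8bc0b7fec5c2",
    "870ccd59ad2d3808c014c7c1dcc8a54de375db0c",
    "5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e",
    "4118d9adce7350c3eedeb056a3335346",
    "c0e6d59e99e4adb58a2f57abf0deba61dee55c2f",
})


def digest_file(path, chunk_size=1 << 20):
    """Return {'sha256': ..., 'md5': ..., 'sha1': ...} for path, reading it once."""
    hashers = {"sha256": hashlib.sha256(), "md5": hashlib.md5(), "sha1": hashlib.sha1()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_tree(root, iocs=MAUI_HASHES):
    """Walk root and return (path, matched_algorithms, digests) for every IoC hit."""
    iocs = {value.lower() for value in iocs}   # tolerate upper-case hex in feeds
    matches = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = digest_file(path)
            except OSError:          # unreadable or vanished file: skip, keep sweeping
                continue
            hit = [algo for algo, value in digests.items() if value in iocs]
            if hit:
                matches.append((path, hit, digests))
    return matches


if __name__ == "__main__":
    import sys
    for path, hit, digests in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"MATCH {path} via {','.join(hit)} sha256={digests['sha256']}")
```

Hash indicators are brittle: a recompiled or repacked sample produces new digests while keeping the same command-line behaviour, so a clean sweep does not rule Maui out. Pair this with the behavioural check on process creation events and with monitoring for the maui.key and maui.evd files the binary expects beside itself.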
References
[1] CISA, FBI, and U.S. Department of the Treasury, Joint Cybersecurity Advisory AA22-187A, "North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector," July 6, 2022.
[2] Stairwell, "Maui Ransomware" threat report, https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf