Maui Ransomware Attacking Healthcare
And Public Health Sector

Summary Of The Attack

  • North Korean state-sponsored cyber actors have been attacking U.S. Healthcare and Public Health (HPH) Sector organizations since at least May 2021.
  • These incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods.
  • Unlike most other ransomware, Maui is believed to be designed for manual execution by attackers.
  • The attack can be mitigated by maintaining off-site, offline backups, keeping operating systems, applications, and firmware up to date, and having a proper cybersecurity response plan.

What Happened?

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury released a joint Cybersecurity Advisory (CSA) to provide information on Maui ransomware, which is claimed to have been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.

In June 2022, the Stairwell research team investigated one of the lesser-known Ransomware-as-a-Service (RaaS) ecosystems, the Maui ransomware.

Maui lacks several key features commonly seen in tooling from RaaS providers, such as an embedded ransom note providing recovery instructions or an automated means of transmitting encryption keys to the attackers.

Instead, the Stairwell research team believes that Maui is manually operated: operators specify which files to encrypt when executing it and then exfiltrate the resulting runtime artifacts.

Security awareness training also promotes a heightened level of attention to the subtle activities of a threat actor whose objective is to illegally obtain your data or damage your corporate resources.

What Is Maui Ransomware?

Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations.

North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services, including electronic health records services, diagnostics services, imaging services, and intranet services.

In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods.


The initial access vector(s) for these incidents is unknown.

The earliest identified copy of Maui (SHA256 hash: 5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e) was first collected by Stairwell’s Inception platform on 3 April 2022.
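As an added, defender-side example that is not part of the advisory or the Stairwell report, the script below sweeps a directory tree and reports every file whose SHA256 matches an indicator list seeded with the hash quoted above. Matching a known-bad hash is the most basic use of such an indicator; hashing is streamed so large files do not need to fit in memory, and symlinks are skipped so a sweep cannot be steered out of the target tree. The directory layout, file names and the second "stand-in" indicator built in `demo()` are constructed for the demonstration; only the Maui hash itself comes from the advisory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 of the earliest identified Maui sample, as quoted in the advisory text above.
MAUI_SHA256 = {
    "5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e",
}


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory sample (handy for quick checks of captured blobs)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 in 1 MiB chunks so large disk images are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_for_indicators(root, indicators=MAUI_SHA256, max_size=None):
    """Walk `root` recursively and return (path, sha256) for every regular file
    whose hash is in `indicators`. Symlinks and unreadable files are skipped;
    `max_size` (bytes) lets an operator skip huge files on a first pass."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                # Check the link first: is_file() follows symlinks.
                if p.is_symlink() or not p.is_file():
                    continue
                if max_size is not None and p.stat().st_size > max_size:
                    continue
                h = sha256_of_file(p)
            except OSError:
                # Locked, vanished or permission-denied files must not abort the sweep.
                continue
            if h in indicators:
                hits.append((str(p), h))
    return hits


def demo():
    """Constructed scenario: a benign document plus a stand-in binary whose hash
    is added to the indicator set, so the sweep has exactly one hit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.txt").write_bytes(b"quarterly imaging report (constructed)")
        (root / "bin").mkdir()
        sample = root / "bin" / "svc.exe"
        # Constructed stand-in; NOT the Maui binary, just bytes with a known hash.
        sample.write_bytes(b"CONSTRUCTED STAND-IN FOR A MALICIOUS BINARY")
        indicators = MAUI_SHA256 | {sha256_of_file(sample)}
        return sweep_for_indicators(root, indicators)


if __name__ == "__main__":
    for path, digest in demo():
        print(f"MATCH {digest} {path}")
```

In practice the indicator set would be loaded from the advisory's full IoC list, and a hit should be treated as a trigger for incident response rather than a verdict on its own: a hash match proves the file is a known sample, but the absence of a match says nothing about renamed or recompiled variants.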

Maui is believed to be designed for manual execution by attackers.

When executed at the command line without any arguments, Maui prints usage information, detailing supported command-line parameters.

The only required argument is a folder path, which Maui parses, encrypting the files it identifies there.

Maui command line usage details:
