Author: Dušan Trojanović / Last Updated: 7/26/2022
Reviewed By: Dalibor Gašić and Michael Swanagan, CISSP, CISA, CISM
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury released a joint Cybersecurity Advisory (CSA) to provide information on Maui ransomware, which is claimed to have been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.
In June 2022, the Stairwell research team investigated one of the lesser-known Ransomware-as-a-Service (RaaS) ecosystems, the Maui ransomware.
Maui lacks several key features commonly seen in tooling from RaaS providers, such as an embedded ransom note providing recovery instructions or an automated means of transmitting encryption keys to the attackers.
Instead, the Stairwell research team believes that Maui is manually operated: operators specify which files to encrypt when executing it and then exfiltrate the resulting runtime artifacts.
Security awareness training also promotes a heightened level of attention to the subtle activities performed by a threat actor whose objective is to illegally obtain your data or to damage your corporate resources.
Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations.
North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services, including electronic health records services, diagnostics services, imaging services, and intranet services.
In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods.
The initial access vector(s) for these incidents is unknown.
The earliest identified copy of Maui (SHA256 hash: 5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e) was first collected by Stairwell’s Inception platform on 3 April 2022.
Maui is believed to be designed for manual execution by attackers.
When executed at the command line without any arguments, Maui prints usage information, detailing supported command-line parameters.
The only required argument is a folder path, which Maui parses to identify files and then encrypts them.
Maui command line usage details:
Instead of relying upon external infrastructure to receive encryption keys, Maui creates three files in the same directory it was executed from (unless a custom log directory is passed using the -p command line argument) containing the results of its execution.
These files are likely exfiltrated by Maui operators and processed by private tooling to generate associated decryption tooling.
Indicators of Compromise (IOCs) obtained from FBI incident response activities since May 2021 are provided below:
Maui uses a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption to encrypt [T1486] target files:
While Maui is encrypting files, it outputs status information back to operators. Command line output during execution:
The advisory also provides mitigation steps organizations can take to prepare for, or respond to, attacks using Maui ransomware.
Thankfully, although Maui may be a little different from run-of-the-mill ransomware, the steps to protect against it are not:
We hope that this article informs you about this recent attack and gives you good advice on how to protect yourself and your organization.
The best advice that can be given is to always keep your systems and services updated by applying patches as soon as they are available.
Dušan is a Senior Security Engineer actively working as a penetration tester in DevSecOps projects. He is also an avid security researcher bringing forward analysis on the latest attacks and techniques.