Maui Ransomware: North Korean Threat Actors Attack Healthcare Sector


On July 06, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of the Treasury released a joint advisory on ransomware attacks orchestrated by North Korean threat actors using Maui ransomware [1]. Unlike other state-of-the-art ransomware variants such as REvil, Conti, LockBit, and DarkSide, Maui ransomware is believed to be manually operated and lacks some of the automated functions related to file encryption. However, Maui ransomware and its affiliated threat actors still pose a great risk to organizations, especially in the healthcare industry.

Picus Labs added attack simulations for Maui ransomware to Picus Threat Library, and you can assess your security controls against Maui ransomware attacks with Picus.


Maui Ransomware

Maui ransomware is locker-type ransomware that utilizes a hybrid encryption approach to render its victim's files useless. North Korean state-sponsored cyber threat actors are known to conduct financially motivated cyber-attacks, and CISA identified that they have been using Maui ransomware since May 2021. Organizations in the healthcare industry were the target of these ransomware attacks.

Maui ransomware falls on the simpler side of the ransomware spectrum because it lacks several characteristics that we often see in other ransomware such as BlackMatter, LockBit, and Conti. 

Here are some aspects that differentiate Maui ransomware from other ransomware.

  • Maui ransomware needs to be manually operated.
    • Threat actors need to specify files to be encrypted.
    • Runtime artifacts, such as the RSA public-private key pair, need to be exfiltrated manually.
  • Maui ransomware does not leave a ransom note that describes the payment method or recovery instructions.
  • Maui ransomware relies on a single extortion method and uses data encryption for impact.
    • It does not exfiltrate data or delete system recovery backups to pressure its victims into paying the ransom.
  • Maui ransomware does not incorporate any lateral movement techniques.

Usage: maui [-ptx] [PATH]
Options:
-p dir:   Set Log Directory (Default: Current Directory)
-t n:     Set Thread Count (Default: 1)
-x:       Self Melt (Default: No)

Figure 1: Maui command line usage details [2]

TTPs Used by Maui Ransomware

Maui ransomware uses the following tactics, techniques, and procedures (TTPs):

Tactic: Execution

  • MITRE ATT&CK T1059.008 Command and Scripting Interpreter: Network Device CLI

Since Maui ransomware requires manual operation, remote threat actors use the command-line interface to encrypt the victim's files.

Tactic: Impact

  • MITRE ATT&CK T1486 Data Encrypted for Impact

Maui ransomware uses a hybrid encryption approach and utilizes AES, RSA, and XOR encryption in various attack steps.

  • Maui contains a hard-coded RSA public key in its executable and generates a new RSA public-private key pair using the hard-coded public key at the beginning of encryption.
  • The new private key is stored as "maui.evd".
  • Then, Maui generates a 16-byte XOR key using information about "\\.\PhysicalDrive0" and encodes the new public key with the XOR key.
  • The encoded public key is stored as "maui.key".
  • Maui uses AES 128-bit symmetric encryption in CBC mode to encrypt the victim's files.
  • Each file is encrypted with a unique secret key. 
  • After file encryption, Maui encrypts the secret key with the new public key generated in the first step.
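The command-line shape in Figure 1 (maui [-ptx] [PATH]) and the two runtime artifacts named above (maui.key and maui.evd) are the observable traces a defender can hunt for. The following detection helper is an added example, not code from the page or from Picus; the event format, host names and telemetry lines are constructed for illustration, and the two-option threshold is an assumption chosen to limit false positives from unrelated tools that also use -p or -t.

```python
import re
from dataclasses import dataclass

# Runtime artifact names the page attributes to Maui (new private key / XOR-encoded public key).
MAUI_ARTIFACTS = {"maui.key", "maui.evd"}
# Option shape from Figure 1: maui [-ptx] [PATH]; -p takes a directory, -t a thread count.
FLAG_RE = re.compile(r"(?:^|\s)-(p\s+\S+|t\s+\d+|x)(?=\s|$)")


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    reason: str


def maui_cmdline_flags(cmdline: str) -> set[str]:
    """Return the option letters (p, t, x) present in a command line, in Figure 1's shape."""
    return {m.group(1)[0] for m in FLAG_RE.finditer(cmdline)}


def analyze_events(events: list[dict]) -> list[Finding]:
    """Score process-creation and file-creation events for Maui indicators."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            flags = maui_cmdline_flags(ev["cmdline"])
            # -p and -t are common in many tools; require two of the three options together (assumed threshold).
            if len(flags) >= 2:
                findings.append(Finding(ev["host"], "medium",
                                        f"command line matches maui [-ptx] usage: {ev['cmdline']}"))
        elif ev["type"] == "file":
            name = ev["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in MAUI_ARTIFACTS:
                findings.append(Finding(ev["host"], "high",
                                        f"Maui key artifact written: {ev['path']}"))
    return findings


# Constructed sample telemetry (not real events): two true positives and two benign cases.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "cmdline": r"C:\Windows\Temp\maui.exe -p C:\Windows\Temp -t 4 -x D:\Shares"},
    {"type": "process", "host": "ws02", "cmdline": "ssh -p 2222 user@host"},  # benign: only one option
    {"type": "file", "host": "ws01", "path": r"C:\Windows\Temp\maui.key"},
    {"type": "file", "host": "ws01", "path": r"C:\Windows\Temp\maui.evd"},
    {"type": "file", "host": "ws03", "path": r"C:\Users\a\notes.txt"},
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f.host, f.severity, f.reason)
```

In practice the file-artifact rule is the stronger signal; the command-line rule is a weak indicator that should be correlated with the log directory passed to -p.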

How Does Picus Help Simulate Maui Ransomware Attacks?

We also strongly suggest simulating Maui ransomware attacks to test the effectiveness of your security controls against ransomware using Picus' Complete Security Control Validation Platform. You can test your defenses against Maui ransomware and hundreds of other ransomware families such as Conti, DarkSide, and REvil (Sodinokibi) within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Maui ransomware:

ID      Threat Name
56700   Maui Ransomware Download Threat
64940   Maui Ransomware Email Threat

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus' Complete Security Control Validation Platform.

Indicators of Compromise


References

[1]https://www.cisa.gov/uscert/sites/default/files/publications/aa22-187a-north-korean%20state-sponsored-cyber-actors-use-maui-ransomware-to-target-the-hph-sector.pdf

[2]https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf