Healthcare organizations targeted with Maui ransomware

A less known ransomware threat dubbed Maui has been and is likely to continue hitting healthcare organizations, a new CISA alert warns.

Maui is unusual in many ways: it does not show a ransom note, it does not rely upon external infrastructure to receive encryption keys, and it does not encrypt files and/or systems indiscriminately. Instead, its operators – believed to be North Korean state-sponsored cyber actors – operate it manually and choose which things to encrypt.

In Maui ransomware incidents the FBI has responded since May 2021, the attackers primarily encrypted servers responsible for healthcare services (electronic health records, diagnostics, imaging, and intranet). “In some cases, these incidents disrupted the services provided by the targeted Healthcare and Public Health (HPH) Sector organizations for prolonged periods,” CISA explained.

Maui ransomware encryption

At the inner layer, files are encrypted using AES with a unique 16-byte key for each file, and the AES keys are RSA-encrypted using a key pair generated the first time Maui is run, Silas Cutler, Principal Reverse Engineer at Stairwell, explained.

“This key pair represents the second layer of encryption and, unless Maui is run under different conditions, will be unique to each system. At the final layer, runtime RSA keys are encrypted, using a different, hard-coded RSA public key (stored at the end of the Maui executable).”

It’s still unknown if this hard-coded public key is unique to campaigns, targeted networks, or individual operators.

Unfortunately, the FBI was unable to discover the initial access vector(s) used in the incidents they responded to, so CISA’s advice encompasses a wide range of mitigation actions organizations can take to minimize the risk of getting compromised via this and other ransomware.

The alert also includes helpful indicators of compromise. In Stairwell’s report there’s YARA rules for defecting the Maui ransomware, as well as a Python script for extracting public RSA keys stored in copies of Maui.

Attack attribution

According to Cutler, all the copies of Maui they have been able to get their hands on and analyze have been configured using an unidentified external builder and the malware contains embedded usage instructions. This all points to “an operational separation between developers and users of a malware family.”

“The Stairwell research team has not identified any public offerings for Maui and assesses that it is likely privately developed,” he noted.

The US authorities have pointed the finger at North Korean state-sponsored actors as the culprits of the attacks – though they haven’t explained why.

“The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health,” they noted, and urged targeted organizations not to pay the ransom because there is no guarantee their files and records will be recovered, and also because doing so would mean violating US sanctions against North Korea.




Share this