
CISA: North Korea-Backed Actors Using Maui Ransomware

Attackers backed by the North Korean government are using a custom ransomware variant known as Maui to target health care and public health organizations with manual intrusions, the US government says in a new advisory.

Maui is a relatively new ransomware strain; the FBI said it first responded to incidents involving Maui in May 2021. The samples of Maui seen in intrusions thus far were all compiled in April 2021, according to research by threat intelligence firm Stairwell, which published a detailed analysis of the ransomware Wednesday. Unlike many modern ransomware families, Maui is not offered as a service for affiliates to use in their own intrusions. Instead, researchers say Maui was privately developed and is being deployed by North Korean state-backed actors. Maui also lacks the automation that many other ransomware variants rely on; it is operated manually by the attackers.

“Maui is believed to be designed for manual execution by attackers. When executed at the command line without any arguments, Maui prints usage information, detailing supported command-line parameters. The only required argument is a folder path, which Maui will parse and encrypt identified files,” the Stairwell analysis by Silas Cutler, principal reverse engineer, says.

“Embedded usage instructions and the assessed use of a builder is common when there is an operational separation between developers and users of a malware family. The Stairwell research team has not identified any public offerings for Maui and assesses that it is likely privately developed.”

Maui has other unusual traits as well: it drops no ransom note, and it has no built-in mechanism for sending each victim's encryption keys back to the attackers.

“Instead of relying upon external infrastructure to receive encryption keys, Maui creates three files in the same directory it was executed from (unless a custom log directory is passed using the -p command line argument) containing the results of its execution. These files are likely exfiltrated by Maui operators and processed by private tooling to generate associated decryption tooling,” Cutler said.

In an advisory published Wednesday, the FBI, the Cybersecurity and Infrastructure Security Agency, and the Department of the Treasury attributed the use of Maui to North Korean state actors and said it is still unclear how the attackers are gaining initial access to victim networks.

“Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations. North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services. In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods. The initial access vector(s) for these incidents is unknown,” the advisory says.

“The FBI assesses North Korean state-sponsored cyber actors have deployed Maui ransomware against Healthcare and Public Health Sector organizations. The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health. Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting HPH Sector organizations.”

U.S. authorities and security researchers have attributed a number of high-profile intrusions and heists to the North Korean government and actors associated with it. Perhaps the two most well-known operations are the WannaCry ransomware attack and the attack on Bangladesh Bank in which the attackers stole more than $100 million. North Korea-backed actors also have been implicated in attacks on pharmaceutical companies and other organizations in the health field, particularly during the pandemic and its aftermath.