Threat Research

North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector | CISA

Securonix

This joint Cybersecurity Advisory explains that Maui ransomware has been used by North Korean state-sponsored actors since May 2021 to target Healthcare and Public Health sector organizations, detailing TTPs and IOCs. It urges mitigations and reporting, and warns against paying ransoms due to sanctions and reliability concerns. #MauiRansomware #NorthKoreanStateSponsoredActors #HealthcarePublicHealthSector #FBI #CISA #Treasury

Keypoints

  • The FBI, CISA, and Treasury describe Maui ransomware as a tool used by North Korean state-sponsored actors against Healthcare and Public Health sector organizations since May 2021.
  • Maui encrypts healthcare-related servers and services (electronic health records, diagnostics, imaging, intranet) using a mix of AES, RSA, and XOR, with per-file AES keys and RSA-encrypted keys.
  • The malware operates via a command-line interface to identify files to encrypt, indicating manual execution by a remote actor.
  • Maui creates temporary staging files during encryption and generates a Maui log, which may be exfiltrated for decryption control.
  • IoCs include specific filenames (maui.exe, maui.log, maui.key, maui.evd, aui.exe) and multiple MD5/SHA-256 hashes linked to Maui samples.
  • Mitigations emphasize offline backups, patching, least-privilege access, network segmentation, MFA, phishing training, and robust incident response planning.

MITRE Techniques

  • [T1059.008] Command-Line Interface – The remote actor uses command-line interface to interact with the malware and to identify files to encrypt. β€œThe remote actor uses command-line interface [T1059.008] to interact with the malware and to identify files to encrypt.”
  • [T1486] Data Encrypted for Impact – Maui encrypts target files with AES 128-bit encryption, using unique AES keys and RSA-encrypted keys. β€œMaui encrypts target files with AES 128-bit encryption.”
  • [T1132.001] Data Encoding – Maui encodes the RSA public key using XOR encryption, with the XOR key generated from hard drive information. β€œMaui loads the RSA public (maui.key) and private (maui.evd) keys… Maui encodes the RSA public key (maui.key) using XOR encryption. The XOR key is generated from hard drive information (.PhysicalDrive0).”
  • [T1074] Data Staged – During encryption, Maui creates a temporary file for each file it encrypts to stage output from encryption. β€œDuring encryption, Maui creates a temporary file for each file it encrypts using GetTempFileNameW().”
  • [T1041] Exfiltration – Actors likely exfiltrate maui.log and decrypt the file using associated decryption tools. β€œActors likely exfiltrate Maui.log and decrypt the file using associated decryption tools.”

Indicators of Compromise

  • [Filename] Maui ransomware IOCs observed – maui.exe, maui.log, maui.key, maui.evd, aui.exe
  • [MD5 Hash] Example hashes – 4118d9adce7350c3eedeb056a3335346, 9b0e7c460a80f740d455a7521f0eada1
  • [SHA256 Hash] Example hashes – 5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e, 45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78

Read more: https://www.cisa.gov/uscert/ncas/alerts/aa22-187a