FortiGuard Labs’ Ransomware Roundup highlights Maori, a Linux-targeting ransomware written in Go that encrypts files in the home directory and demands payment for decryption. The report notes ransom notes, contact methods via Tox and onionmail, and Fortinet protections and guidance for defense. #MaoriRansomware #Linux #Go
Keypoints
- Maori is a ransomware variant that targets Linux systems and encrypts files in the user home directory.
- It is written in Go and compiled for Linux, which complicates analysis.
- The infection vector is not disclosed; it is presumed to be similar to that of other ransomware groups, and the variant is not widely spread at present.
- Encrypted files receive a .maori extension and a README_MAORI.txt ransom note is dropped in each affected directory.
- The entire contents of affected files are encrypted, not just portions, making files larger after encryption.
- The ransom note instructs victims to contact the Maori operators via Tox, with an onionmail address provided as a backup communication method.
- The malware deletes itself after completing encryption to avoid traces.
- Fortinet provides protections (AV, FortiEDR) and guidance on backups, phishing awareness, and security best practices to mitigate ransomware.
MITRE Techniques
- [T1486] Data Encrypted for Impact – The ransomware encrypts files on victims’ machines to extort money. “encrypts files on the compromised machine and demands ransom for file decryption”
- [T1070.004] File Deletion – The malware deletes itself after completion. “The Maori executable deletes itself from the victim machine.”
- [T1071.001] Web Protocols – The ransom note instructs contacting operators via Tox and onionmail. “The ransom note asks the victim to contact them using Tox (a peer-to-peer, end-to-end encrypted messenger application). It also provides an onionmail e-mail address as a backup communication method.”
Indicators of Compromise
- [SHA256] a5ed581ad5cd1a2f29473cb56116cd179bfe61a924969b2dedbe07660eef9bc5 – Maori ransomware
- [File extension] .maori – appended to encrypted files
- [File name] README_MAORI.txt – ransom note dropped in directories with encrypted files
- [Signature] ELF/Filecoder.933E!tr – FortiGuard Labs AV signature for Maori
- [Malware] Maori ransomware – ransomware family name
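The file-system artefacts above (the .maori extension and the README_MAORI.txt note dropped in each affected directory) are enough for a quick host triage. The following scanner is an added defender-side example, not code from the FortiGuard report; it walks a directory tree, groups the artefacts per directory, and flags directories where a note and encrypted files do not appear together. The sample home-directory layout it builds is constructed for the demonstration.

```python
"""Triage scan for Maori ransomware artefacts on a Linux host (added example)."""
import os
import tempfile

# Artefact names reported by FortiGuard Labs for Maori.
ENCRYPTED_EXT = ".maori"
RANSOM_NOTE = "README_MAORI.txt"


def scan_for_maori(root):
    """Walk `root` and report, per directory, encrypted files and ransom notes.

    Returns {directory: {"encrypted": [names], "note": bool}} for directories
    containing at least one artefact.
    """
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = sorted(f for f in filenames if f.endswith(ENCRYPTED_EXT))
        has_note = RANSOM_NOTE in filenames
        if encrypted or has_note:
            findings[dirpath] = {"encrypted": encrypted, "note": has_note}
    return findings


def summarize(findings):
    """Aggregate counts for an incident ticket and flag inconsistent directories."""
    total_files = sum(len(v["encrypted"]) for v in findings.values())
    dirs_with_note = sum(1 for v in findings.values() if v["note"])
    # A note without encrypted files (or the reverse) deserves a closer look:
    # it may indicate an interrupted run, a partial clean-up, or a lookalike.
    mismatched = sorted(d for d, v in findings.items() if v["note"] != bool(v["encrypted"]))
    return {"encrypted_files": total_files, "dirs_with_note": dirs_with_note,
            "affected_dirs": len(findings), "mismatched_dirs": mismatched}


def demo_scan():
    """Build a constructed home-directory layout (sample data, not a real infection) and scan it."""
    with tempfile.TemporaryDirectory() as home:
        docs = os.path.join(home, "Documents")
        pics = os.path.join(home, "Pictures")
        os.makedirs(docs)
        os.makedirs(pics)
        for name in ("report.odt.maori", "budget.xlsx.maori", RANSOM_NOTE):
            open(os.path.join(docs, name), "w").close()
        open(os.path.join(pics, "cat.jpg"), "w").close()    # untouched directory
        open(os.path.join(home, RANSOM_NOTE), "w").close()  # note but no encrypted files
        findings = scan_for_maori(home)
        # Report paths relative to the scanned root so results are stable.
        rel = {os.path.relpath(d, home): v for d, v in findings.items()}
        return rel, summarize(rel)
```

Run `scan_for_maori` against a user's home directory during triage; `demo_scan()` shows the expected shape of the output on the constructed sample.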
Read more: https://www.fortinet.com/blog/threat-research/ransomware-roundup-maori