North Korean state-sponsored cyber threat actors have used Maui ransomware to target both the healthcare and public health sectors, according to U.S. cybersecurity alerts.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) released the joint Cybersecurity Advisory (CSA) to provide information — including tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) — on Maui ransomware obtained from FBI incident response activities and industry analysis of a Maui sample. 

Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH sector organizations. North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services, including electronic health records, diagnostics, imaging, and intranet services. In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods. The initial access vector(s) for these incidents is unknown.

Maui ransomware is an encryption binary. An analysis of a sample of Maui provided in Stairwell Threat Report: Maui Ransomware — the ransomware appears to be designed for manual execution by a remote actor. The remote actor uses a command-line interface to interact with the malware and to identify files to encrypt. 

Maui uses a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption to encrypt target files:

1. Maui encrypts target files with AES 128-bit encryption. Each encrypted file has a unique AES key, and each file contains a custom header with the file’s original path, allowing Maui to identify previously encrypted files. The header also contains encrypted copies of the AES key.
2. Maui encrypts each AES key with RSA encryption. Maui loads the RSA public and private keys in the same directory as itself. 
3. Maui encodes the RSA public key using XOR encryption. The XOR key is generated from hard drive information).

According to Aaron Turner, CTO, SaaS Protect at Vectra, the Maui campaign is interesting in that a ransomware campaign is being selective. “However, if North Korea is really involved, then it is conceivable that the ransomware activities are only an after-thought for when attackers have exfiltrated the selected data that they want before initiating the encryption of files to block access.”

Turner believes the use of operator-driven selective encryption is most likely an indicator that the Maui campaign is not just a ransomware activity, “but most likely a combination of intellectual property theft / industrial espionage combined with opportunistic monetization activities through ransomware.”

The FBI, CISA, and Treasury urge Healthcare and Public Health (HPH) Sector organizations as well as other critical infrastructure organizations to apply the recommendations in the mitigations section of the CSA to reduce the likelihood of compromise from ransomware operations. Victims of Maui ransomware should report the incident to their local FBI field office or CISA. 

See Stairwell Threat Report: Maui Ransomware for additional information on Maui ransomware, see CISA's Alert for mitigation strategies.