Maui Ransomware

North Korean State Sponsored Hackers Target US Health Providers With ‘Maui’ Ransomware


The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Department of the Treasury (Treasury) have released a joint Cybersecurity Advisory (CSA) showing that North Korean state-sponsored cyber actors are using the Maui ransomware to target Healthcare and Public Health (HPH) Sector organizations in the US.

The North Korean state-sponsored hackers used Maui ransomware to encrypt servers responsible for healthcare services. These servers host electronic health records services, diagnostics services, imaging services and intranet services. The summary and technical details below are taken from alert AA22-187A.

Technical Details

Maui ransomware (maui.exe) is an encryption binary. According to industry analysis of a sample of Maui (SHA256: 5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e) provided in Stairwell Threat Report: Maui Ransomware—the ransomware appears to be designed for manual execution [TA0002] by a remote actor. The remote actor uses command-line interface [T1059.008] to interact with the malware and to identify files to encrypt.

Maui uses a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption to encrypt [T1486] target files:

  1. Maui encrypts target files with AES 128-bit encryption. Each encrypted file has a unique AES key, and each file contains a custom header with the file’s original path, allowing Maui to identify previously encrypted files. The header also contains encrypted copies of the AES key.
  2. Maui encrypts each AES key with RSA encryption.
    • Maui loads the RSA public (maui.key) and private (maui.evd) keys in the same directory as itself.
  3. Maui encodes the RSA public key (maui.key) using XOR encryption. The XOR key is generated from hard drive information (\\.\PhysicalDrive0).

During encryption, Maui creates a temporary file for each file it encrypts using GetTempFileNameW(). Maui uses the temporary file to stage output from encryption. After encrypting files, Maui creates maui.log, which contains output from Maui execution. Actors likely exfiltrate [TA0010] maui.log and decrypt the file using associated decryption tools.
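As an added illustration (not code from the advisory, Stairwell or this post), the following Python routine triages constructed endpoint telemetry for the indicators described above: the cited sample hash, the maui.exe name, the maui.key/maui.evd pair in the binary's own directory, creation of maui.log, and raw access to \\.\PhysicalDrive0. The event format (process, file and raw_access dicts) is an assumption made for the example.

```python
"""Triage constructed endpoint events for the Maui ransomware indicators named in the advisory."""
from collections import defaultdict

# SHA-256 of the Maui sample cited in the advisory text.
MAUI_SHA256 = "5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e"
KEY_FILES = {"maui.key", "maui.evd"}  # RSA public/private keys loaded from the binary's directory
LOG_FILE = "maui.log"                 # execution log the actors are likely to exfiltrate
RAW_DISK = r"\\.\PhysicalDrive0"      # drive information used to derive the XOR key

# Constructed sample telemetry (not real logs); one dict per event, format assumed for this example.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4242, "image": r"C:\Users\Public\maui.exe", "sha256": MAUI_SHA256},
    {"type": "file", "pid": 4242, "path": r"C:\Users\Public\maui.key"},       # key file opened
    {"type": "file", "pid": 4242, "path": r"C:\Users\Public\maui.evd"},
    {"type": "raw_access", "pid": 4242, "target": r"\\.\PhysicalDrive0"},
    {"type": "file", "pid": 4242, "path": r"C:\Users\Public\maui.log"},       # log written at the end
    {"type": "process", "pid": 1000, "image": r"C:\Windows\System32\notepad.exe", "sha256": "0" * 64},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def triage(events):
    """Return {pid: set_of_findings} for every process that matches at least one Maui indicator."""
    findings = defaultdict(set)
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    key_files_seen = defaultdict(set)  # pid -> key file names accessed in the image's directory
    for e in events:
        pid = e["pid"]
        if e["type"] == "process":
            if e["sha256"].lower() == MAUI_SHA256:
                findings[pid].add("known_maui_hash")
            if basename(e["image"]) == "maui.exe":
                findings[pid].add("maui_exe_name")
        elif e["type"] == "file":
            name = basename(e["path"])
            if name == LOG_FILE:
                findings[pid].add("maui_log_created")
            if name in KEY_FILES and pid in images and dirname(e["path"]) == dirname(images[pid]):
                key_files_seen[pid].add(name)
        elif e["type"] == "raw_access" and e["target"].lower() == RAW_DISK.lower():
            findings[pid].add("physicaldrive0_access")
    for pid, names in key_files_seen.items():
        if names == KEY_FILES:  # both RSA key files sit beside the binary, as the advisory describes
            findings[pid].add("rsa_keypair_beside_binary")
    return dict(findings)
```

Several independent indicators firing for the same process is a much stronger signal than any one of them, so the routine returns the whole set per PID rather than a single boolean.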

See Stairwell Threat Report: Maui Ransomware for additional information on Maui ransomware, including YARA rules and a key extractor.

At the time of this post CISA does not know the identity of the actors and is requesting that any incidents be reported to your local FBI field office. In the meantime CISA recommends the following actions to mitigate ransomware attacks.

  • Limit access to data by deploying public key infrastructure and digital certificates.
  • Use standard user accounts on internal systems instead of administrative accounts.
  • Turn off network device management interfaces such as Telnet, SSH, Winbox, and HTTP for wide area networks (WANs).
  • Secure personal identifiable information (PII)/patient health information (PHI) at collection points.
  • Protect stored data by masking the permanent account number (PAN).
  • Secure the collection, storage, and processing practices.
  • Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI.

If you are looking for Malware/Ransomware help for your company, please give MPG online a call at 678-824-5990 today and let us help you or click here to learn more about our Malware Protection.

Acknowledgements

CISA, Stairwell
