Three US agencies have warned of a lesser-known ransomware called Maui, which has been targeting IT services at healthcare and public health organizations since May 2021.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) issued a new warning this week about Maui ransomware — a Windows executable “maui.exe” — so early. analysis suggests is designed for attackers to manually select files for encryption.
The FBI has attributed Maui attacks to North Korean state-sponsored cyber attackers and has been responding to incidents at U.S. healthcare organizations since May 2021.
The agencies believe that Maui health attacks will continue because the attackers assume that these organizations will pay.
“The FBI assesses that North Korean state-sponsored cyber actors have deployed Maui ransomware against healthcare organizations and the public health sector (HPH). North Korean state-sponsored cyber actors likely believe that healthcare organizations are willing to pay ransoms pay because these organizations provide services critical to human life and health,” the warning is†
“Because of this assumption, the FBI, CISA and Treasury assess that DPRK state-sponsored actors are likely to continue targeting HPH sector organizations.”
The Agencies’ Alert References a report by security firm Stairwell principal reverse engineer, Silas Cutler. Stairwell does not attribute Maui to an actor in his report.
But Cutler says Maui differs from better-known ransomware-as-a-service gangs like Conti, LockBit, and BlackCat because Maui doesn’t have an embedded ransom note with recovery instructions, and it appears to be manually operated by attackers via the command line. Stairwell notes that Maui uses a similar file encryption strategy that Conti used in 2021.
The FBI says it has been responding to multiple Maui ransomware incidents at healthcare organizations since May 2021 that targeted several healthcare IT services for encryption.
“North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for health care services, including electronic health records, diagnostic services, imaging services and intranet services,” the agencies say in the warning.
“In some cases, these incidents have disrupted the services of the targeted HPH Sector organizations for extended periods of time. The initial access vector(s) for these incidents is unknown.”
Not knowing how the attackers initially gained access to victim networks, the agencies are warning organizations to beware of common attack vectors, including phishing emails and attacks on Remote Desktop Protocol (RDP) services and virtual desktop infrastructure.
It also urges healthcare organizations to deploy public key cryptography and digital certificates to verify network connections, Internet of Things medical devices, and electronic health records.
Maui’s design for selectively targeting files and certain sectors is vastly different from WannaCry, the only other ransomware attributed to North Korean state-sponsored actors in CISA’s Overview of Cyber Threats in North Korea†
Most recent cyber threat warnings from North Korea Concerned About Major Hacks On Cryptocurrency Exchanges by the Lazarus group and its subgroups.
In particular, the warning highlights a ransomware advice from Treasury updated in September 2021 to warn of sanctions and risks for organizations making ransomware payments to groups designated by the Treasury’s Office of Foreign Assets Control (OFAC).
Sanction violations could be treated more discreetly if incidents and ransom payments by victims are reported to law enforcement.
“The updated advisory states that when affected parties take these proactive steps, the United States Treasury Department is more likely to release clear sanctions related to ransomware attacks with a non-public enforcement response,” the warning reads.
The US is stricter rules for federal agencies to report cybersecurity incidents and ransomware payments through the Strengthening the US Cybersecurity Actpassed by the Senate in March.