United States government agencies recently released a joint Cybersecurity Advisory (CSA) providing information on how North Korean state-sponsored threat actors are actively using Maui ransomware to attack healthcare organizations.
The FBI says that since May 2021, North Korea threat actors have used Maui to encrypt servers responsible for healthcare services, such as electronic health records services, diagnostics services, imaging services, and intranet services.
It adds that these perpetrators are likely targeting the healthcare sector because they assume the organizations would be willing to pay the ransom, as they provide critical services and can ill afford any downtime.
The advisory reminds organizations that the U.S. government "highly discourages" paying ransoms, since it does not guarantee files and records will be recovered and may pose additional risks.
While large and active Ransomware-as-a-Service (RaaS) gangs like Conti, LockBit, and BlackCat always make headlines with their operations, it's important to learn about smaller ransomware families, as they can provide insight and help us understand more about cybercrime gangs as a whole.
Silas Cutler, Principal Reverse Engineer at security firm Stairwell, authored a report detailing Maui and what his team uncovered about the lesser-known ransomware variant. The report was published on June 7, 2022.
The Stairwell research team says that Maui "stood out" because it lacked some basic components commonly seen in other ransomware strains. Things such as an embedded ransom note with recovery instructions or an automated way of transmitting encryption keys to attackers were absent in Maui.
It is because of this that researchers think Maui is manually operated, meaning the threat actor(s) is specifically choosing what files to encrypt and then exfiltrating the results.
Silas provides a technical overview of Maui ransomware:
"The earliest identified copy of Maui was first collected by Stairwell's inception platform on 3 April 2022. All identified copies of Maui (as of this report) have shared a compilation timestamp of 15 April 2021 04:36:00 UTC. Based on overlapping compilation timestamps and error messages, it is believed that Maui is configured using an unidentified external builder.
Maui is believed to be designed for manual execution by attackers. When executed at the command line without any arguments, Maui prints usage information, detailing supported command-line parameters. The only required argument is a folder path, which Maui will parse and encrypt identified files."
The figure below shows Maui command line usage details:
The report continues:
"Embedded usage instructions and the assessed use of a builder is common when there is an operational separation between developers and users of a malware family. The Stairwell research team has not identified any public offerings for Maui and assesses that it is likely privately developed."
For more technical information, please see the report from Stairwell.
So, why would a cybercriminal use manually operated ransomware? It would seemingly be easy to fork over the crypto to use a popular RaaS. Tim McGuffin, Director of Adversarial Engineering at LARES Consulting, discusses the benefits to manual ransomware:
"This is still fairly rare, however, it's a good method to bypass modern Endpoint Protection and Canary files that would alert and kill automated, system-wide ransomware.
By targeting specific files, the attackers get to choose what is sensitive and what to exfiltrate in a much more tactical fashion when compared to a 'spray-and-pray' ransomware. This can show "good faith" from the ransomware group by allowing targeting and recovery of just sensitive files and not having to rebuild the entire server if the Operating System files are encrypted as well.
This 100% provides a stealth and surgical approach to ransomware, preventing defenders from alerting on automated ransomware, making it more difficult to use timing or behavior-based approaches to detection or response.
On the plus side, manual execution allows mature defense teams the ability to respond before the entire environment is encrypted, and allows for recovery from backups for specific folders instead of rebuilding the systems or environment from the ground up."
It is no secret that countries like North Korea and China have relied upon stealing trade secrets from other countries and organizations to develop their technologies in the last few decades. With the way that organizations have adapted to remote work in the last two years, it has become much easier for threat actors to access that sensitive data.
With the benefits McGuffin discussed when it comes to using manually operated ransomware, it's no surprise to see North Korea using it.
Aaron Turner, CTO at Vectra, shares his thoughts on Maui:
"This Maui campaign is interesting in that a ransomware campaign is being selective, however, if North Korea is really involved, then it is conceivable that the ransomware activities are only an after-thought for when attackers have exfiltrated the selected data that they want before initiating the encryption of files to block access.
In my opinion, this use of operator-driven selective encryption is most likely an indicator that the Maui campaign is not just a ransomware activity, but most likely a combination of intellectual property theft / industrial espionage combined with opportunistic monetization activities through ransomware."
If you work for a healthcare organization, or really any organization in critical infrastructure, it's important to take these warnings from the government seriously. It can be tiresome to continually hear about a new threat from North Korea, or China, or Russia, and it's easy to say "Oh, this probably won't happen to me." But in some cases, ransomware attacks can become life threatening under the right circumstances.
Nobody wants to be part of the organization that got hacked because they simply forgot to update their software.
For Maui ransomware specifically, the CSA provides a list of mitigations:
Follow SecureWorld News for the latest stories involving cybersecurity.