The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) are releasing this joint Cybersecurity Advisory (CSA) to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.
This joint CSA provides information, including tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), on Maui ransomware obtained from FBI incident response activities and industry analysis of a Maui sample. The FBI, CISA, and Treasury urge HPH Sector organizations as well as other critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to reduce the likelihood of compromise from ransomware operations. Victims of Maui ransomware should report the incident to their local FBI field office or CISA.
The FBI, CISA, and Treasury highly discourage paying ransoms, as doing so does not guarantee files and records will be recovered and may pose sanctions risks. Note: in September 2021, Treasury issued an updated advisory highlighting the sanctions risks associated with ransomware payments and the proactive steps companies can take to mitigate such risks. Specifically, the updated advisory encourages U.S. entities to adopt and improve cybersecurity practices and report ransomware attacks to, and fully cooperate with, law enforcement. The updated advisory states that when affected parties take these proactive steps, Treasury's Office of Foreign Assets Control (OFAC) would be more likely to resolve apparent sanctions violations involving ransomware attacks with a non-public enforcement response.
For more information on state-sponsored North Korean malicious cyber activity, see CISA's North Korea Cyber Threat Overview and Advisories webpage.
Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations. North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services, including electronic health records services, diagnostics services, imaging services, and intranet services. In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods. The initial access vector(s) for these incidents is unknown.
Maui ransomware (maui.exe) is an encryption binary. According to industry analysis of a sample of Maui (SHA256: 5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e) provided in the Stairwell Threat Report: Maui Ransomware, the ransomware appears to be designed for manual execution [TA0002] by a remote actor. The remote actor uses a command-line interface [T1059.008] to interact with the malware and to identify files to encrypt.
Maui uses a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption to encrypt [T1486] target files:
- Maui encrypts the target files with AES.
- Maui encrypts the AES keys with RSA. Maui loads the RSA public (maui.key) and private (maui.evd) keys from the same directory as itself.
- Maui encodes the RSA public key (maui.key) using XOR encryption. The XOR key is generated from hard drive information (\\.\PhysicalDrive0).

During encryption, Maui creates a temporary file for each file it encrypts using GetTempFileNameW(). Maui uses the temporary file to stage output from encryption. After encrypting files, Maui creates maui.log, which contains output from Maui execution. Actors likely exfiltrate [TA0010] maui.log and decrypt the file using associated decryption tools.
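The execution chain just described (manual launch of the binary, key files loaded from the binary's own directory, temp-file staging, maui.log written at the end) is what host telemetry would expose. The following is an added example, not code from the advisory or from Stairwell: it correlates constructed Sysmon-style process-creation and file-creation events and flags that pattern, treating a key file as high confidence only when it sits beside a Maui binary that was actually launched on the same host. The event field names (ts, host, type, image, target, cmdline), the hostnames, and the paths are assumptions made for this example.

```python
# Added example (not part of the CISA advisory and not Stairwell's code):
# correlate Sysmon-style process and file events to flag the Maui execution
# pattern: a maui.exe/aui.exe process, key files (maui.key, maui.evd) in the
# binary's own directory, and a maui.log written afterwards.
# Event field names and the sample records below are constructed.
import ntpath
from dataclasses import dataclass

MAUI_IMAGES = {"maui.exe", "aui.exe"}       # binary names from Table 1
MAUI_KEY_FILES = {"maui.key", "maui.evd"}   # RSA public / private key files
MAUI_LOG = "maui.log"


@dataclass
class Finding:
    rule: str      # which rule fired
    host: str
    detail: str    # path or command line that triggered it


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def detect_maui(events: list[dict]) -> list[Finding]:
    """Scan events (keys: ts, host, type 'process'|'file', image|target, cmdline).

    Events are processed in timestamp order so a key file is judged
    'co-located' only against binaries already launched on that host.
    """
    findings: list[Finding] = []
    launch_dirs: dict[str, set[str]] = {}   # host -> dirs a Maui binary ran from
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["type"] == "process":
            if _name(ev["image"]) in MAUI_IMAGES:
                launch_dirs.setdefault(host, set()).add(_dir(ev["image"]))
                detail = f"{ev['image']} {ev.get('cmdline', '')}".strip()
                findings.append(Finding("maui_process", host, detail))
        elif ev["type"] == "file":
            target = ev["target"]
            name = _name(target)
            if name in MAUI_KEY_FILES:
                # Maui loads its keys from its own directory, so a key file next
                # to a launched Maui binary is high confidence; a bare name match
                # elsewhere is reported at lower confidence instead of dropped.
                if _dir(target) in launch_dirs.get(host, set()):
                    findings.append(Finding("maui_keyfile_colocated", host, target))
                else:
                    findings.append(Finding("maui_keyfile_name_only", host, target))
            elif name == MAUI_LOG:
                findings.append(Finding("maui_log_written", host, target))
    return findings


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    {"ts": 1, "host": "ehr-db01", "type": "process",
     "image": r"C:\Windows\Temp\maui.exe", "cmdline": r"maui.exe D:\EHR\data"},
    {"ts": 2, "host": "ehr-db01", "type": "file", "target": r"C:\Windows\Temp\maui.key"},
    {"ts": 3, "host": "ehr-db01", "type": "file", "target": r"C:\Windows\Temp\maui.evd"},
    {"ts": 4, "host": "ehr-db01", "type": "file",
     "target": r"C:\Users\svc\AppData\Local\Temp\tmp1A2B.tmp"},  # GetTempFileNameW staging
    {"ts": 5, "host": "ehr-db01", "type": "file", "target": r"C:\Windows\Temp\maui.log"},
    {"ts": 6, "host": "pacs01", "type": "file", "target": r"C:\ProgramData\maui.key"},
    {"ts": 7, "host": "pacs01", "type": "process",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]


def rule_counts(events: list[dict]) -> dict[str, int]:
    """Number of findings per rule, convenient for tuning and for tests."""
    counts: dict[str, int] = {}
    for f in detect_maui(events):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect_maui(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule} -> {f.detail}")
```

On the constructed telemetry the ehr-db01 chain yields one process finding, two co-located key-file findings and one log finding, while the lone maui.key on pacs01 is surfaced only as a name-only match. The temp file created via GetTempFileNameW() is deliberately not a rule on its own: its name is generic and would fire on benign software.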
See Stairwell Threat Report: Maui Ransomware for additional information on Maui ransomware, including YARA rules and a key extractor.
See table 1 for Maui ransomware IOCs obtained from FBI incident response activities since May 2021.
Table 1: Maui Ransomware IOCs
Indicator Type | Value
---|---
Filename | maui.exe
Filename | maui.log
Filename | maui.key
Filename | maui.evd
Filename | aui.exe
MD5 Hash | 4118d9adce7350c3eedeb056a3335346
MD5 Hash | 9b0e7c460a80f740d455a7521f0eada1
MD5 Hash | fda3a19afa85912f6dc8452675245d6b
MD5 Hash | 2d02f5499d35a8dffb4c8bc0b7fec5c2
MD5 Hash | c50b839f2fc3ce5a385b9ae1c05def3a
MD5 Hash | a452a5f693036320b580d28ee55ae2a3
MD5 Hash | a6e1efd70a077be032f052bb75544358
MD5 Hash | 802e7d6e80d7a60e17f9ffbd62fcbbeb
SHA256 Hash | 5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e
SHA256 Hash | 45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78
SHA256 Hash | 56925a1f7d853d814f80e98a1c4890b0a6a84c83a8eded34c585c98b2df6ab19
SHA256 Hash | 830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570
SHA256 Hash | 458d258005f39d72ce47c111a7d17e8c52fe5fc7dd98575771640d9009385456
SHA256 Hash | 99b0056b7cc2e305d4ccb0ac0a8a270d3fceb21ef6fc2eb13521a930cea8bd9f
SHA256 Hash | 3b9fe1713f638f85f20ea56fd09d20a96cd6d288732b04b073248b56cdaef878
SHA256 Hash | 87bdb1de1dd6b0b75879d8b8aef80b562ec4fad365d7abbc629bcfc1d386afa6
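The table's values can be consumed directly by a host sweep. The following is an added example, not code from the advisory or from Stairwell: it walks a directory tree, matches file names against the Filename indicators and streamed MD5/SHA256 digests against the hash indicators, and reports why each file matched. The indicator values are the ones in Table 1; the temporary directory built by demo() and its placeholder files are constructed for this example, so only the filename rule can fire on them (a hash hit requires a genuine sample).

```python
# Added example (not from the CISA advisory or Stairwell): sweep a directory
# tree for the Table 1 indicators. Indicator values are the advisory's; the
# temporary tree and files created by demo() are constructed for the example.
import hashlib
import os
import tempfile

IOC_FILENAMES = {"maui.exe", "aui.exe", "maui.log", "maui.key", "maui.evd"}
IOC_MD5 = {
    "4118d9adce7350c3eedeb056a3335346", "9b0e7c460a80f740d455a7521f0eada1",
    "fda3a19afa85912f6dc8452675245d6b", "2d02f5499d35a8dffb4c8bc0b7fec5c2",
    "c50b839f2fc3ce5a385b9ae1c05def3a", "a452a5f693036320b580d28ee55ae2a3",
    "a6e1efd70a077be032f052bb75544358", "802e7d6e80d7a60e17f9ffbd62fcbbeb",
}
IOC_SHA256 = {
    "5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e",
    "45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78",
    "56925a1f7d853d814f80e98a1c4890b0a6a84c83a8eded34c585c98b2df6ab19",
    "830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570",
    "458d258005f39d72ce47c111a7d17e8c52fe5fc7dd98575771640d9009385456",
    "99b0056b7cc2e305d4ccb0ac0a8a270d3fceb21ef6fc2eb13521a930cea8bd9f",
    "3b9fe1713f638f85f20ea56fd09d20a96cd6d288732b04b073248b56cdaef878",
    "87bdb1de1dd6b0b75879d8b8aef80b562ec4fad365d7abbc629bcfc1d386afa6",
}


def hash_file(path: str, chunk: int = 1 << 20) -> tuple[str, str]:
    """Return (md5, sha256) hex digests, streaming so large files are not loaded whole."""
    md5 = hashlib.md5(usedforsecurity=False)  # MD5 is only an IOC lookup key here
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def sweep(root: str) -> list[tuple[str, list[str]]]:
    """Walk root and return (path, [reasons]) for every file matching an indicator."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in IOC_FILENAMES:
                reasons.append("filename")
            try:
                md5, sha = hash_file(path)
            except OSError:
                md5 = sha = None   # locked/unreadable: keep any filename hit, skip hashes
            if md5 in IOC_MD5:
                reasons.append("md5")
            if sha in IOC_SHA256:
                reasons.append("sha256")
            if reasons:
                hits.append((path, reasons))
    return hits


def demo() -> list[tuple[str, list[str]]]:
    """Build a constructed tree with one indicator-named file and run the sweep."""
    with tempfile.TemporaryDirectory() as root:
        staging = os.path.join(root, "Windows", "Temp")
        os.makedirs(staging)
        with open(os.path.join(staging, "maui.key"), "wb") as fh:
            fh.write(b"constructed placeholder, not a real key file")
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"benign content")
        return [(os.path.relpath(p, root).replace("\\", "/"), r) for p, r in sweep(root)]


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, reasons)
```

Treat filename-only hits as leads to triage and hash hits as confirmed; an actor can rename the binary (the advisory itself lists aui.exe), and a recompiled variant will not match any of the eight hashes, which is why the YARA rules in the Stairwell report belong alongside this sweep rather than in place of it.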
Attribution to North Korean State-Sponsored Cyber Actors
The FBI assesses North Korean state-sponsored cyber actors have deployed Maui ransomware against Healthcare and Public Health Sector organizations. The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health. Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting HPH Sector organizations.
The FBI, CISA, and Treasury urge HPH Sector organizations to:
In addition, the FBI, CISA, and Treasury urge all organizations, including HPH Sector organizations, to apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.
(Remote Desktop Protocol, TCP port 3389).

If a ransomware incident occurs at your organization:
Note: the FBI, CISA, and Treasury strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.
The FBI is seeking any information that can be shared, including boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files. As stated above, the FBI discourages paying ransoms. Payment does not guarantee files will be recovered and may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, the FBI understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees, and customers. Regardless of whether you or your organization has decided to pay the ransom, the FBI, CISA, and Treasury urge you to promptly report ransomware incidents to the FBI at a local FBI Field Office, CISA at us-cert.cisa.gov/report, or the USSS at a USSS Field Office. Doing so provides the U.S. Government with critical information needed to prevent future attacks by identifying and tracking ransomware actors and holding them accountable under U.S. law.
The FBI, CISA, and Treasury would like to thank Stairwell for their contributions to this CSA.
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at fbi.gov/contact-us/field, or the FBI's 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [email protected]. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [email protected].
Revisions: July 6, 2022: Initial version. July 7, 2022: Added STIX.
www.fbi.gov/contact-us/field
www.rewardsforjustice.net/rewards/foreign-malicious-cyber-activity-against-u-s-critical-infrastructure/
www.secretservice.gov/contact/field-offices/
attack.mitre.org/versions/v11/tactics/TA0002/
attack.mitre.org/versions/v11/techniques/T1059/008/
attack.mitre.org/versions/v11/techniques/T1486/
csrc.nist.gov/publications/detail/sp/800-63b/final
home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf
stairwell.com/news/threat-research-report-maui-ransomware/
us-cert.cisa.gov/ncas/alerts/aa20-245a
us-cert.cisa.gov/ncas/tips/ST05-012
us-cert.cisa.gov/report
www.cisa.gov/healthcare-and-public-health-sector
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Protecting_Sensitive_and_Personal_Information_from_Ransomware-Caused_Data_Breaches-508C.pdf
www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf
www.cisa.gov/stopransomware/
www.cisa.gov/tips/st04-002
www.cisa.gov/uscert/ncas/current-activity/2021/06/30/cisas-cset-tool-sets-sights-ransomware-threat
www.cisa.gov/uscert/northkorea
www.fbi.gov/contact-us/field-offices
www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule
www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx