The FBI, CISA, and the US Treasury Department have released a joint advisory on North Korean state-sponsored attacks against healthcare organisations using Maui ransomware, urging healthcare organisations to implement cyber security controls to protect against these attacks.

Maui ransomware is manually deployed across compromised victims’ networks, with remote operators targeting specific files to encrypt. Maui also stands out compared to other ransomware strains by not dropping a ransom note on encrypted systems to provide victims with data recovery instructions.

Phoenix analysis

Maui uses a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption to encrypt target files:

  1. Encrypts target files with AES 128-bit encryption. Each encrypted file has a unique AES key, and each file contains a custom header with the file’s original path, allowing Maui to identify previously encrypted files. The header also contains encrypted copies of the AES key.
  2. Encrypts each AES key with RSA encryption and loads the RSA public (maui.key) and private (maui.evd) keys in the same directory as itself
  3. Encodes the RSA public key (maui.key) using XOR encryption. The XOR key is generated from hard drive information (\\.\PhysicalDrive0)

During encryption, Maui creates a temporary file for each file it encrypts using GetTempFileNameW(). It then uses the temporary file to stage output from encryption and, after encrypting the files, creates maui.log, which contains output from Maui execution. Actors likely exfiltrate maui.log and decrypt the file using associated decryption tools.
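As an added hunting example (not from the advisory or from Phoenix), the following Python script walks a file tree for the file names the analysis above attributes to Maui (maui.key, maui.evd, maui.log) and rates a directory higher when the RSA key pair is co-located, which is the staging layout described. The directory layout it scans is constructed sample data, not a real infection.

```python
import os
import tempfile
from pathlib import Path

# File names the advisory associates with Maui: the RSA key pair the
# operator stages next to the binary, and the run log it writes.
MAUI_ARTIFACTS = {"maui.key", "maui.evd", "maui.log"}


def scan_for_maui_artifacts(root):
    """Walk `root` and report every directory holding Maui-named files.

    Returns a list of dicts {"dir", "files", "severity"}.  "high" means the
    RSA key pair (maui.key + maui.evd) sits together, matching the described
    deployment layout; "medium" means only maui.log or a lone key file.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        present = sorted(MAUI_ARTIFACTS & {f.lower() for f in filenames})
        if not present:
            continue
        if "maui.key" in present and "maui.evd" in present:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"dir": dirpath, "files": present, "severity": severity})
    return findings


def build_constructed_sample(base):
    """Create a constructed directory layout (sample data only) so the
    scanner can be exercised offline: one staged key pair plus log, one
    stray log file with different casing, and one clean directory."""
    staged = Path(base) / "staging"
    staged.mkdir(parents=True, exist_ok=True)
    for name in ("maui.key", "maui.evd", "maui.log"):
        (staged / name).write_bytes(b"constructed placeholder\n")
    logs = Path(base) / "logs"
    logs.mkdir(exist_ok=True)
    (logs / "MAUI.LOG").write_bytes(b"constructed placeholder\n")
    clean = Path(base) / "documents"
    clean.mkdir(exist_ok=True)
    (clean / "report.docx").write_bytes(b"not an artifact\n")


def run_demo():
    """Build the constructed sample in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return scan_for_maui_artifacts(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f["severity"].upper(), f["dir"], ", ".join(f["files"]))
```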

How to mitigate and prevent ransomware attacks

  • Install updates for operating systems, software, and firmware as soon as they are released. This is the most efficient and cost-effective step to minimise your exposure to cyber security threats
  • If you use Remote Desktop Protocol (RDP) or other potentially risky services, secure and monitor them closely. Ensure devices are properly configured, restrict the Server Message Block (SMB) protocol, review the security posture of third-party vendors, implement allowlisting policies for applications and remote access, and open document readers in protected viewing modes
  • Implement a user training programme and phishing exercises to raise awareness among users about the risks of suspicious websites, links, and attachments
  • Require Multifactor Authentication (MFA) for as many services as possible, especially for webmail, VPNs, critical system accounts, and privileged accounts that handle backups
  • Require admin credentials to install software
  • Audit user accounts with administrative or elevated privileges
  • Install and regularly update antivirus and antimalware software on all hosts
  • Only use secure networks and avoid using public Wi-Fi networks – preferably use a VPN
  • Consider adding an email banner to messages coming from outside your organisation
  • Disable hyperlinks in received emails

Responding to ransomware incidents

If you are one of our Sentinel Essentials customers, you will have custom threat detection rules implemented within your environment for active detection. In addition, our SOC analysts are proactively threat hunting for any Maui ransomware indicators of compromise (IOCs) on an ongoing basis.

This is an ongoing event and we are continuing to track the developments. If you have any questions or need assistance, please contact our IT service desk on 01904 562207 or email [email protected].