The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) this week issued a new alert about Maui ransomware — a Windows executable “maui.exe” — that early analysis suggests is designed for attackers to manually select files for encryption.
The FBI has attributed Maui attacks to North Korean state-sponsored cyber attackers and has responded to incidents at US healthcare organizations since May 2021.
The agencies believe Maui attacks on health will continue because the attackers assume these organizations will pay.
“The FBI assesses North Korean state-sponsored cyber actors have deployed Maui ransomware against Healthcare and Public Health Sector (HPH) organizations. The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health,” the alert states.
“Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting HPH Sector organizations.”
The agencies’ alert references a report by security company Stairwell principal reverse engineer, Silas Cutler. Stairwell doesn’t attribute Maui to any actor in its report.
But Cutler says Maui stands apart from better known ransomware-as-a-service gangs like Conti, LockBit, and BlackCat because Maui lacks an embedded ransom note with recovery instructions, and it appears to be manually operated by attackers via the command line. Stairwell notes Maui uses a similar strategy for encrypting files that Conti used in 2021.
The FBI says that since May 2021 it has responded to multiple Maui ransomware incidents at healthcare organizations where a variety of IT healthcare services were targeted for encryption.
“North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services — including electronic health records services, diagnostics services, imaging services, and intranet services,” the agencies say in the alert.
“In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods. The initial access vector(s) for these incidents is unknown.”
Given that the agencies don’t know how the attackers initially gained access to victim networks, they’re warning organizations to beware of the usual attack vectors, including phishing emails and attacks on Remote Desktop Protocol (RDP) services and virtual desktop infrastructure.
It also urges healthcare organizations to deploy public key cryptography and digital certificates to authenticate connections with the network, Internet of Things medical devices, and electronic health record systems.
Maui’s design for selectively targeting files and certain sectors is hugely different to WannaCry, the only other ransomware attributed to North Korea state-sponsored actors in CISA’s North Korea cyber-threat overview.
Most of the recent alerts about cyber threats from North Korea have concerned major hacks on cryptocurrency exchanges by the Lazarus group and its sub-groups.
The alert notably highlights a ransomware advisory from Treasury that was updated in September 2021, which warns of sanctions and risks to organizations that make ransomware payments to groups designated by the Treasury’s Office of Foreign Assets Control (OFAC).
OFAC designated the Lazarus Group and two sub-groups in September 2019.
Violations of sanctions could be treated more discretely if incidents and ransom payments are reported by victims to law enforcement.
“The updated advisory states that when affected parties take these proactive steps, Treasury’s Office of Foreign Assets Control (OFAC) would be more likely to resolve apparent sanctions violations involving ransomware attacks with a non-public enforcement response,” the alert notes.
The US is strengthening rules for federal agencies to report cybersecurity incidents and ransomware payments through the Strengthening American Cybersecurity Act, passed by Senate in March.