Malware with manual twist and North Korean connection poses threat to healthcare providers.

A cybersecurity advisory about the ransomware known as Maui has been issued by the FBI, CISA and the U.S. Treasury Department. The agencies assert that North Korean state-sponsored cyber actors have used the malware since at least May 2021 to target healthcare and public health sector organizations.

The FBI surmises that the threat actors are targeting healthcare organizations because those entities are critical to human life and health, so they’re more likely to pay ransoms than risk disruption to their services. For that reason, the FBI and the other agencies issuing the advisory maintain that the state-sponsored actors will continue to target healthcare organizations.

While the federal agencies were issuing their advisory, the threat hunting, detection and response company Stairwell published an analysis of Maui in a blog post. “Maui stood out to us because of a lack of several key features we commonly see with tooling from RaaS providers, such as an embedded ransom note to provide recovery instructions or automated means of transmitting encryption keys to attackers,” Stairwell Principal Reverse Engineer Silas Cutler wrote. “Instead, we believe that Maui is manually operated, in which operators will specify which files to encrypt when executing it and then exfiltrate the resulting runtime artifacts.”

Maui ransomware can bypass modern endpoint protection

The approach being used by the Maui gang is fairly rare, notes Tim McGuffin, director of adversarial engineering at Lares Consulting, a security consulting firm. “It’s a good method to bypass modern endpoint protection and canary files that would alert and kill automated, system-wide ransomware,” he explains. By targeting specific files, McGuffin continues, the attackers get to choose what is sensitive and what to exfiltrate in a much more tactical fashion when compared to “spray-and-pray” ransomware.
“This can show ‘good faith’ from the ransomware group by allowing targeting and recovery of just sensitive files and not having to rebuild the entire server if the operating system files are encrypted as well,” he says.

While the approach can blind defenders looking for alerts generated by automated ransomware, McGuffin adds, the technique allows mature defense teams to respond before the entire environment is encrypted, and it allows for recovery from backups of specific folders instead of rebuilding the systems or environment from the ground up.

Ransomware requires manual research and analysis

Most advanced malware operators build some manual controls into their software, notes John Bambenek, a principal threat hunter at Netenrich, an IT and digital security operations company. “For organizational crippling ransomware attacks, threat actors need to manually identify the important assets and the weak points to truly take down a victim,” he says. “Automated [ransomware] tools simply cannot identify all the unique aspects of each organization to enable a complete takedown. Some manual research and analysis is involved.”

If North Korea is involved in the Maui campaign, then the ransomware attacks may be a secondary goal for the intruders, maintains Aaron Turner, CTO for SaaS Protect at Vectra, an AI cybersecurity company.
“In my opinion, this use of operator-driven selective encryption is most likely an indicator that the Maui campaign is not just a ransomware activity,” he says, “but most likely a combination of intellectual property theft and industrial espionage, combined with opportunistic monetization activities through ransomware.”
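McGuffin's point above is that a canary file only fires when automated ransomware sweeps the whole system; an operator who picks individual files never touches the decoy, so that alert stays silent. The following added example, which is not code from the article, from Stairwell or from Lares, contrasts the two detection approaches on a constructed write log: a decoy-file check versus an entropy check scoped to the sensitive directories a defender already knows to protect (and to back up at folder level, as the article describes). The paths, the 7.0 bits-per-byte threshold and the event lists are all assumptions made for the example.

```python
import math
from collections import Counter

# Hypothetical monitoring policy for this example: one decoy ("canary")
# document on a general share, plus a directory of sensitive records.
CANARY_PATHS = {"/srv/share/AAA_canary.docx"}
SENSITIVE_DIRS = ("/srv/records/",)
ENTROPY_THRESHOLD = 7.0  # bits per byte; ciphertext and compressed data sit near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def canary_alerts(events):
    """Paths in the event list that are decoy files; any write to one is an alert."""
    return [path for path, _ in events if path in CANARY_PATHS]


def entropy_alerts(events):
    """Paths under a sensitive directory that were overwritten with high-entropy content."""
    return [
        path
        for path, data in events
        if path.startswith(SENSITIVE_DIRS) and shannon_entropy(data) >= ENTROPY_THRESHOLD
    ]


# Constructed stand-ins: a uniform byte distribution models ciphertext output
# (entropy exactly 8.0); the text record models an ordinary plaintext file.
CIPHERTEXT_LIKE = bytes(range(256)) * 16
PLAINTEXT_NOTES = b"Meeting notes for Monday: review backup schedule.\n" * 40


def spray_and_pray_events():
    """Constructed write log for automated ransomware: every file, canary included."""
    return [
        ("/srv/share/AAA_canary.docx", CIPHERTEXT_LIKE),
        ("/srv/share/readme.txt", CIPHERTEXT_LIKE),
        ("/srv/records/patient_001.txt", CIPHERTEXT_LIKE),
    ]


def targeted_events():
    """Constructed write log for operator-chosen encryption: one sensitive file only."""
    return [
        ("/srv/records/patient_001.txt", CIPHERTEXT_LIKE),
        ("/srv/share/readme.txt", PLAINTEXT_NOTES),  # an unrelated, benign edit
    ]


def compare_detections():
    """Return which detector fires for each scenario, keyed by scenario name."""
    return {
        "spray": {
            "canary": canary_alerts(spray_and_pray_events()),
            "entropy": entropy_alerts(spray_and_pray_events()),
        },
        "targeted": {
            "canary": canary_alerts(targeted_events()),
            "entropy": entropy_alerts(targeted_events()),
        },
    }


if __name__ == "__main__":
    for scenario, result in compare_detections().items():
        print(f"{scenario}: canary={result['canary']} entropy={result['entropy']}")
```

In the targeted scenario the canary detector returns nothing while the entropy detector still flags the overwritten record, which is the gap McGuffin describes. An entropy threshold on its own produces false positives for legitimately compressed or encrypted files (archives, images, already-encrypted exports), so in practice it is paired with the file's expected type and scoped to the folders whose contents are worth a page-out, which are the same folders a team would restore selectively from backup.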