Joint Cybersecurity Advisory – North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector

The Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of the Treasury recently published a joint Cybersecurity Advisory (CSA) providing information on Maui ransomware, which has been utilized by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.

According to the advisory, “the Maui ransomware appears to be designed such that a remote actor manually uses command-line interface to interact with the malware and to identify files to encrypt. Maui uses a combination of legitimate encryption algorithms, including Advanced Encryption Standard (AES), RSA, and XOR encryption to encrypt target files. After encrypting files, Maui creates a file with output from its execution; actors likely exfiltrate the file and decrypts it using associated decryption tools.” The advisory also includes further technical details regarding this activity, including indicators of compromise and tactics, techniques, and procedures (TTPs), and lists recommended mitigations.

To report suspicious or criminal activity related to information found in advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at Cy*****@*bi.gov. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at CI*************@******hs.gov. Access the full advisory at CISA.