Maui ransomware

2022-07-06 Stairwell

https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf

Attachments

Stairwell-Threat-Report-Maui-Ransomware.pdf (342 KB)

Stairwell's Maui ransomware report provides a reverse-engineering analysis of a lesser-known ransomware family first collected in April 2022. Maui appears to be manually operated: an attacker supplies a target path at execution time, and the malware encrypts the selected files rather than spreading automatically or relying on embedded ransom-note infrastructure. The ransomware generates RSA keys at runtime, encrypts a per-file AES key with them, stores execution artifacts in local files (likely for the operator to exfiltrate), and protects the runtime keys with a hard-coded RSA public key embedded in the executable. Stairwell notes that Maui does not resemble a public RaaS offering and that its usage context remained unclear, but the technical details are relevant to later DPRK-linked Maui investigations and to defensive detection.

Indicators of Compromise

