North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector

2022-07-06 USCISA

https://www.cisa.gov/uscert/ncas/alerts/aa22-187a

The FBI, CISA, and Treasury reported that North Korean state-sponsored actors had used Maui ransomware since at least May 2021 against Healthcare and Public Health sector organizations. The intrusions encrypted servers supporting electronic health records, diagnostics, imaging, and intranet services, causing prolonged disruption in some cases while the initial access vectors remained unknown. The advisory describes Maui as a manually executed encryption binary operated through command-line activity, using AES, RSA, and XOR routines with local key and log artifacts that operators likely exfiltrate for decryption workflows. The notice also provides Maui hash indicators and warns healthcare and other critical-infrastructure defenders to mitigate ransomware risk and report incidents rather than paying ransoms.

Indicators of Compromise

