
Maui ransomware targeting medical institutions

A lesser-known ransomware threat called Maui has been attacking medical institutions and may continue to do so, a new CISA alert warns.

Maui is unusual in several ways: it displays no ransom note, it does not rely on external infrastructure to receive encryption keys, and it does not indiscriminately encrypt files or systems. Instead, the operator, believed to be a North Korean state-sponsored attacker, runs it manually and chooses what to encrypt.

The FBI has been responding to Maui ransomware incidents since May 2021. In them, attackers encrypted servers responsible for core medical services (electronic health records, diagnostics, imaging, intranets). “In some cases, these incidents disrupted the services provided by the targeted health and public health (HPH) sector organizations for a long period of time,” CISA explained.

Maui ransomware encryption

At the inner layer, files are encrypted with AES using a unique 16-byte key for each file, and each AES key is RSA-encrypted with a key pair generated during the first run of Maui, explained Silas Cutler, Principal Reverse Engineer at Stairwell.

“This key pair represents the second layer of encryption and will be unique to each system unless Maui runs under different conditions. In the final layer, the runtime RSA key is encrypted using another, hard-coded RSA public key (stored at the end of the Maui executable).”

It is still unclear if this hard-coded public key is unique to the campaign, target network, or individual operator.

Unfortunately, the FBI was unable to determine the initial access vector used in the incidents, so the CISA advisory instead lists various mitigations that organizations can apply to minimize the risk of being compromised by this and other ransomware.

The alert also includes useful indicators of compromise. Stairwell’s report provides a YARA rule to detect Maui ransomware and a Python script to extract the public RSA key stored in a copy of Maui.

Attribution of the attacks

According to Cutler, all copies of Maui that Stairwell was able to obtain and analyze were built with an unidentified external builder, and the malware had usage instructions embedded in it. All of this points to “operational separation between developers and users of the malware family.”

“Stairwell’s research team hasn’t identified a public offering on Maui and rates it as likely to have been privately developed,” he said.

U.S. officials pointed their fingers at North Korean state-sponsored actors as the perpetrators of the attacks, although they did not explain why.

“North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health.” The alert urges targeted organizations not to pay the ransom, since there is no guarantee that files and records will be recovered, and paying may violate US sanctions against North Korea.
