Maui Ransomware Detection: Novel Threat Targeting U.S. Healthcare and Public Health Sector
- Forest Blizzard aka Fancy Bear Attack Detection: russian-backed Hackers Apply a Custom GooseEgg Tool to Exploit CVE-2022-38028 in Attacks Against Ukraine, Western Europe, and North America - 24.04.2024
- UAC-0133 (Sandworm) Attack Detection: russia-Linked Hackers Aim to Cripple the Information and Communication Systems of 20 Critical Infrastructure Organizations Across Ukraine - 23.04.2024
- Akira Ransomware Detection: Joint Cybersecurity Advisory (CSA) AA24-109A Highlights Attacks Targeting Businesses and Critical Infrastructure in North America, Europe, and Australia - 19.04.2024
Table of contents:
Brace yourself for the new ransomware threat! On July 6, 2022, the FBI, CISA, and the Department of Treasury issued a joint Cybersecurity Advisory (CSA) to warn about Maui ransomware actively leveraged by the North Korean APT group to target organizations in the U.S. healthcare and public health sectors. The attacks have been observed since at least May 2021 posing an increasing menace to organizations due to the unusual routine. Particularly, Maui seems to be manually operated to choose files for encryption and lacks an embedded ransom note to provide recovery instructions.
Detect Maui Ransomware
Cybersecurity practitioners are continuously looking for ways to proactively defend against emerging threats and keep up with the ever-changing cyber threat landscape. To help organizations timely spot the malicious activity of the North Korean state-backed APT group leveraging Maui ransomware, SOC Prime’s Detection as Code platform curates a new Sigma rule crafted by our prolific Threat Bounty Program developer Nattatorn Chuensangarun. Follow the link below to instantly access the dedicated Compliance-based Sigma rule after signing up or logging into SOC Prime’s platform:
Progressive Threat Hunters and Detection Engineers eager to tap into the power of SOC Prime’s crowdsourced initiative are welcome to join Threat Bounty Program and contribute their own detection content while enriching collective cybersecurity expertise and monetizing their input.
The above-mentioned Sigma rule for Maui ransomware detection can be applied across 18 industry-leading SIEM, EDR, and XDR solutions, in both on-prem and cloud-native environments. The detection is aligned with the MITRE ATT&CK® framework addressing the Execution and Impact tactics with the Command and Scripting Interpreter (T1059) and Data Encrypted for Impact (T1486) techniques respectively.
According to SOC Prime’s research covered in our annual Detection as Code Innovation Report report, ransomware continued to be a rising trend throughout 2020-2021 with a growing sophistication of intrusions and an increasing number of malicious operators. SOC Prime’s platform produces a broad selection of detection algorithms to combat related threats. Registered SOC Prime users can get access to the comprehensive list of Sigma rules for ransomware detection by clicking the Detect & Hunt button. Alternatively, security practitioners can browse SOC Prime to instantly reach relevant Sigma rules accompanied by contextual metadata, including MITRE ATT&CK and CTI references, CVE descriptions, executable binaries linked to detections, and more by clicking the Explore Threat Context button.
Detect & Hunt Explore Threat Context
Maui Ransomware Description
According to the in-depth inquiry by Stairwell, Maui ransomware first emerged in April 2021 being attributed to the unnamed North Korea-backed APT actor. Starting from May 2021, the FBI is observing multiple attacks against U.S. healthcare and public health sectors leveraging Maui ransomware. The majority of the intrusions are aimed at servers responsible for healthcare services, including electronic healthcare records, diagnostics, imaging, and intranet.
Notably, Maui stands apart from the other ransomware-as-a-service (RaaS) rings due to its unusual operation routine. Ransomware operators tend to manually choose the files for encryption, making each intrusion unique and highly targeted. Additionally, Maui lacks any embedded ransom notes with recovery steps.
The attack kill chain starts with the execution of the encryption binary dubbed “maui.exe.” This string of malicious code locks files of the malware operator’s choice within the targeted infrastructure. Particularly, hackers leverage a command-line interface to identify which file to encrypt leveraging a mix of AES, RSA, and XOR encryption. Following the encryption, Maui ransomware creates a maui.log file containing the attack output which is further exfiltrated by adversaries and decrypted.
Join SOC Prime’s Detection as Code platform to effectively defend against existing and constantly emerging threats and significantly improve your organization’s cybersecurity posture. Are you a proactive cybersecurity practitioner striving for new horizons? Join the ranks of our Threat Bounty Program to write Sigma and YARA rules, share them with your industry peers, and gain recurring financial benefits for your contribution.
