The FBI, US Cybersecurity and Infrastructure Security Agency (CISA), and the Treasury Department on Wednesday warned about North Korean state-sponsored threat actors targeting organizations in the US healthcare and public-health sectors. The attacks are being carried out with a somewhat unusual, manually operated new ransomware tool called "Maui."
Since May 2021, there have been multiple incidents where threat actors operating the malware have encrypted servers responsible for critical healthcare services, including diagnostic services, electronic health records servers, and imaging servers at organizations in the targeted sectors. In some instances, the Maui attacks disrupted services at the victim organizations for a prolonged period, the three agencies said in an advisory.
"The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health,” according to the advisory. “Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting [healthcare and public health] Sector organizations."
Designed for Manual Operation
In a technical analysis on July 6, security firm Stairwell described Maui as ransomware that is notable for lacking features that are commonly present in other ransomware tools. Maui, for instance, does not have the usual embedded ransomware note with information for victims on how to recover their data. It also does not appear to have any built-in functionality for transmitting encryption keys to the hackers in automated fashion.
The malware instead appears designed for manual execution, where a remote attacker interacts with Maui via the command line interface and instructs it to encrypt selected files on the infected machine and exfiltrate the keys back to the attacker.
Stairwell said its researchers observed Maui encrypting files using a combination of the AES, RSA, and XOR encryption schemes. Each selected file is first encrypted using AES with a unique 16-byte key. Maui then encrypts each resulting AES key with RSA encryption, and then encrypts the RSA public key with XOR. The RSA private key is encoded using a public key embedded in the malware itself.
Silas Cutler, principal reverse engineer at Stairwell, says the design of Maui's file-encryption workflow is fairly consistent with other modern ransomware families. What's really different is the absence of a ransom note.
"The lack of an embedded ransom note with recovery instructions is a key missing attribute that sets it apart from other ransomware families," Cutler says. "Ransom notes have become calling cards for some of the large ransomware groups [and are] sometimes emblazoned with their own branding." He says Stairwell is still investigating how the threat actor is communicating with victims and exactly what demands are being made.
Security researchers say there are several reasons why the threat actor might have decided to go the manual route with Maui. Tim McGuffin, director of adversarial engineering at Lares Consulting, says manually operated malware has a better chance of evading modern endpoint protection tools and canary files compared with automated, systemwide ransomware.
"By targeting specific files, the attackers get to choose what is sensitive and what to exfiltrate in a much more tactical fashion when compared to a 'spray-and-pray' ransomware," McGuffin says. "This 100% provides a stealth and surgical approach to ransomware, preventing defenders from alerting on automated ransomware, and making it more difficult to use timing or behavior-based approaches to detection or response.”
From a technical standpoint, Maui doesn't utilize any sophisticated means to evade detection, Cutler says. What could make it additionally problematic for detection is its low profile.
"The lack of the common ransomware theatrics — [such as] ransom notes [and] changing user backgrounds — may result in users not being immediately aware that their files have been encrypted," he says.
Is Maui a Red Herring?
Aaron Turner, CTO at Vectra, says the threat actor's use of Maui in a manual and selective manner could be an indication that there are other motives behind the campaign than just financial gain. If North Korea really is sponsoring these attacks, it is conceivable that ransomware is only an afterthought and that the real motives lie elsewhere.
Specifically, it's most likely a combination of intellectual property theft or industrial espionage combined with opportunistic monetization of attacks with ransomware.
"In my opinion, this use of operator-driven selective encryption is most likely an indicator that the Maui campaign is not just a ransomware activity," Turner says.
The operators of Maui certainly would not be the first by far to use ransomware as cover for IP theft and other activities. The most recent example of another attacker doing the same is China-based Bronze Starlight, which according to Secureworks appears to be using ransomware as cover for extensive government-sponsored IP theft and cyber espionage.
Researchers say that in order to protect themselves, healthcare organizations should invest in a solid backup strategy. The strategy must include frequent, at least monthly, recovery testing to ensure the backups are viable, according to Avishai Avivi, CISO at SafeBreach
"Healthcare organizations should also take all precautions to segment their networks and isolate environments to prevent the lateral spread of ransomware," Avivi notes in an email. "These basic cyber-hygiene steps are a much better route for organizations preparing for a ransomware attack [than stockpiling Bitcoins to pay a ransom]. We still see organizations fail to take the basic steps mentioned. … This, unfortunately, means that when (not if) ransomware makes it past their security controls, they will not have a proper backup, and the malicious software will be able to spread laterally through the organization's networks."
Stairwell also has released YARA rules and tools that others can use to develop detections for the Maui ransomware.