Maui Ransomware

Maui Ransomware

Introduction: Maui ransomware, discovered in early 2021, has been attributed to North Korean state-sponsored threat actors. The threat gained attention in July 2022 when CISA issued Alert AA22-187A highlighting activities related to Maui ransomware campaigns.

Targets: Maui ransomware primarily targets large enterprises and high-value entities, with a specific focus on the healthcare and education sectors. There are indications of some geo-specific targeting.

Propagation: Maui ransomware employs phishing emails as its primary method of targeting victims. Additionally, it leverages exposed and vulnerable applications and services, such as Remote Desktop Protocol (RDP) and third-party frameworks like Empire, Metasploit, and Cobalt Strike.

Technical Details:

  • Attribution to North Korean Threat Actors:
    • Maui ransomware is attributed to North Korean state-sponsored threat actors.
    • CISA issued an alert in July 2022, outlining activities related to Maui ransomware campaigns.
  • No Ransom Note and Manual Operation:
    • Unlike many other ransomware families, Maui infections do not drop a ransom note.
    • The malware seems to require direct and manual operation, with command-line parameters necessary to direct the ransomware payload towards specific files for encryption.
  • AES-128 Encryption:
    • Encryption is achieved using AES-128, with each encrypted file having its own AES key.
    • Headers are modified to prevent multiple encryption attempts on the same file.
    • RSA encryption is used to encrypt an encrypted copy of the file’s AES key, with XOR key encoding of the RSA key.
  • Visible and Noisy Execution:
    • Maui infections are visibly noisy during runtime, with one or more command windows being visible.
    • .tmp files are generated for each encrypted file.

Detection Strategies: EDR is equipped to detect and prevent malicious behaviors and artifacts associated with Maui ransomware.

For those without EDR , a multi-layered detection approach is recommended:

  1. Security Tools:
    • Employ anti-malware software or other security tools capable of detecting and blocking known ransomware variants.
  2. Network Traffic Monitoring:
    • Regularly monitor network traffic for indicators of compromise, such as unusual patterns or communication with known command-and-control servers.
  3. Security Audits:
    • Conduct periodic security audits to identify vulnerabilities and ensure security controls are functioning effectively.
  4. Education & Training:
    • Educate and train employees on cybersecurity best practices to recognize and report suspicious emails and threats.
  5. Backup & Recovery Planning:
    • Implement a robust backup and recovery plan to restore data in the event of an attack.

Mitigation Measures: For EDR customers, the EDR can prevent Maui ransomware infections and, in case of infection, detect and prevent malicious behaviors and artifacts. The unique rollback capability allows the removal of infections.

For those without EDR , along with detection strategies, consider the following mitigation steps:

  1. Employee Education:
    • Educate employees on ransomware risks and train them to identify and avoid phishing emails and malicious attachments.
  2. Strong Passwords:
    • Implement strong, unique passwords for all user accounts, regularly updating and rotating them.
  3. Multi-Factor Authentication (MFA):
    • Enable MFA for user accounts to add an extra layer of security.
  4. System Updates and Patching:
    • Regularly update and patch systems to fix vulnerabilities and prevent exploitation.
  5. Backup and Disaster Recovery (BDR):
    • Establish and regularly test backup and disaster recovery processes to ensure quick data restoration.

Proactive security measures and employee awareness are crucial to mitigating the risk of Maui ransomware attacks.

Back

Copyright © 2024 RASOC all rights reserved