Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

US: North Korean Hackers Targeting Healthcare Sector With Maui Ransomware

US government agencies this week issued a joint advisory to warn of North Korean threat actors using the Maui ransomware in attacks targeting the healthcare and public health sector.

US government agencies this week issued a joint advisory to warn of North Korean threat actors using the Maui ransomware in attacks targeting the healthcare and public health sector.

Since May 2021, North Korean government-backed threat actors have been using Maui ransomware to disrupt healthcare services such as diagnostics, electronic health records, imaging, and intranet services, reads the joint advisory from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury.

Maui ransomware utilizes a combination of AES, RSA, and XOR for the encryption process: files are encrypted with AES using a unique key that is then encrypted using a RSA key-pair generated when Maui first runs, and the RSA public key is then encrypted using a hard-coded RSA public key.

“During encryption, Maui creates a temporary file for each file it encrypts using GetTempFileNameW(). Maui uses the temporary to stage output from encryption. After encrypting files, Maui creates maui.log, which contains output from Maui execution. Actors likely exfiltrate maui.log and decrypt the file using associated decryption tools,” the advisory reads.

According to security researchers at threat hunting firm Stairwell, Maui is likely operated manually, as it lacks some of the key features typically used by ransomware-as-a-service (RaaS) families. This allows the attackers to select which files to encrypt, as well as to exfiltrate the resulting runtime artifacts.

The agencies say the attacks coming from theNorth Korean state-sponsored threat actors behind the Maui ransomware attacks are likely to continue.

“The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health. Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting HPH Sector organizations,” the joint advisory reads.

The three US agencies urge organizations in the healthcare sector to mitigate the threat posed by Maui and other ransomware families out there by applying the principle of least privilege, disabling unused network protocols, securing and encrypting personal and health information, implementing multi-layer network segmentation, and continuously monitoring their environments for anomalous behavior.

They should also maintain offline, encrypted backups of all data, should create and maintain a basic cyber incident response plan, keep all of their applications and systems updated at all times, implement multi-factor authentication, require administrative privileges for installing software, and install and maintain an antimalware solution.

Just last week, the North Korea-linked Lazarus hacking group was suspected to be behind a $100 million crypto hack of Harmony’s Horizon Bridge, based on data and research from blockchain analytics firm Elliptic.

Related: Beating Ransomware With Advanced Backup and Data Defense Technologies

Related: The Psychology of Ransomware Response

Related: Hackers Continue Aiding North Korea Generate Funds via Crypto Attacks

Related: US Details Chinese Attacks Against Telecoms Providers

Related: US Agencies Warn Organizations of Log4Shell Attacks Against VMware Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.