Healthcare organizations targeted by Maui ransomware

A lesser-known ransomware threat called Maui is likely to continue to pose a threat to healthcare organizations, CISA (Cybersecurity & Infrastructure Security Agency) has warned. Maui uses a combination of Advanced Encryption Standard (AES), RSA and XOR encryption to encrypt target files.

Maui is unusual in many ways:

1. does not display the ransom message,

2. does not rely on external infrastructure to receive encryption keys;

3. does not encrypt files and/or systems randomly;

4. its operators – believed to be North Korean state-sponsored cyber actors – operate it manually and choose which things to encrypt.

In the Maui ransomware incidents the FBI has responded since May 2021, the attackers primarily encrypted servers responsible for healthcare services (electronic health records, diagnostics, imaging, and intranet).

North Korean state-sponsored cyber actors likely assume that healthcare organizations are willing to pay ransom because these organizations provide services that are critical to human life and health.

Learn more at Help Net Security.