June 6, 2023

North Korean state sponsored threat actors  are seen using  a custom ransomware variant known as Maui targeting healthcare sector.

Maui is a relatively new ransomware strain, the samples of Maui seen in intrusions thus far have all been compiled in April 2021. Maui is not offered as a service for affiliates to use in their own intrusions. It was privately developed and is being deployed by North Korean state-backed actors.


Once executed manually in command line without any arguments, Maui prints usage information, detailing supported command-line parameters. The only required argument is a folder path, which Maui will parse and encrypt identified files.

Maui has some other unique aspects, such as its lack of a ransom note and no internal mechanism to send the encryption keys for each victim to the attackers.

Instead of relying upon external infrastructure to receive encryption keys, Maui creates three files in the same directory it was executed from containing the results of its execution. These files are likely exfiltrated by Maui operators and processed by private tooling to generate associated decryption tooling.

In an advisory, the FBI, the CISA, and Department of the Treasury attributed the use of Maui to North Korean state actors and said that it was unclear how the attackers are gaining initial access to the victim networks.

Healthcare providers should also turn off device management interfaces, secure personally identifiable information, protect stored data by masking the permanent account number and implement multilayer network segmentation, among other recommendations.


This research was conducted and documented by threat intelligence firm Stairwell

Indicators of Compromise

  • 5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e
  • 45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78
  • 56925a1f7d853d814f80e98a1c4890b0a6a84c83a8eded34c585c98b2df6ab19
  • 830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570
  • 458d258005f39d72ce47c111a7d17e8c52fe5fc7dd98575771640d9009385456
  • 99b0056b7cc2e305d4ccb0ac0a8a270d3fceb21ef6fc2eb13521a930cea8bd9f
  • 3b9fe1713f638f85f20ea56fd09d20a96cd6d288732b04b073248b56cdaef878
  • 87bdb1de1dd6b0b75879d8b8aef80b562ec4fad365d7abbc629bcfc1d386afa6

1 thought on “Maui Ransomware – North Korea backed

Leave a Reply

%d bloggers like this: