{
	"id": "6bdce8bf-a5f1-420b-85e2-ff0e259481de",
	"created_at": "2026-04-06T00:14:57.388228Z",
	"updated_at": "2026-04-10T03:22:13.109975Z",
	"deleted_at": null,
	"sha1_hash": "f7a5d08eeadd790d1dcce9fe06d9bbc75ae5230a",
	"title": "North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 106245,
	"plain_text": "North Korean State-Sponsored Cyber Actors Use Maui\r\nRansomware to Target the Healthcare and Public Health Sector |\r\nCISA\r\nPublished: 2022-07-07 · Archived: 2026-04-05 21:12:08 UTC\r\nSummary\r\nThe Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the\r\nDepartment of the Treasury (Treasury) are releasing this joint Cybersecurity Advisory (CSA) to provide\r\ninformation on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at\r\nleast May 2021 to target Healthcare and Public Health (HPH) Sector organizations.\r\nThis joint CSA provides information—including tactics, techniques, and procedures (TTPs) and indicators of\r\ncompromise (IOCs)—on Maui ransomware obtained from FBI incident response activities and industry analysis\r\nof a Maui sample. The FBI, CISA, and Treasury urge HPH Sector organizations as well as other critical\r\ninfrastructure organizations to apply the recommendations in the Mitigations section of this CSA to reduce the\r\nlikelihood of compromise from ransomware operations. Victims of Maui ransomware should report the incident to\r\ntheir local FBI field office or CISA. \r\nThe FBI, CISA, and Treasury highly discourage paying ransoms as doing so does not guarantee files and records\r\nwill be recovered and may pose sanctions risks. Note: in September 2021, Treasury issued an updated advisory\r\nhighlighting the sanctions risks associated with ransomware payments and the proactive steps companies can take\r\nto mitigate such risks. Specifically, the updated advisory encourages U.S. entities to adopt and improve\r\ncybersecurity practices and report ransomware attacks to, and fully cooperate with, law enforcement. 
The updated\r\nadvisory states that when affected parties take these proactive steps, Treasury’s Office of Foreign Assets Control\r\n(OFAC) would be more likely to resolve apparent sanctions violations involving ransomware attacks with a non-public enforcement response.\r\nFor more information on state-sponsored North Korean malicious cyber activity, see CISA’s North Korea Cyber\r\nThreat Overview and Advisories webpage.\r\nA PDF version of this report (553 kb) and a STIX version are available from the source page.\r\nTechnical Details\r\nSince May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector\r\norganizations. North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt\r\nservers responsible for healthcare services—including electronic health records services, diagnostics services,\r\nimaging services, and intranet services. In some cases, these incidents disrupted the services provided by the\r\ntargeted HPH Sector organizations for prolonged periods. The initial access vector(s) for these incidents are\r\nunknown.\r\nMaui Ransomware\r\nMaui ransomware (maui.exe) is an encryption binary. According to industry analysis of a sample of Maui\r\n(SHA256: 5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e) provided in the Stairwell\r\nThreat Report: Maui Ransomware, the ransomware appears to be designed for manual execution [TA0002]\r\nby a remote actor. The remote actor uses a command-line interface [T1059.008] to interact with the malware and\r\nto identify files to encrypt.\r\nMaui uses a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption to encrypt [T1486]\r\ntarget files:\r\n1. Maui encrypts target files with AES 128-bit encryption. 
Each encrypted file has a unique AES key, and\r\neach file contains a custom header with the file’s original path, allowing Maui to identify previously\r\nencrypted files. The header also contains encrypted copies of the AES key.\r\n2. Maui encrypts each AES key with RSA encryption.\r\nMaui loads the RSA public (maui.key) and private (maui.evd) keys from the same directory as\r\nitself.\r\n3. Maui encodes the RSA public key (maui.key) using XOR encryption. The XOR key is generated from\r\nhard drive information (\\\\.\\PhysicalDrive0).\r\nDuring encryption, Maui creates a temporary file for each file it encrypts using GetTempFileNameW(). Maui uses\r\nthe temporary file to stage output from encryption. After encrypting files, Maui creates maui.log, which contains\r\noutput from Maui execution. Actors likely exfiltrate [TA0010] maui.log and decrypt the file using associated\r\ndecryption tools.\r\nSee Stairwell Threat Report: Maui Ransomware for additional information on Maui ransomware, including\r\nYARA rules and a key extractor.\r\nIndicators of Compromise\r\nSee table 1 for Maui ransomware IOCs obtained from FBI incident response activities since May 2021. 
\r\nTable 1: Maui Ransomware IOCs\r\n\r\nIndicator Type: Filename\r\n  maui.exe\r\n  maui.log\r\n  maui.key\r\n  maui.evd\r\n  aui.exe\r\n\r\nIndicator Type: MD5 Hash\r\n  4118d9adce7350c3eedeb056a3335346\r\n  9b0e7c460a80f740d455a7521f0eada1\r\n  fda3a19afa85912f6dc8452675245d6b\r\n  2d02f5499d35a8dffb4c8bc0b7fec5c2\r\n  c50b839f2fc3ce5a385b9ae1c05def3a\r\n  a452a5f693036320b580d28ee55ae2a3\r\n  a6e1efd70a077be032f052bb75544358\r\n  802e7d6e80d7a60e17f9ffbd62fcbbeb\r\n\r\nIndicator Type: SHA256 Hash\r\n  5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e\r\n  45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78\r\n  56925a1f7d853d814f80e98a1c4890b0a6a84c83a8eded34c585c98b2df6ab19\r\n  830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570\r\n  458d258005f39d72ce47c111a7d17e8c52fe5fc7dd98575771640d9009385456\r\n  99b0056b7cc2e305d4ccb0ac0a8a270d3fceb21ef6fc2eb13521a930cea8bd9f\r\n  3b9fe1713f638f85f20ea56fd09d20a96cd6d288732b04b073248b56cdaef878\r\n  87bdb1de1dd6b0b75879d8b8aef80b562ec4fad365d7abbc629bcfc1d386afa6\r\n\r\nAttribution to North Korean State-Sponsored Cyber Actors\r\nThe FBI assesses North Korean state-sponsored cyber actors have deployed Maui ransomware against Healthcare\r\nand Public Health Sector organizations. The North Korean state-sponsored cyber actors likely assume healthcare\r\norganizations are willing to pay ransoms because these organizations provide services that are critical to human\r\nlife and health. Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored\r\nactors are likely to continue targeting HPH Sector organizations. 
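The file names and hashes in Table 1 are the indicators most directly usable for a sweep of hosts, backup sets, or file shares. The following Python script is an added example, not part of the advisory and not Stairwell's tooling: it walks a directory tree and reports every file whose name or MD5/SHA256 digest matches a Table 1 value. The indicator values are copied from the table; the directory layout and file contents the demonstration creates are constructed here and contain nothing from a real Maui sample, so the hash-matching path is exercised by adding the planted file's own digest as an extra indicator.

```python
# Added example, not code from the CISA advisory or from Stairwell: sweep a
# directory tree for the Maui indicators listed in Table 1 of AA22-187A.
# Indicator values are copied from the table; the files the demo plants are
# constructed here and contain no real malware.
import hashlib
import os
import shutil
import tempfile

# Filenames are stored lowercase and compared case-insensitively (NTFS is).
MAUI_FILENAMES = {'maui.exe', 'maui.log', 'maui.key', 'maui.evd', 'aui.exe'}

# MD5 is kept only because the advisory publishes MD5 values; prefer SHA256.
MAUI_MD5 = {
    '4118d9adce7350c3eedeb056a3335346', '9b0e7c460a80f740d455a7521f0eada1',
    'fda3a19afa85912f6dc8452675245d6b', '2d02f5499d35a8dffb4c8bc0b7fec5c2',
    'c50b839f2fc3ce5a385b9ae1c05def3a', 'a452a5f693036320b580d28ee55ae2a3',
    'a6e1efd70a077be032f052bb75544358', '802e7d6e80d7a60e17f9ffbd62fcbbeb',
}

MAUI_SHA256 = {
    '5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e',
    '45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78',
    '56925a1f7d853d814f80e98a1c4890b0a6a84c83a8eded34c585c98b2df6ab19',
    '830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570',
    '458d258005f39d72ce47c111a7d17e8c52fe5fc7dd98575771640d9009385456',
    '99b0056b7cc2e305d4ccb0ac0a8a270d3fceb21ef6fc2eb13521a930cea8bd9f',
    '3b9fe1713f638f85f20ea56fd09d20a96cd6d288732b04b073248b56cdaef878',
    '87bdb1de1dd6b0b75879d8b8aef80b562ec4fad365d7abbc629bcfc1d386afa6',
}


def hash_file(path):
    '''Return (md5, sha256) hex digests, streaming the file in 1 MiB chunks.'''
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b''):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_tree(root, filenames=MAUI_FILENAMES, md5s=MAUI_MD5, sha256s=MAUI_SHA256):
    '''Walk root; return sorted (path, reason) hits, one entry per matching indicator.'''
    hits = []
    for dirpath, _subdirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.lower() in filenames:
                hits.append((path, 'filename:' + name.lower()))
            try:
                md5, sha256 = hash_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it, keep sweeping
            if md5 in md5s:
                hits.append((path, 'md5:' + md5))
            if sha256 in sha256s:
                hits.append((path, 'sha256:' + sha256))
    return sorted(hits)


# Constructed stand-in for an unknown binary; its digest is NOT a Maui indicator.
PLANTED_CONTENT = b'constructed bytes standing in for an unknown binary'
PLANTED_SHA256 = hashlib.sha256(PLANTED_CONTENT).hexdigest()


def demo():
    '''Build a throwaway tree, sweep it, return hits as forward-slash relative paths.'''
    root = tempfile.mkdtemp(prefix='maui-ioc-demo-')
    try:
        for rel, data in (
            ('ProgramData/tmp/MAUI.LOG', b'constructed log text, not Maui output'),
            ('Windows/Temp/tmpA1B2.tmp', PLANTED_CONTENT),
            ('Users/alice/notes.txt', b'benign file'),
        ):
            path = os.path.join(root, *rel.split('/'))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, 'wb') as fh:
                fh.write(data)
        # The planted digest is added as an extra indicator only so the hash
        # path is exercised without a real sample on disk.
        raw = scan_tree(root, sha256s=MAUI_SHA256 | {PLANTED_SHA256})
        return sorted((os.path.relpath(p, root).replace(os.sep, '/'), r) for p, r in raw)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == '__main__':
    for rel_path, reason in demo():
        print(reason, rel_path)
```

Point scan_tree at a mounted image or share root rather than a live suspected host where you can, so the sweep itself does not alter timestamps or trigger the actor's tooling. Treat a filename-only hit as a lead rather than a confirmation (the names are short and generic), and rely on the SHA256 values for confirmation, since MD5 collisions are practical.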
\r\nMitigations\r\nThe FBI, CISA, and Treasury urge HPH Sector organizations to:\r\nLimit access to data by deploying public key infrastructure and digital certificates to authenticate\r\nconnections with the network, Internet of Things (IoT) medical devices, and the electronic health record\r\nsystem, as well as to ensure data packages are not manipulated while in transit by man-in-the-middle\r\nattacks.\r\nUse standard user accounts on internal systems instead of administrative accounts, which allow for\r\noverarching administrative system privileges and do not ensure least privilege.\r\nTurn off network device management interfaces such as Telnet, SSH, Winbox, and HTTP for wide area\r\nnetworks (WANs) and secure them with strong passwords and encryption when enabled.\r\nSecure personally identifiable information (PII)/protected health information (PHI) at collection points and\r\nencrypt the data at rest and in transit by using technologies such as Transport Layer Security (TLS). Only\r\nstore personal patient data on internal systems that are protected by firewalls, and ensure extensive backups\r\nare available if data is ever compromised.\r\nProtect stored data by masking the primary account number (PAN) when it is displayed and rendering it\r\nunreadable when it is stored—through cryptography, for example.\r\nSecure the collection, storage, and processing practices for PII and PHI, per regulations such as the Health\r\nInsurance Portability and Accountability Act of 1996 (HIPAA). 
Implementing HIPAA security measures\r\ncan help prevent the introduction of malware on the system.\r\nImplement and enforce multi-layer network segmentation with the most critical communications and data\r\nresting on the most secure and reliable layer.\r\nUse monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.\r\nCreate and regularly review internal policies that regulate the collection, storage, access, and monitoring of\r\nPII/PHI.\r\nIn addition, the FBI, CISA, and Treasury urge all organizations, including HPH Sector organizations, to apply the\r\nfollowing recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.\r\nPreparing for Ransomware\r\nMaintain offline (i.e., physically disconnected) backups of data, and regularly test backup and\r\nrestoration. These practices safeguard an organization’s continuity of operations or at least minimize\r\npotential downtime from a ransomware incident and protect against data losses.\r\nEnsure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the\r\nentire organization’s data infrastructure.\r\nCreate, maintain, and exercise a basic cyber incident response plan and associated communications\r\nplan that includes response procedures for a ransomware incident.\r\nOrganizations should also ensure their incident response and communications plans include\r\nresponse and notification procedures for data breach incidents. Ensure the notification procedures\r\nadhere to applicable state laws.\r\nRefer to the National Conference of State Legislatures: Security Breach Notification Laws\r\nfor information on each state’s data breach laws.\r\nFor breaches involving electronic health information, you may need to notify the Federal\r\nTrade Commission (FTC) or the Department of Health and Human Services, and, in some\r\ncases, the media. 
Refer to the FTC’s Health Breach Notification Rule and U.S. Department\r\nof Health and Human Services’ Breach Notification Rule for more information.\r\nSee CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware\r\nGuide and CISA Fact Sheet Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches for information on creating a ransomware response checklist and planning\r\nand responding to ransomware-caused data breaches.\r\nMitigating and Preventing Ransomware\r\nInstall updates for operating systems, software, and firmware as soon as they are released. Timely\r\npatching is one of the most efficient and cost-effective steps an organization can take to minimize its\r\nexposure to cybersecurity threats. Regularly check for software updates and end-of-life notifications and\r\nprioritize patching known exploited vulnerabilities. Consider leveraging a centralized patch management\r\nsystem to automate and expedite the process.\r\nIf you use Remote Desktop Protocol (RDP), or other potentially risky services, secure and monitor\r\nthem closely.\r\nLimit access to resources over internal networks, especially by restricting RDP and using virtual\r\ndesktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the\r\noriginating sources, and require multifactor authentication (MFA) to mitigate credential theft and\r\nreuse. If RDP must be available externally, use a virtual private network (VPN), virtual desktop\r\ninfrastructure, or other means to authenticate and secure the connection before allowing RDP to\r\nconnect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a\r\nspecified number of attempts to block brute force campaigns, log RDP login attempts, and disable\r\nunused remote access/RDP ports.\r\nEnsure devices are properly configured and that security features are enabled. 
Disable ports and\r\nprotocols that are not being used for a business purpose (e.g., RDP, Transmission Control Protocol\r\nport 3389).\r\nRestrict Server Message Block (SMB) Protocol within the network to only access servers that are\r\nnecessary and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use\r\nSMB to propagate malware across organizations.\r\nReview the security posture of third-party vendors and those interconnected with your organization.\r\nEnsure all connections between third-party vendors and outside software or hardware are monitored\r\nand reviewed for suspicious activity.\r\nImplement allowlisting policies for applications and remote access that only allow systems to execute\r\nknown and permitted programs under an established security policy.\r\nOpen document readers in protected viewing modes to help prevent active content from running.\r\nImplement a user training program and phishing exercises to raise awareness among users about the\r\nrisks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments.\r\nReinforce the appropriate user response to phishing and spearphishing emails.\r\nRequire MFA for as many services as possible—particularly for webmail, VPNs, accounts that access\r\ncritical systems, and privileged accounts that manage backups.\r\nUse strong passwords and avoid reusing passwords for multiple accounts. 
See CISA Tip Choosing and\r\nProtecting Passwords and National Institute of Standards and Technology (NIST) Special Publication 800-63B:\r\nDigital Identity Guidelines for more information.\r\nRequire administrator credentials to install software.\r\nAudit user accounts with administrative or elevated privileges and configure access controls with least\r\nprivilege in mind.\r\nInstall and regularly update antivirus and antimalware software on all hosts.\r\nOnly use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.\r\nConsider adding an email banner to messages coming from outside your organization.\r\nDisable hyperlinks in received emails.\r\nResponding to Ransomware Incidents\r\nIf a ransomware incident occurs at your organization:\r\nFollow your organization’s Ransomware Response Checklist (see Preparing for Ransomware section).\r\nScan backups. If possible, scan backup data with an antivirus program to check that it is free of malware.\r\nThis should be performed using an isolated, trusted system to avoid exposing backups to potential\r\ncompromise.\r\nFollow the notification requirements as outlined in your cyber incident response plan.\r\nReport incidents to the FBI at a local FBI Field Office, CISA at us-cert.cisa.gov/report, or the U.S. Secret\r\nService (USSS) at a USSS Field Office.\r\nApply incident response best practices found in the joint Cybersecurity Advisory, Technical Approaches to\r\nUncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of\r\nAustralia, Canada, New Zealand, and the United Kingdom.\r\nNote: the FBI, CISA, and Treasury strongly discourage paying ransoms as doing so does not guarantee files and\r\nrecords will be recovered and may pose sanctions risks. 
\r\nRequest for Information\r\nThe FBI is seeking any information that can be shared, to include boundary logs showing communication to and\r\nfrom foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files.\r\nAs stated above, the FBI discourages paying ransoms. Payment does not guarantee files will be recovered and\r\nmay embolden adversaries to target additional organizations, encourage other criminal actors to engage in the\r\ndistribution of ransomware, and/or fund illicit activities. However, the FBI understands that when victims are\r\nfaced with an inability to function, all options are evaluated to protect shareholders, employees, and customers.\r\nRegardless of whether you or your organization have decided to pay the ransom, the FBI, CISA, and Treasury\r\nurge you to promptly report ransomware incidents to the FBI at a local FBI Field Office, CISA at us-cert.cisa.gov/report, or the USSS at a USSS Field Office. Doing so provides the U.S. Government with critical\r\ninformation needed to prevent future attacks by identifying and tracking ransomware actors and holding them\r\naccountable under U.S. law.\r\nResources\r\nFor more information and resources on protecting against and responding to ransomware, refer to\r\nStopRansomware.gov, a centralized, U.S. whole-of-government webpage providing ransomware resources\r\nand alerts.\r\nCISA’s Ransomware Readiness Assessment is a no-cost self-assessment based on a tiered set of practices\r\nto help organizations better assess how well they are equipped to defend and recover from a ransomware\r\nincident.\r\nA guide that helps organizations mitigate a ransomware attack and provides a Ransomware Response\r\nChecklist: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware\r\nGuide.\r\nThe U.S. 
Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for\r\nreports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website\r\nfor more information and how to report information securely.\r\nAcknowledgements\r\nThe FBI, CISA, and Treasury would like to thank Stairwell for their contributions to this CSA.\r\nContact Information\r\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact\r\nyour local FBI field office at fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937\r\nor by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the\r\nincident: date, time, and location of the incident; type of activity; number of people affected; type of equipment\r\nused for the activity; the name of the submitting company or organization; and a designated point of contact. To\r\nrequest incident response resources or technical assistance related to these threats, contact CISA at\r\nSayCISA@cisa.dhs.gov.\r\nRevisions\r\nJuly 6, 2022: Initial Version | July 7, 2022: Added STIX\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-187a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-187a"
	],
	"report_names": [
		"aa22-187a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434497,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7a5d08eeadd790d1dcce9fe06d9bbc75ae5230a.pdf",
		"text": "https://archive.orkl.eu/f7a5d08eeadd790d1dcce9fe06d9bbc75ae5230a.txt",
		"img": "https://archive.orkl.eu/f7a5d08eeadd790d1dcce9fe06d9bbc75ae5230a.jpg"
	}
}