When I think of Maui, I think of one of my favorite vacation spots in the whole world.  Unfortunately, if you’ve been following ransomware in the news, Maui now has a much more sinister meaning.  Let’s take a closer look at Maui ransomware, and what makes it so horrible.

What is Maui Ransomware?

Maui ransomware is a variant developed by threat actors allegedly sponsored by North Korea, according to CISA.  The scary part of this ransomware is not political or governmental ties, but the fact that it targets healthcare organizations.  Healthcare ransomware is nothing new, but causes many issues since it directly impacts human life.

Remember, at the end of the game, most ransomware operators have the same end goal in mind, no matter how they do things: they want to get paid the ransom.  By attacking critical infrastructure and systems, they make a bet that they will be paid out.

This is not the first ransomware group to target healthcare specifically.  Sophos released a great report on The State of Healthcare Ransomware in 2022.

According to Sophos, healthcare organizations are the most likely to pay the ransom, and 66% of organizations surveyed were attacked by ransomware in 2021.  The interesting part is that cyber security insurance is also slightly lower in this segment.

How does Maui Ransomware Work?

The most detailed account on Maui ransomware was released by Stairwell.  This is a great discussion on a still emerging threat.

All in all, Maui ransomware seems to take a very classic approach, first it encrypts target files using AES 128-bit encryption.  Then it encrypts the AES key using RSA and encodes the RSA public key.  When ransomware first started popping into the news, these are the things we got used to.

At this time, there’s no mention of any exfiltration when it comes to Maui ransomware, and no evidence of some of the centralized management functionality of many of the ransomware as as service type variants.

This is as classic as it gets, which means that if an organization can quickly recover, they will not need to pay the ransom.

Unfortunately this is not usually the case, with many organizations paying ransom because they cannot recover fast enough.  Proper ransomware recovery testing is key.

Ransomware on the Rise

There’s no storage of ransomware in the news lately, with new attacks and more details on past attack.  If anything we’re seeing more attacks instead of less.

This just proves that organizations need to be on top of their environments to detect threats early, and respond to them after they have been discovered.

This is especially true of healthcare organizations, which are known targets.  If you haven’t had the pleasure of working with IT in the healthcare segment, I can tell you budgets can be low, software can be old, and compliance requirements can be high.  It is important to remember that security and compliance are not the same thing. While some things that may be required for compliance can make environments more secure, that is not the primary driver.

Like any organization, is is especially important for healthcare organizations to have a solid recovery plan in place, which they cannot have until they have a full understanding of all of their assets and applications.  This is no easy task, especially in large healthcare systems.

Want to learn more about ransomware variants?  Take a look at some of our other features:

Stay tuned for more ransomware coverage!