IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

North Korea Attacks Health Sector With Maui Ransomware

On July 6, 2022, CISA issued a new national cyber awareness system alert (AA22-187A). Here’s what you need to know — and do next.

A computer icon of a file with chains and a skull and crossbones on it, with lines of code in the background.
U.S. federal agencies issued a joint advisory on July 6, warning that North Korean state-sponsored cyber actors are targeting the health sector using Maui ransomware. The operators of this ransomware have been allegedly using it to encrypt servers that hold sensitive health records, imaging services and more, before demanding a ransom to free the servers.

Here is the opening summary of the alert (AA22-187A), with details on the Cybersecurity and Infrastructure Security Agency (CISA) website:

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) are releasing this joint Cybersecurity Advisory (CSA) to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.

This joint CSA provides information — including tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) — on Maui ransomware obtained from FBI incident response activities and industry analysis of a Maui sample. The FBI, CISA, and Treasury urge HPH Sector organizations as well as other critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to reduce the likelihood of compromise from ransomware operations. Victims of Maui ransomware should report the incident to their local FBI field office or CISA. 

The FBI, CISA, and Treasury highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks. Note: in September 2021, Treasury issued an updated advisory highlighting the sanctions risks associated with ransomware payments and the proactive steps companies can take to mitigate such risks. Specifically, the updated advisory encourages U.S. entities to adopt and improve cybersecurity practices and report ransomware attacks to, and fully cooperate with, law enforcement. The updated advisory states that when affected parties take these proactive steps, Treasury’s Office of Foreign Assets Control (OFAC) would be more likely to resolve apparent sanctions violations involving ransomware attacks with a non-public enforcement response.

For more information on state-sponsored North Korean malicious cyber activity, see CISA’s North Korea Cyber Threat Overview and Advisories webpage. Download the PDF version of this report: pdf, 553 kb.


The coverage of this situation was swift and global. Here are a few examples:

The Register — “Here today, gone to Maui: That’s your data captured by North Korean ransomware”: “For the past year, state-sponsored hackers operating on behalf of North Korea have been using ransomware called Maui to attack healthcare organizations, US cybersecurity authorities said on Wednesday.

“Uncle Sam’s Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Treasury Department issued a joint advisory outlining a Pyongyang-orchestrated ransomware campaign that has been underway at least since May, 2021.

“The initial access vector — the way these threat actors break into organizations — is not known. Even so, the FBI says it has worked with multiple organizations in the healthcare and public health (HPH) sector infected by Maui ransomware.”

BleepingComputer US govt warns of Maui ransomware attacks against healthcare orgs”: “According to a threat report authored by Stairwell principal reverse engineer Silas Cutler, Maui ransomware is manually deployed across compromised victims’ networks, with the remote operators targeting specific files they want to encrypt.

“While Stairwell collected the first Maui sample in early April 2022, all Maui ransomware samples share the same compilation timestamp of April 15, 2021.

“Maui also stands out compared to other ransomware strains by not dropping a ransom note on encrypted systems to provide victims with data recovery instructions.”

Dark ReadingNorth Korean State Actors Deploy Surgical Ransomware in Ongoing Cyberattacks on US Healthcare Orgs”: “Silas Cutler, principal reverse engineer at Stairwell, says the design of Maui’s file-encryption workflow is fairly consistent with other modern ransomware families. What’s really different is the absence of a ransom note.

“‘The lack of an embedded ransom note with recovery instructions is a key missing attribute that sets it apart from other ransomware families,’ Cutler says. ‘Ransom notes have become calling cards for some of the large ransomware groups [and are] sometimes emblazoned with their own branding.’ He says Stairwell is still investigating how the threat actor is communicating with victims and exactly what demands are being made.

“Security researchers say there are several reasons why the threat actor might have decided to go the manual route with Maui. Tim McGuffin, director of adversarial engineering at Lares Consulting, says manually operated malware has a better chance of evading modern endpoint protection tools and canary files compared with automated, systemwide ransomware. …”


Avishai “Avi” Avivi, CISO at SafeBreach, said this in response to the new CISA alert: “We certainly agree with the agencies’ recommendations to avoid paying the ransom. There is a real risk that the malicious actors will not provide the decryption key, and if they exfiltrated any of the data, there is no guarantee that they won’t share it with the dark web. Rather than investing in a pool of Bitcoins in advance of a ransomware attack, organizations should invest in a solid backup strategy. The strategy must include frequent, at least monthly, recovery testing to ensure the backups are viable.

“Healthcare organizations should also take all precautions to segment their networks and isolate environments to prevent the lateral spread of ransomware. These basic cyber-hygiene steps are a much better route for organizations preparing for a ransomware attack. We still see organizations fail to take the basic steps mentioned above. This, unfortunately, means that when (not if) ransomware makes it past their security controls, they will not have a proper backup, and the malicious software will be able to spread laterally through the organization’s networks.”


This cyber threat situation is very serious, and the CISA alert highlights the ongoing challenge that health-care organizations, including government-run hospitals, face when being attacked by nation-state actors.

This alert also shows new ways that ransomware is evolving. Any hopes that ransomware would diminish — in breadth or depth of overall threat — in 2022 are basically gone as we pass the halfway point of this year.

My advice is for enterprises to take the situation very seriously and follow the direction provided by CISA in alert AA22-187A.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.