Maui Ransomware
Ransomware
⚠️ Overview
Maui Ransomware is a .NET-based file-encrypting malware first publicly documented in a joint Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) advisory on 29 June 2022 (AA22-187A). It is categorized as a targeted ransomware, primarily attributed to state-sponsored actors linked to the Democratic People’s Republic of Korea (DPRK) — tracked by Mandiant as UNC2363 — who deploy Maui as a manual, human-operated ransomware against healthcare and public health sector organizations in the United States and other countries.
🔧 Technical Capabilities
Maui is written in C# (.NET) and uses the AES-128-CBC symmetric encryption algorithm in Electronic Codebook (ECB) mode to encrypt files, appending a unique 8-byte marker and a 16-byte initialization vector to each encrypted file. The malware does not automatically propagate; instead, it is manually dropped via post-exploitation tools such as Cobalt Strike beacons or the Sliver implant framework, often after initial access is gained through unpatched VPN devices (e.g., Log4j vulnerabilities, CVE-2021-44228) or spear-phishing. It lacks a built-in network propagation mechanism, relying on the attacker's manual execution. Persistence is achieved by adding a scheduled task or Windows service named "MauiUpdate" or "MauiSvc". Evasion techniques include disabling Windows Defender via registry modifications (specifically SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware) and terminating Volume Shadow Copy Service (VSS) processes before encryption. C2 communication is conducted over HTTPS to hardcoded IP addresses or domains, with the malware periodically beaconing for commands; no public C2 infrastructure has been fully shared in open reports.
📜 History & Notable Incidents
Maui was first detected in malware analysis sandboxes as early as May 2021, but the first widely reported incident occurred in June 2021 targeting a US healthcare provider in the Midwest. The CISA/FBI/MS-ISAC joint advisory (AA22-187A) documented multiple confirmed intrusions against healthcare organizations between May 2021 and June 2022, with victims also reported in the manufacturing and government sectors. No specific CVEs are exclusively associated with Maui itself; rather, it is delivered through exploitation of known vulnerabilities in internet-facing systems, including CVE-2021-44228 (Log4Shell) and CVE-2020-1472 (Zerologon). Law enforcement actions have not directly disrupted the malware family, but the advisory recommends immediate mitigation steps.
🔍 Detection Indicators
File-level IOCs include encrypted files renamed with the original filename plus the extension .maui (e.g., document.pdf.maui) and a ransom note named Maui-README.hta or !!READ_ME_Maui!!.txt placed in each directory. Network IOCs include HTTP requests to IP addresses such as 185.56.80[.]238 and 45.134.20[.]64 (both reported in the advisory). Behavioral indicators: Maui creates a mutex named Global\MauiMutex to prevent multiple instances, and modifies the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MauiUpdate for persistence.
☠️ Risk & Impact
Maui ransomware causes immediate encryption of critical patient data, electronic health records, and diagnostic imaging files, leading to operational shutdown of hospital IT systems. The FBI advisory notes that encryption may be reversible only if victims possess offline backups; however, no public decryption tool exists. Affected sectors predominantly include healthcare and public health (HPH), with financial losses estimated in the millions due to downtime, data recovery costs, and potential ransom payments (though actual payment amounts are rarely disclosed).
🛡️ Mitigation
Organizations should implement network segmentation, apply patches for CVE-2021-44228 and other known vulnerabilities, enable multi-factor authentication for remote access, and maintain offline, immutable backups. Detection rules based on Sigma (e.g., “Maui Ransomware Indicators” from SOC Prime) and YARA rules (e.g., matching the .maui extension and mutex name) are recommended, alongside continuous monitoring with Endpoint Detection and Response (EDR) tools. The CISA advisory (AA22-187A) details comprehensive mitigations including the use of the Microsoft Sysmon tool to log process creation and registry changes.
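As an added illustration (not code from this page, the advisory, or any vendor rule set), the following Python script applies the file, registry, scheduled-task/service and mutex indicators listed in the Detection Indicators and Mitigation sections to constructed Sysmon-style events and raises a host only when several independent indicator classes coincide. The event dictionary schema, the `MutexCreate` event type and the sample paths are assumptions made for the example.

```python
import re
# Indicators exactly as this page lists them (the page's claims, not independently verified IoCs).
RANSOM_NOTES = {"maui-readme.hta", "!!read_me_maui!!.txt"}
ENCRYPTED_EXT = ".maui"
MUTEX_NAME = r"Global\MauiMutex"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MauiUpdate"
DEFENDER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"
PERSIST_CMD = re.compile(r"\b(schtasks|sc)(\.exe)?\b.*\b(mauiupdate|mauisvc)\b", re.I)  # task/service names

def classify_event(ev):
    """Return the set of page-listed indicator classes matched by one Sysmon-style event dict."""
    hits, kind, target = set(), ev.get("event"), ev.get("target", "")
    if kind == "FileCreate":  # Sysmon event ID 11
        name = target.rsplit("\\", 1)[-1].lower()
        if name.endswith(ENCRYPTED_EXT):
            hits.add("encrypted_file")
        if name in RANSOM_NOTES:
            hits.add("ransom_note")
    elif kind == "RegistryValueSet":  # Sysmon event ID 13
        if target.lower() == RUN_KEY.lower():
            hits.add("run_key_persistence")
        if target.lower() == DEFENDER_KEY.lower() and ev.get("details", "").strip() == "1":
            hits.add("defender_disabled")
    elif kind == "ProcessCreate" and PERSIST_CMD.search(ev.get("cmdline", "")):  # Sysmon event ID 1
        hits.add("task_or_service_persistence")
    elif kind == "MutexCreate" and target == MUTEX_NAME:  # assumed EDR event; Sysmon does not log mutexes
        hits.add("maui_mutex")
    return hits

def scan(events):
    """Aggregate matched indicator classes per host: {host: sorted list of classes}."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(classify_event(ev))
    return {h: sorted(s) for h, s in per_host.items()}

def suspected_hosts(events, min_classes=2):
    """Hosts with at least min_classes distinct classes; one .maui file or one registry write alone is not enough."""
    return sorted(h for h, s in scan(events).items() if len(s) >= min_classes)

# Constructed sample telemetry (not real logs): WS-01 shows the full chain, SRV-02 only near-misses.
SAMPLE_EVENTS = [
    {"host": "WS-01", "event": "FileCreate", "target": r"C:\Users\a\Docs\scan.pdf.maui"},
    {"host": "WS-01", "event": "FileCreate", "target": r"C:\Users\a\Docs\Maui-README.hta"},
    {"host": "WS-01", "event": "RegistryValueSet", "target": RUN_KEY, "details": r"C:\ProgramData\upd.exe"},
    {"host": "WS-01", "event": "RegistryValueSet", "target": DEFENDER_KEY, "details": "1"},
    {"host": "WS-01", "event": "ProcessCreate", "cmdline": "schtasks /create /tn MauiUpdate /tr upd.exe /sc onlogon"},
    {"host": "WS-01", "event": "MutexCreate", "target": MUTEX_NAME},
    {"host": "SRV-02", "event": "FileCreate", "target": r"C:\data\maui.jpg"},  # not the .maui extension
    {"host": "SRV-02", "event": "RegistryValueSet", "target": DEFENDER_KEY, "details": "0"},  # not disabled
]
```

Running `scan(SAMPLE_EVENTS)` lists six indicator classes for WS-01 and none for SRV-02, so `suspected_hosts(SAMPLE_EVENTS)` returns only WS-01.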