---
title: "Threat Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector | DuoCircle"
description: "This article provides an overview of the joint Cybersecurity Advisory (CSA) issued by the Federal Bureau of Investigation (FBI)."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/phishing-protection/threat-actors-use-maui-ransomware-to-target-the-healthcare-and-public-health-sector/"
---

Quick Answer

FBI, CISA, and US Treasury issued a joint Cybersecurity Advisory in July 2022 warning that North Korean state-sponsored actors had been using Maui ransomware against US Healthcare and Public Health (HPH) sector organizations since May 2021. Maui targeted electronic health records, diagnostics, imaging, and intranet services, encrypting systems that clinics and hospitals could not function without. Unlike most ransomware, Maui appears to be operated manually by an attacker who selects which files to encrypt rather than running automated mass encryption. The advisory recommended: do not pay (Treasury sanctions DPRK-affiliated payments), maintain offline backups, keep operating systems and software patched, train users on phishing, deploy MFA everywhere, segment networks, monitor for unusual administrative activity, and report incidents to FBI and CISA. Healthcare ransomware is a patient-safety issue: encrypted systems delay treatment and have been linked to mortality increases.


![Maui Ransomware](https://media.mailhop.org/duocircle/images/2022/07/dmarc-report-7562.jpg) 

_This article provides an overview of the joint Cybersecurity Advisory (CSA) issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) on the Maui ransomware, which has been used by North Korean state-sponsored cyber actors to attack Healthcare and Public Health (HPH) Sector organizations._

Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH sector organizations. In these incidents, North Korean state-sponsored cyber actors used Maui ransomware to encrypt servers responsible for healthcare services, including electronic health records, diagnostics, imaging, and intranet services. In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods.

Let’s examine it in more detail.

## **How is Maui Being Used?**

North Korean state-sponsored cyber actors are believed to target healthcare institutions because they assume such organizations will pay the ransom, given that the services they provide are essential to human life and health. The actors mostly use Remote Desktop Protocol (RDP) vulnerabilities to gain access to victims’ networks, encrypt the victims’ files, and leave a ransom note with communication instructions in every folder holding an encrypted file. The note is often accompanied by a message asking the victim to send the ransom to a specified Bitcoin wallet address. Let us see what Maui ransomware actually is and what measures the joint cybersecurity advisory recommends.

## **What is Maui Ransomware?**

Maui ransomware (maui.exe) is an encryption binary. According to an industry analysis of a Maui sample presented in the [Stairwell Threat Report: Maui Ransomware](https://stairwell.com/news/threat-research-report-maui-ransomware/), the ransomware appears to be designed for manual execution by a remote actor who interacts with it through a command-line interface and selects which files to encrypt.

## **How Does Maui Function?**

Maui encrypts target files using a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption. 

1. Maui uses 128-bit AES encryption to encrypt target files. Each encrypted file has its own AES key, and each file carries a custom header containing the file’s original path, which lets Maui recognize files it has already encrypted.
2. Maui also encrypts each AES key with RSA; it loads the RSA public and private keys from the same directory in which it runs.
3. According to the advisory, Maui additionally uses XOR encryption to encrypt the RSA public key (maui.key). The XOR key is derived from information about the hard disk.
4. Maui creates a temporary file for each file it encrypts. After encrypting files, it writes maui.log, which is said to contain output from the Maui execution.
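For incident responders, the artifacts named above (maui.exe, maui.key, maui.log, a per-folder ransom note, and files that have become indistinguishable from random data) are the things worth sweeping a file share for. The following triage script is an added example, not code from the advisory or the original article: it walks a directory tree, flags the named artifacts, uses byte entropy to spot encrypted-looking files, and reports folders where a ransom note sits beside such files. The ransom-note filename is a hypothetical placeholder, since the advisory does not name one, and the sample tree it builds is constructed test data.

```python
"""Triage helper: find file-system artifacts attributed to Maui ransomware."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Artifact names taken from the advisory summary above.
MAUI_ARTIFACTS = {"maui.exe", "maui.key", "maui.log"}
# Hypothetical ransom-note name (assumption): the advisory gives none; adjust per case.
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted or compressed data sits near 8.0
MIN_SAMPLE = 256         # skip tiny files, whose entropy estimate is unreliable


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root) -> dict:
    """Walk root and collect Maui indicators into a report dictionary."""
    report = {"artifacts": [], "ransom_notes": [], "high_entropy": [], "suspect_dirs": []}
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        encrypted_here = False
        for f in files:
            path = Path(dirpath) / f
            lower = f.lower()
            if lower in MAUI_ARTIFACTS:
                report["artifacts"].append(str(path))
            if lower in RANSOM_NOTE_NAMES:
                report["ransom_notes"].append(str(path))
            try:
                sample = path.read_bytes()[:65536]  # first 64 KiB is enough for a verdict
            except OSError:
                continue
            if len(sample) >= MIN_SAMPLE and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
                report["high_entropy"].append(str(path))
                encrypted_here = True
        # The pattern the advisory describes: a ransom note in every folder holding encrypted files.
        if names & RANSOM_NOTE_NAMES and encrypted_here:
            report["suspect_dirs"].append(dirpath)
    return report


def build_sample_tree() -> str:
    """Constructed sample tree (not real evidence) so the script can be dry-run offline."""
    root = tempfile.mkdtemp(prefix="maui-triage-")
    share = Path(root) / "share"
    share.mkdir()
    (share / "notes.txt").write_bytes(b"plain text record " * 40)   # low entropy, untouched
    (share / "scan01.dcm").write_bytes(os.urandom(4096))            # random bytes stand in for ciphertext
    (share / "readme_to_decrypt.txt").write_text("contact us to decrypt")
    (Path(root) / "maui.log").write_text("constructed log")
    return root


if __name__ == "__main__":
    for key, value in triage(build_sample_tree()).items():
        print(f"{key}: {value}")
```

On a live system, point `triage()` at the suspect share from an isolated analysis host and treat any populated `suspect_dirs` entry as scope for the incident, not as proof of which strain was involved.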

[![Ransomware](https://media.mailhop.org/duocircle/images/2022/07/smtp-7563.jpg)](https://media.mailhop.org/duocircle/images/2022/07/smtp-7563.jpg)

## **Mitigation Measures for Maui Ransomware**

The FBI, CISA, and Treasury have issued mitigation measures for the Healthcare and Public Health (HPH) Sector and other critical infrastructure organizations to prepare for, mitigate/prevent, and respond to ransomware incidents.

1. **_Limit data access:_** HPH sector organizations need to limit data access by deploying public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things (IoT) medical devices, and the electronic health record system. They should also ensure that data packets are not manipulated in transit by man-in-the-middle attacks.
2. **_Use standard user accounts:_** On internal systems, HPH sector organizations must utilize standard user accounts rather than administrative accounts.
3. **_Turn off network device management interfaces:_** Disable Telnet, SSH, Winbox, and HTTP for wide area networks (WANs) and secure them with strong passwords and encryption.
4. **_Secure systems:_** Secure the collection, storage, and processing practices for PII (Personally Identifiable Information) and PHI, per regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Implementing HIPAA security measures can prevent the introduction of malware to the system.
5. **_Use multilayer network segmentation:_** Implement multilayer network segmentation so that the most sensitive communications and data are confined to the most reliable and secure layer.
6. **_Review Internal Policies Regularly:_** Ensure that internal policies governing the collection, storage, access, and monitoring of PII/PHI are created and reviewed on a regular basis.

Furthermore, the FBI, CISA, and the Treasury have recommended that all businesses, including those in the HPH Sector, follow the advice below when dealing with ransomware situations.

## **How to Prepare for Ransomware Attacks?**

Maintaining offline backups of data and regularly testing backup and restoration go a long way toward recovering from ransomware attacks. This ensures that operations can continue during a ransomware attack and safeguards against data loss.

One must also ensure that all backup data is secured. Protected data should include the complete data architecture of the organization. Every organization should make, keep, and practice a basic cyber event response plan. Besides, organizations should also ensure that their incident response and communications strategies contain methods for responding to and notifying victims of data breaches.

## **How to Prevent Ransomware Attacks?**

The CSA lists measures that can be adopted to prevent ransomware in the first place.

1. Implement a user [training program](/email-security/the-importance-of-email-security-for-the-education-sector/), including [phishing exercises](/email-security/cybersecurity-best-practices-for-the-healthcare-industry-in-2022/), to educate users about the dangers of visiting suspicious websites, clicking on suspicious links, and downloading suspicious attachments.
2. Install operating system, software, and firmware upgrades as soon as they are available.
3. Use strong passwords and avoid using the same password across different accounts. Consider including an email banner in communications sent from outside your organization.
4. Disable hyperlinks in received emails.
5. Require administrator privileges to install software.
6. Install and keep antivirus and antimalware software up to date on all hosts.
7. Use only secure networks and avoid public Wi-Fi networks.

[![phishing exercises](https://media.mailhop.org/duocircle/images/2022/07/buy-smtp-7564.jpg)](https://media.mailhop.org/duocircle/images/2022/07/buy-smtp-7564.jpg)

## **How to Handle Ransomware Incidents**

If a ransomware attack hits your organization, you can take the following steps:

- Look for backups of your data. If feasible, scan backup data using an antivirus program to ensure that it is malware-free. To prevent exposing backups to potential compromise, execute this step on an isolated, trustworthy server.
- Observe and follow the notification standards established in your cyber incident response strategy.
- You can contact the FBI at a local FBI Field Office, CISA at us-cert.cisa.gov/report, or the US Secret Service (USSS) at a USSS Field Office to report any incidents.

## **Roadway Ahead: Request for Information**

North Korean state-sponsored cyber actors are likely to believe that healthcare institutions are prepared to pay ransoms since these organizations provide services that are important to human life and health. As previously indicated, the FBI discourages paying ransoms. Payment does not ensure file recovery and may empower attackers to attack more organizations, encourage other criminal actors to engage in ransomware dissemination, and support unlawful operations.

Regardless of whether you or your organization choose to pay the ransom, the FBI, CISA, and Treasury urge you to promptly report ransomware incidents to the FBI at a local FBI Field Office. Doing so provides the US government with critical information to prevent future attacks by identifying and tracking ransomware actors and holding them accountable under US law.

## **Final Words**

With growing attacks, it is reasonable to conclude that every organization should implement methods, techniques, and processes published under the joint Cybersecurity Advisory (CSA) to prevent Maui ransomware from impacting them. The measures listed above serve as a road map for ransomware prevention, identification, and remediation.

## Topics

News, Security, Updates

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.


