Maui ransomware

2022-07-06, Stairwell
https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf
Stairwell-Threat-Report-Maui-Ransomware.pdf, 342.4 KB
#Ransomware #Maui

Contents (excerpt)

Maui ransomware
Threat report
Silas Cutler, Principal Reverse Engineer
06/07/2022

Table of contents
Technical overview (p. 3)
Encryption (p. 4)
Hard-coded public key (p. 5)
Runtime keys (p. 6)
File encryption (p. 6)
Appendix (p. 8)
PoC key extractor (p. 8)
YARA rules (p. 9)
Files (p. 10)

As ransomware has grown to epidemic proportions, the ecosystems of Ransomware-as-a-Service
(RaaS) gangs such as Conti, LockBit, and BlackCat have become broadly recognizable. Outside that
ecosystem are other ransomware families that receive less attention yet are important to study,
because they broaden our understanding of the ways threat actors may conduct extortion operations.

In June 2022, the Stairwell research team investigated one of these lesser-known families, the Maui
ransomware. Maui stood out to us because it lacks several key features we commonly see in tooling
from RaaS providers, such as an embedded ransom note providing recovery instructions or an
automated means of transmitting encryption keys to the attackers. Instead, we believe that Maui is
manually operated: operators specify which files to encrypt when executing it and then
exfiltrate the …

IoC

2b60cac8db23c4cc7ab5df262da42b78
321b866428aa04360376e6a390063570
45d8ac1ac692d6bb0fe776620371fca0
5b7ecf7e9d0715f1122baf4ce745c5fc
830207029d83fd46a4a89cd623103ba2
d769dee48150616753fec4d6da16e99e

YARA rule
rule MauiRansomware
{
    meta:
        author = "Silas Cutler ([email protected])"
        description = "Detection for Maui Ransomware"
        version = "0.1"
    strings:
        $ = "Unable to read public key info." wide
        $ = "it by <Godhead> using -maui option." wide
        $ = "Incompatible public key version." wide
        $ = "maui.key" wide
        $ = "maui.evd" wide
        $ = "Unable to encrypt private key" wide
        $ = "Unable to create evidence file" wide
        $ = "PROCESS_GOINGON[%d%% / %d%%]: %s" wide
        $ = "demigod.key" wide
        $ = "Usage: maui [-ptx] [PATH]" wide
        $ = "-p dir: Set Log Directory (Default: Current Directory)" wide
        $ = "-t n: Set Thread Count (Default: 1)" wide
        $ = "-x: Self Melt (Default: No)" wide
        // File header loading (32-bit)
        $ = { 44 24 24 44 49 56 45 ?? 44 24 28 01 00 00 00 ?? 44 24 2C 10 00 00 00 }
        $ = { 44 4F 47 44 ?? ?? 04 01 00 00 00 }
    condition:
        3 of them or
        (
            uint32(filesize-8) == 0x00000001 and
            uint32(filesize-12) == 0x5055424B
        )
}
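The rule above has two independent branches: at least three of the listed strings or hex patterns, or a fixed 12-byte trailer at the end of the file. Two details matter when reading it: `wide` strings are matched as UTF-16LE, and YARA's `uint32()` reads little-endian, so the constant 0x5055424B corresponds to the byte sequence `4B 42 55 50` ("KBUP") twelve bytes before the end of the file. The following Python re-implements the condition in plain code so those semantics can be checked against constructed input. It is an added example, not Stairwell's PoC key extractor or any code from the report; the sample byte strings are constructed here and are not Maui samples.

```python
"""Plain-Python re-implementation of the MauiRansomware YARA condition.

Added example for illustration; the sample inputs below are constructed,
not real Maui files.
"""
import struct

# Wide (UTF-16LE) strings, copied from the YARA rule.
WIDE_STRINGS = [
    "Unable to read public key info.",
    "it by <Godhead> using -maui option.",
    "Incompatible public key version.",
    "maui.key",
    "maui.evd",
    "Unable to encrypt private key",
    "Unable to create evidence file",
    "PROCESS_GOINGON[%d%% / %d%%]: %s",
    "demigod.key",
    "Usage: maui [-ptx] [PATH]",
    "-p dir: Set Log Directory (Default: Current Directory)",
    "-t n: Set Thread Count (Default: 1)",
    "-x: Self Melt (Default: No)",
]

# Hex patterns from the rule; '??' is a one-byte wildcard.
HEX_PATTERNS = [
    "44 24 24 44 49 56 45 ?? 44 24 28 01 00 00 00 ?? 44 24 2C 10 00 00 00",
    "44 4F 47 44 ?? ?? 04 01 00 00 00",
]

# YARA's uint32() is little-endian, so the trailer tag is the bytes b"KBUP".
TRAILER_TAG = 0x5055424B
TRAILER_TAG_BYTES = struct.pack("<I", TRAILER_TAG)


def parse_hex_pattern(pattern):
    """Turn 'AA ?? BB' into (values, mask); mask byte 0x00 marks a wildcard."""
    tokens = pattern.split()
    values = bytes(0 if t == "??" else int(t, 16) for t in tokens)
    mask = bytes(0x00 if t == "??" else 0xFF for t in tokens)
    return values, mask


def hex_pattern_found(data, pattern):
    """Masked byte search, equivalent to a YARA hex string with '??' gaps."""
    values, mask = parse_hex_pattern(pattern)
    n = len(values)
    for i in range(len(data) - n + 1):
        window = data[i:i + n]
        if all((w & m) == v for w, m, v in zip(window, mask, values)):
            return True
    return False


def count_matching_strings(data):
    """Number of distinct rule strings present (what 'N of them' counts)."""
    hits = sum(1 for s in WIDE_STRINGS if s.encode("utf-16-le") in data)
    hits += sum(1 for p in HEX_PATTERNS if hex_pattern_found(data, p))
    return hits


def has_trailer(data):
    """uint32(filesize-12) == 0x5055424B and uint32(filesize-8) == 1, read LE."""
    if len(data) < 12:
        return False
    tag, one = struct.unpack_from("<II", data, len(data) - 12)
    return tag == TRAILER_TAG and one == 1


def matches_maui_rule(data):
    """Same boolean the YARA condition evaluates to."""
    return count_matching_strings(data) >= 3 or has_trailer(data)


# Constructed sample 1: a blob carrying exactly three of the wide strings.
SAMPLE_WITH_STRINGS = (
    b"MZ" + b"\x00" * 16
    + "maui.key".encode("utf-16-le") + b"\x00\x00"
    + "demigod.key".encode("utf-16-le") + b"\x00\x00"
    + "Usage: maui [-ptx] [PATH]".encode("utf-16-le") + b"\x00\x00"
)

# Constructed sample 2: arbitrary content followed by the 12-byte trailer
# (tag, 1, four unchecked bytes) the condition's second branch looks for.
SAMPLE_WITH_TRAILER = b"A" * 64 + struct.pack("<II", TRAILER_TAG, 1) + b"\x00" * 4

if __name__ == "__main__":
    for name, blob in [("strings", SAMPLE_WITH_STRINGS), ("trailer", SAMPLE_WITH_TRAILER)]:
        print(name, count_matching_strings(blob), has_trailer(blob), matches_maui_rule(blob))
```

The trailer branch fires on encrypted output files rather than on the binary itself, which is why it is OR-ed with the string branch; when triaging, keep the two branches separate in reporting so a hit on the footer alone is not mistaken for a copy of the encryptor.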