"Report Provides Updates on July's Maui Ransomware Incident"

Security researchers from Kaspersky have recently published a new advisory providing additional technical details and attribution findings regarding the Maui ransomware incident that the Cybersecurity and Infrastructure Security Agency (CISA) disclosed in July. The researchers moved CISA's "first seen" date for Maui back from May 2021 to April 15, 2021, and broadened the set of known targets beyond the United States to organizations in other countries, including Japan, India, Vietnam, and Russia. Because the malware used in this early incident was compiled on April 15, 2021, and all known Maui samples share the same compilation date, the researchers noted that this incident is possibly the first ever involving the Maui ransomware. The researchers also linked the ransomware to a North Korean actor. They determined that approximately 10 hours before deploying Maui to the initial target system, the group deployed a variant of the well-known DTrack malware to the same target. Specifically, the Kaspersky Threat Attribution Engine (KTAE) found that the DTrack sample recovered from the victim shared a high degree of code similarity (84%) with previously known DTrack malware. The researchers stated that this data point and others support attributing the incident, with low to medium confidence, to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly.
Infosecurity reports: "Report Provides Updates on July's Maui Ransomware Incident"