Threat report • July 6, 2022

Threat report: Maui ransomware

Watch our on-demand Maui ransomware webinar
Topic: Beneath the surface of Maui ransomware that is targeting the healthcare industry
Presenter: Silas Cutler, Principal Reverse Engineer
Watch now

By Silas Cutler, Principal Reverse Engineer

As ransomware has grown to epidemic proportions, the ecosystems of Ransomware-as-a-Service (RaaS) gangs such as Conti, LockBit, and BlackCat have become broadly recognizable. Outside of that ecosystem, there are other ransomware families that often receive less attention, yet are important to study because they can help broaden our understanding of the ways threat actors may conduct extortion operations. 

In June 2022, the Stairwell research team investigated one of these lesser-known families, the Maui ransomware. Maui stood out to us because of a lack of several key features we commonly see with tooling from RaaS providers, such as an embedded ransom note to provide recovery instructions or automated means of transmitting encryption keys to attackers. Instead, we believe that Maui is manually operated, in which operators will specify which files to encrypt when executing it and then exfiltrate the resulting runtime artifacts. 

There are many aspects to Maui ransomware that are unknown, including usage context. The following report will provide a technical overview of the Maui ransomware; our goal with the publication of our findings is to raise awareness of this ransomware and provide a starting point for other researchers.

Read the full report

Silas Cutler


Resident Hacker

You can contact @silascutler on Twitter about this and other research blogs. Silas has over a decade of research on cyber operations from Russia, China, and the People’s Republic of Korea (DPRK). You can read more of his work on some of these threats on the Stairwell blog, including GOLDBACKDOOR and WhisperGate.