
US Agencies Warn About North Korean Ransomware Attacks on Healthcare Organizations

US federal agencies warned about Maui ransomware attacks against healthcare organizations. The joint advisory by the FBI, CISA, and the U.S. Treasury Department warned that North Korean state-sponsored hackers targeted US Healthcare and Public Health (HPH) Sector organizations with the Maui ransomware variant.

“North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services.”

CISA noted that Maui ransomware attacks had disrupted healthcare organizations for “prolonged periods.” Since May 2021, the FBI has responded to several Maui ransomware incidents.

US authorities expect more Maui ransomware attacks on healthcare organizations

The US federal agencies stated that North Korean hackers assumed that US healthcare organizations were willing to pay a ransom to avoid disruption and protect sensitive data.

“The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health,” the joint cybersecurity advisory warned.

Consequently, the agencies discouraged healthcare organizations from paying ransoms to the North Korean threat actors. Additionally, the agencies warned that paying ransoms would not guarantee data recovery and would violate existing U.S. sanctions on North Korea.

Maui ransomware variant does not require external infrastructure

An analysis of Maui ransomware samples used against healthcare organizations shows they were compiled on April 15, 2021.

However, unlike other ransomware variants, Maui does not require external infrastructure to generate encryption keys. Instead, it requires manual execution by remote attackers via a command-line interface.

“Most modern malware operators have some aspect of manual behavior … at least the advanced ones,” John Bambenek, Principal Threat Hunter at Netenrich, said. “For truly organizational crippling ransomware attacks, threat actors need to manually identify the important assets and the weak points to truly take down a victim.”

Additionally, Maui does not indiscriminately encrypt networks but requires the attackers to select the files to encrypt. Maui ransomware also does not create ransom notes on compromised systems.

“By targeting specific files, the attackers get to choose what is sensitive and what to exfiltrate in a much more tactical fashion when compared to a ‘spray-and-pray’ ransomware,” Tim McGuffin, Director of Adversarial Engineering at LARES Consulting, said.

According to Silas Cutler, Principal Reverse Engineer at Stairwell, Maui ransomware encrypts each file using a 128-bit AES key.

Additionally, the AES key is encrypted using the RSA algorithm with a key pair generated on the first run. That key pair is, in turn, encrypted using a hard-coded RSA public key stored in the malware.

However, researchers have not established if the hard-coded key remains the same or changes with each campaign.

How to protect healthcare organizations from Maui ransomware attacks

The agencies could not determine the attack vector used in the Maui ransomware attacks on healthcare organizations.

“Since the onset of the COVID-19 pandemic, we’ve seen threat actors leverage this global crisis to target healthcare organizations — stealing this highly valuable patient data and creating general unrest,” noted Stephan Chenette, Co-Founder and CTO at AttackIQ.

The advisory did not disclose whether threat actors stole valuable patient data for double extortion purposes.

“This Maui campaign is interesting in that a ransomware campaign is being selective, however, if North Korea is really involved, then it is conceivable that the ransomware activities are only an after-thought for when attackers have exfiltrated the selected data that they want before initiating the encryption of files to block access,” Aaron Turner, CTO, SaaS Protect at Vectra, said.

Turner suggested that the campaign was a combination of ransomware, intellectual property theft, and industrial espionage.

Meanwhile, the federal agencies published the indicators of compromise (IoCs) associated with the Maui ransomware variant and mitigations.

They recommended maintaining offline backups, implementing cyber incident response plans, and keeping software updated.

“To best defend against Maui ransomware attacks, it’s important to understand the common tactics, techniques and procedures used by the adversary,” Chenette added. “In doing so, organizations can build more resilient security detection, prevention and response programs mapped specifically to those known behaviors.”

The agencies advised healthcare organizations and other critical infrastructure organizations to implement the recommendations to keep North Korean hackers at bay.

Healthcare industry under attack

Healthcare organizations are lucrative targets for cyber attacks. Some high-profile organizations have fallen victim to ransomware attacks and data breaches in the past 12 months.

“The healthcare industry is one of the largest targets for cybercriminals due to protected health information (PHI) being extremely profitable on dark web marketplaces,” Chenette said. “This is because healthcare data usually contains fixed information, such as dates of birth and Social Security Numbers, which hackers can use to commit identity theft for years to come.”

Chenette suggested that healthcare organizations adopt a “threat-informed cyber-defense strategy,” focusing on adversaries most likely to impact their operations.

“This should include mapping their security controls to specific attack scenarios, aligned to the MITRE ATT&CK® framework, to measure an organization’s cybersecurity readiness for the attacks that are sure to come.”

Additionally, organizations should automate their solutions to validate their defensive capabilities against various ransomware threats.