North Korean cyberattacks target US healthcare with Maui ransomware

7 Jul 2022


The FBI has identified a state-sponsored ransomware campaign targeting critical services in the US and has warned organisations to be prepared.

US bodies have issued a joint warning on Maui ransomware being used by North Korean threat actors.

The FBI, the US Cybersecurity and Infrastructure Security Agency (CISA) and the US Treasury issued the cybersecurity advisory yesterday (6 July).

It stated that Maui ransomware has been used for state-sponsored cyberattacks from North Korea on the US public health sector since at least May 2021.

In that time, the FBI has responded to multiple Maui ransomware incidents involving public health bodies. The ransomware has been used to encrypt servers used for essential healthcare services such as electronic health records, diagnostics, imaging and intranet. Disruption in some cases went on for prolonged periods.

The initial access vector for these incidents is not yet known. What the FBI has learned is that Maui appears to be designed for manual execution by a remote actor using a command line interface. This is used to interact with the malware and identify the files to encrypt.

This correlates with details in a threat report on Maui issued by Stairwell on the same day.

Maui is a lesser-known ransomware family than the more notorious Conti, and Stairwell’s principal reverse engineer Silas Cutler said it stood out “because of a lack of several key features we commonly see with tooling from [ransomware-as-a-service] providers, such as an embedded ransom note to provide recovery instructions or automated means of transmitting encryption keys to attackers”.

The earliest identified copy of Maui was first spotted by Stairwell’s Inception platform in April this year, but all copies identified by the cybersecurity firm share a compilation timestamp dated to April 2021.

Ransomware attacks on healthcare providers are not unusual. Ireland suffered one such attack in May 2021, when the Health Service Executive (HSE) was targeted. That attack used Conti ransomware.

“These groups are targeting healthcare organisations on purpose because they know the emotional impact of doing so will help them force the extortion payments,” said Adam Flatley, director of threat intelligence at Redacted and member of the US ransomware task force.

“It’s critical that governments and the private sector not only help with preparation and resilience to mitigate ransomware attacks, but also bring tangible consequences to the threat actors,” Flatley added. “What is still missing is a well-coordinated public-private campaign against them to dismantle their criminal organisations.”

Paying ransoms to the Maui cyberattackers is strongly discouraged, and the US advisory notes that paying out to North Korean attackers could pose sanctions risks.

It is also widely agreed by cybersecurity experts that paying ransoms does not guarantee files and records will be recovered and can also encourage further attacks.

The various US agencies have advised healthcare providers and other critical infrastructure services to take action to reduce the chance of an attack.

Suggested measures include limiting access to data by using a public key infrastructure and digital certificates to authenticate every connection to a network, including internet of things and medical devices.

The advisory also recommends enhanced security measures from strong passwords to encryption and firewalls, to limiting access to administrator privileges.

To prepare for an attack, organisations are advised to maintain offline, encrypted back-ups of data and to test them regularly so that services can be restored in an emergency.


Elaine Burke is the host of For Tech’s Sake, a co-production from Silicon Republic and The HeadStuff Podcast Network. She was previously the editor of Silicon Republic.
