
North Korean Attackers Targeting Healthcare Orgs with Maui Ransomware

by Chris Brook on Wednesday July 6, 2022


A new Cybersecurity Advisory from the FBI, CISA, and the U.S. Treasury warns that cyber actors affiliated with the DPRK have been using the ransomware since May 2021.

Cyberattacks, unfortunately for many years now, have made working at healthcare organizations a challenge. That in and of itself isn't news, but the U.S. government is warning that of late, some attackers based in North Korea have made it even harder by deploying a relatively new strain of ransomware that has been taking out servers responsible for many essential, day-to-day activities, like helping manage electronic health records (EHRs) and medical imaging.

In a joint advisory published by three government agencies – the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the U.S. Treasury Department – the U.S. warned organizations in the healthcare and public health sector on Wednesday that North Korean attackers have been carrying out attacks with Maui, a strain of ransomware.

Adversaries have been using the ransomware in attacks to encrypt servers used in routine hospital and healthcare work, like those responsible for medical imaging, accessing EHRs, diagnostics services, and facilitating intranet services.

While the FBI didn’t disclose exactly which organizations were hit or how their systems were breached, it did say that in some cases the attacks led to lengthy disruptions, which, as previous incidents have shown, can have an adverse effect on patient health and morale.

It’s unclear what prompted the advisory. The FBI says it has been responding to incidents involving Maui since May 2021, but it doesn’t specify how many incidents it has seen in 2022 so far.

As some experts, including Mandiant’s John Hultquist, have theorized on Twitter, it wouldn’t be a surprise if attackers were attempting to monetize their remaining access - access initially gained in the middle of the COVID-19 pandemic - as their cyber espionage efforts are winding down.

The joint advisory cites research on Maui recently carried out by Stairwell, a company that helps security teams carry out threat hunting, detection, and response. In it, researchers posit the ransomware – which uses a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption - has been designed for manual execution by a remote actor using a command-line interface to interact with it and identify which files are worth encrypting.

"We believe that Maui is manually operated, in which operators will specify which files to encrypt when executing it and then exfiltrate the resulting runtime artifacts," Silas Cutler, a principal reverse engineer with the firm wrote today.

Stairwell says the earliest identified copy of the malware collected by its researchers carried a compilation timestamp of April 15, 2021, a date which coincides with the FBI’s claim that attacks date back to May 2021.

To mitigate the ransomware, the government agencies are encouraging organizations to review indicators of compromise associated with Maui, in addition to following best practices like limiting access to data, turning off network device management interfaces, and securing personally identifiable information and other stored data, including PHI, in line with industry regulations.

Tags:  Ransomware
