HPH Sector Warned of Targeted Ransomware Attacks by North Korean State-sponsored Hackers

A warning has been issued to the healthcare and public health (HPH) sector that North Korean state-sponsored hackers are conducting targeted ransomware attacks using Maui ransomware.

The warning was issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury, and states that targeted campaigns against the HPH sector have been conducted since at least May 2021. Ransomware attacks are conducted to extort money from victims. The threat actors first gain access to the network, then move laterally within it, and finally deploy ransomware that encrypts files. A ransom demand is then issued for the keys needed to decrypt the files.

The attacks prevent access to business-critical information, and essential systems are taken offline. It can take weeks or even months to fully recover. Attacks on healthcare providers can render patient information inaccessible, take electronic medical records offline, disrupt diagnostic and imaging services, and force entire computer networks to be shut down. Appointments often have to be canceled, patients may need to be redirected to other facilities, and there is considerable potential for patients to come to harm. It is for these very reasons that the healthcare industry is targeted: the need to recover quickly is much greater, and paying the ransom is often seen as the fastest way to shorten the recovery time.

There is, however, no guarantee that paying the ransom will accelerate recovery. The attackers may not provide the keys to decrypt files and may not even have the capability to do so. There have been cases where a victim has paid the ransom demand, only to be issued with further demands for payment. Even if the ransom is paid, data loss is common.

In the alert, the federal agencies also drew attention to another issue with paying the ransom. Doing so – especially when the attacks have been conducted on behalf of foreign governments – could involve sanctions risks. The Treasury’s Office of Foreign Assets Control (OFAC) has designated numerous malicious cyber actors under its cyber-related sanctions program, and payments to those groups are prohibited as they pose a risk to national security.

While the FBI said it understands that healthcare organizations may need to consider paying the ransom to lessen the harm caused, it is vital to first check that the malicious actor is not covered by the OFAC sanctions program and, in all cases, irrespective of whether any ransom is paid, to share information about any detected ransomware attack with the FBI and CISA.

According to an industry analysis of Maui ransomware, it is deployed manually by attackers after gaining access to victims’ networks. The exact method used to gain access to networks in these attacks is not known, but common attack vectors such as the exploitation of vulnerabilities, Remote Desktop Protocol, phishing, and credential stuffing are likely used.

Recommended mitigations have been shared in the alert, along with Indicators of Compromise (IoC) that can be used by network defenders to detect and block attacks in progress. The HPH sector is encouraged to take proactive steps to prevent attacks and improve its monitoring capabilities as there are no signs that the attacks on the HPH sector will stop in the foreseeable future.

About Ryan Coyne