A warning has been issued to the healthcare and public health (HPH) sector that North Korean state-sponsored hackers are conducting targeted ransomware attacks using Maui ransomware.
The warning was issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury, and states that targeted campaigns against the HPH sector have been conducted since at least May 2021. Ransomware attacks are conducted to extort money from victims: the threat actors gain access to the network, move laterally within it to reach as many systems as possible, and then deploy ransomware that encrypts files. A ransom demand is then issued in exchange for the keys needed to decrypt the files.
The attacks prevent access to business-critical information, and essential systems are taken offline. It can take weeks or even months to fully recover. Attacks on healthcare providers can render patient information inaccessible, take electronic medical records offline, disrupt diagnostic and imaging services, and force entire computer networks to be shut down. Appointments often have to be canceled, patients may need to be redirected to other facilities, and there is considerable potential for patients to come to harm. It is for these very reasons that the healthcare industry is targeted: the pressure to recover quickly is far greater than in most other sectors, and paying the ransom is often seen as the fastest way to shorten recovery time.
There is, however, no guarantee that paying the ransom will accelerate recovery. The attackers may not provide the keys to decrypt files and may not even have the capability to do so. There have been cases where a victim has paid the ransom demand, only to be issued with further demands for payment. Even if the ransom is paid, data loss is common.
In the alert, the federal agencies also drew attention to another issue with paying the ransom. Doing so – especially when the attacks have been conducted on behalf of foreign governments – could involve sanctions risks. The Treasury’s Office of Foreign Assets Control (OFAC) has designated numerous malicious cyber actors under its cyber-related sanctions program, and payments to those groups are prohibited as they pose a risk to national security.
While the FBI said it understands that healthcare organizations may need to consider paying the ransom to lessen the harm caused, it is vital to first check to make sure that the malicious actor is not covered by the OFAC sanctions program, and in all cases, irrespective of whether any ransom is paid, to share information with the FBI and CISA about any detected ransomware attack.
According to an industry analysis of Maui ransomware, it is deployed manually by the attackers after they have gained access to a victim's network and selected the files to encrypt. The exact method used to gain initial access in these attacks is not known, but common attack vectors such as the exploitation of unpatched vulnerabilities, exposed Remote Desktop Protocol (RDP) services, phishing, and credential stuffing are likely used.
Recommended mitigations have been shared in the alert, along with Indicators of Compromise (IoCs) that network defenders can use to detect and block attacks in progress. The HPH sector is encouraged to take proactive steps to prevent attacks and to improve its monitoring capabilities, as there are no signs that attacks on the HPH sector will stop in the foreseeable future.