Here today, gone to Maui: That's your data captured by North Korean ransomware
CISA, FBI, US Treasury warn Kim Jong-un's latest malware has hit healthcare orgs
For the past year, state-sponsored hackers operating on behalf of North Korea have been using ransomware called Maui to attack healthcare organizations, US cybersecurity authorities said on Wednesday.
Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Treasury Department issued a joint advisory outlining a Pyongyang-orchestrated ransomware campaign that has been underway at least since May, 2021.
The initial access vector – the way these threat actors break into organizations – is not known. Even so, the FBI says it has worked with multiple organizations in the healthcare and public health (HPH) sector infected by Maui ransomware.
"North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services – including electronic health records services, diagnostics services, imaging services, and intranet services," the joint security advisory [PDF] reads. "In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods."
The Feds assume the reason HPH sector organizations have been targeted is that they will pay ransoms rather than risk being locked out of systems, being denied data, or having critical services interrupted.
Maui, according to Silas Cutler, principal reverse engineer at security outfit Stairwell, is one of the lesser known families of ransomware. He says it stands out for its lack of service-oriented tooling, such as an embedded ransom note with recovery instructions. That leads him to believe Maui is operated manually by individuals who specify which files should be encrypted and exfiltrated.
- FBI warns of North Korean cyberspies posing as foreign IT workers
- North Korea says it's launched a third hypersonic missile, this time reaching Mach 10
- North Korea pulled in $400m in cryptocurrency heists last year – report
- Cryptocurrency laundromat Blender shredded by US Treasury in sanctions first
The advisory, based on Stairwell's research [PDF], indicates that the Maui ransomware is an encryption binary that a remote operator manually executes through command line interaction. The ransomware deploys AES, RSA, and XOR encryption to lock up target files. Thereafter, the victim can expect a ransom payment demand.
According to SonicWall, there were 304.7 million ransomware attacks in 2021, an increase of 151 percent. In healthcare, the percentage increase was 594 percent.
CrowdStrike, another security firm, in its 2022 Global Threat Report said North Korea has shifted its focus to cryptocurrency entities "in an effort to maintain illicit revenue generation during economic disruptions caused by the pandemic." For example, consider the recent theft of $100 million of cryptocurrency assets from Harmony by the North Korea-based cybercrime group Lazarus. But organizations that typically transact with fiat currencies aren't off the hook.
Sophos, yet another security firm, said in its State of Ransomware Report 2022 that the average ransom payment last year was $812,360, a 4.8X increase from the 2020 when the average payment was $170,000. The company also said more victims are paying ransoms: 11 percent in 2021 compared to 4 percent in 2020.
The advisory discourages the payment of ransoms. Nonetheless, the FBI is asking any affected organization to share information related to ransomware attacks, such as communication with foreign IP addresses, Bitcoin wallet details, and file samples. The advisory goes on to suggest ways to mitigate ransomware attacks and minimize damage.
Last month, the US Justice Department outlined its Strategic Plan for the next four years and cited enhancing cybersecurity and fighting cybercrime among its objectives. One of its key metrics for success will be the "percent of reported ransomware incidents from which cases are opened, added to existing cases, or resolved or investigative actions are conducted within 72 hours." ®