NORTH KOREAN STATE ACTORS DEPLOY SURGICAL RANSOMWARE (MAUI) ON US HEALTHCARE ORGS.
North Korean state-sponsored threat actors are targeting organizations in the US healthcare and public health sectors.
The FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and the Treasury Department warned on Wednesday that the attacks are being carried out with a somewhat unusual, manually operated new ransomware tool called “Maui”.
Since May 2021, there have been multiple incidents in which threat actors operating the malware have encrypted servers responsible for critical healthcare services, including diagnostic services, electronic health records servers, and imaging servers at organizations in the targeted sectors.
In some instances, the Maui attacks disrupted services at the victim organizations for a prolonged period.
The three agencies said in an advisory: “The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health. Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting healthcare and public health sector organizations.”
Designed for Manual Operation
The malware appears to have been developed for manual execution: a remote attacker interacts with Maui through a command-line interface and instructs it to encrypt selected files on the infected machine and send the encryption keys back to the attacker. There is no automated, fire-and-forget spread; an operator chooses what to encrypt.
Silas Cutler, principal reverse engineer at Stairwell, says the design of Maui’s file-encryption workflow is fairly consistent with other modern ransomware families. What sets it apart is the absence of a ransom note.
“The lack of an embedded ransom note with recovery instructions is a key missing attribute that sets it apart from other ransomware families,” he says.
How To Stay Protected
Researchers say that to protect themselves, healthcare organizations should invest in a solid backup strategy: copies kept offline or otherwise out of reach of an attacker who already holds credentials on the network, with their integrity checked and restores actually tested rather than assumed.
Healthcare organizations should also segment their networks and isolate environments so that ransomware which lands on one system cannot spread laterally to the servers that run clinical services.
Avivi notes in an email that these basic cyber-hygiene steps are a much better route for organizations preparing for a ransomware attack [than stockpiling Bitcoins to pay a ransom]. “We still see organizations fail to take the basic steps mentioned. This, unfortunately, means that when ransomware makes it past their security controls, they will not have a proper backup, and the malicious software will be able to spread laterally through the organization’s networks.”
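The backup advice above only helps if the copies you plan to restore from are still the files you wrote, so a practitioner wants a check that runs against the backup set and flags anything that changed, disappeared, or now looks like ciphertext. The script below is an added example written for this page; it is not code from the advisory, from Stairwell, or from any of the quoted researchers. It builds a SHA-256 manifest over a backup tree, then re-verifies the tree and reports files that are missing, modified, or modified and high-entropy (encrypted files sit close to 8 bits per byte, plain records far lower). The sample files and the "encrypted" overwrite in demo() are constructed for the example and only imitate what an encrypted file looks like; they do not reproduce Maui's actual cipher or behaviour.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Shannon entropy threshold in bits/byte. Text and CSV records typically land
# around 4-5; properly encrypted data lands near 8. 7.5 leaves headroom for
# compressed or already-encrypted-by-design formats, which would need an allowlist.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path: str) -> str:
    """Streamed SHA-256 of a file, so large imaging/EHR dumps do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 for empty or single-symbol data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: str) -> dict:
    """Map of relative path -> SHA-256, taken when the backup is known-good.
    Store this manifest somewhere the backup host cannot overwrite it."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root: str, manifest: dict, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Re-check a backup tree against its manifest. 'suspect_encrypted' is the subset
    of 'modified' whose leading 64 KiB looks like ciphertext."""
    report = {"ok": [], "modified": [], "missing": [], "suspect_encrypted": []}
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, *rel.split("/"))
        if not os.path.exists(full):
            report["missing"].append(rel)
            continue
        if sha256_file(full) == expected:
            report["ok"].append(rel)
            continue
        report["modified"].append(rel)
        with open(full, "rb") as f:
            head = f.read(65536)
        if shannon_entropy(head) >= threshold:
            report["suspect_encrypted"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: snapshot a small backup tree, then tamper with it."""
    root = tempfile.mkdtemp(prefix="backup-check-")
    sample_files = {  # constructed sample data, not real records
        "ehr/records.csv": ("patient_id,visit_date,diagnosis_code\n" * 200).encode(),
        "imaging/study.txt": ("STUDY 0042 MODALITY CT SLICES 120\n" * 100).encode(),
        "labs/results.txt": ("sample,analyte,value,unit\n" * 150).encode(),
    }
    for rel, data in sample_files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    manifest = build_manifest(root)

    # Simulate an encrypted file: deterministic pseudo-random bytes standing in for
    # ciphertext (this is NOT Maui's cipher, just something with ciphertext-like entropy).
    pseudo_ciphertext = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    with open(os.path.join(root, "ehr", "records.csv"), "wb") as f:
        f.write(pseudo_ciphertext)
    # Simulate a deleted backup file.
    os.remove(os.path.join(root, "labs", "results.txt"))

    return verify_backup(root, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In the demo the overwritten records.csv is reported under both modified and suspect_encrypted, results.txt under missing, and only study.txt passes. The manifest has to live somewhere the backup host cannot write to (a separate append-only store or a signed copy), otherwise an operator with credentials on that host can regenerate it after encrypting the files and the check tells you nothing.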