Feds Warn of Threat of Maui Ransomware Attacks By North Korean State-Sponsored Hackers

A joint security alert has been issued to the healthcare and public health sector by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury warning about the threat of Maui ransomware attacks.

Since May 2021, North Korean state-sponsored cyber actors have been targeting organizations in the U.S. healthcare and public health sector and have been encrypting servers that support electronic medical record systems and diagnostic, imaging, and intranet services. These attacks have resulted in data encryption which has disrupted the services provided to patients and, in some cases, has resulted in disruption to services for long periods.

According to the advisory, the threat actors first gain initial access to healthcare networks and then deploy the ransomware manually, using a command-line interface to control the ransomware payload and launch attacks. Healthcare organizations are an attractive target for ransomware threat actors because they rely heavily on data to provide their services. Attacks can cause major disruption and loss of revenue, and can threaten patient safety. As such, healthcare organizations are seen as more likely to pay ransoms and to negotiate payments quickly. For this reason, the FBI, CISA, and the Treasury believe that the healthcare and public health sector will continue to be targeted.

The FBI obtained a sample of Maui ransomware and shared technical details based on its analysis. The methods used by North Korean threat actors to gain initial access to healthcare networks are not understood at this stage, but details have been shared about how attacks are conducted, along with indicators of compromise (IoCs) and a list of mitigations that healthcare and public health sector organizations are encouraged to implement as soon as possible.


The payment of ransom demands is highly discouraged by the FBI, CISA, and the Treasury. Payment does not guarantee file recovery, further ransom demands may be issued after payment is made, and there is no guarantee that it will be possible to decrypt files after paying the ransom. The alert also draws attention to the risk of sanctions by the Office of Foreign Assets Control (OFAC) of the U.S. Treasury if payment is made.

The alert draws attention to a September 2021 advisory from the Treasury that encourages all entities, including those in the healthcare and public health sector, to adopt and improve their cybersecurity practices. When the measures recommended in that advisory have been implemented, OFAC is more likely to resolve apparent sanctions violations involving ransomware payments with a non-public enforcement response.

The FBI says it understands that when a healthcare organization is faced with an inability to function, all options should be evaluated, including paying the ransom to protect shareholders, employees, and patients. In the event of an attack, regardless of whether the ransom is paid, the FBI should be notified, and information shared about the attack, including boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files.

A long list of mitigations has been provided to help healthcare and public health sector organizations improve their defenses against these and other ransomware attacks. The mitigations, IoCs, and technical analysis of Maui ransomware can be found in the joint advisory.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.