
North Korea Attacks Health Sector With Maui Ransomware
On July 6, 2022, CISA issued a new national cyber awareness system alert (AA22-187A). Here’s what you need to know — and do next.
U.S. federal agencies issued a joint advisory on July 6, warning that North Korean state-sponsored cyber actors are targeting the health sector using Maui ransomware. The operators of this ransomware have been allegedly using it to encrypt servers that hold sensitive health records, imaging services and more, before demanding a ransom to free the servers.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) are releasing this joint Cybersecurity Advisory (CSA) to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.
This joint CSA provides information — including tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) — on Maui ransomware obtained from FBI incident response activities and industry analysis of a Maui sample. The FBI, CISA, and Treasury urge HPH Sector organizations as well as other critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to reduce the likelihood of compromise from ransomware operations. Victims of Maui ransomware should report the incident to their local FBI field office or CISA.
The FBI, CISA, and Treasury highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks. Note: in September 2021, Treasury issued an updated advisory highlighting the sanctions risks associated with ransomware payments and the proactive steps companies can take to mitigate such risks. Specifically, the updated advisory encourages U.S. entities to adopt and improve cybersecurity practices and report ransomware attacks to, and fully cooperate with, law enforcement. The updated advisory states that when affected parties take these proactive steps, Treasury’s Office of Foreign Assets Control (OFAC) would be more likely to resolve apparent sanctions violations involving ransomware attacks with a non-public enforcement response.
For more information on state-sponsored North Korean malicious cyber activity, see CISA’s North Korea Cyber Threat Overview and Advisories webpage. Download the PDF version of this report: pdf, 553 kb.
MEDIA COVERAGE OF THE NEW MAUI RANSOMWARE THREAT
The Register — “Here today, gone to Maui: That’s your data captured by North Korean ransomware”: “For the past year, state-sponsored hackers operating on behalf of North Korea have been using ransomware called Maui to attack healthcare organizations, US cybersecurity authorities said on Wednesday.
BleepingComputer —US govt warns of Maui ransomware attacks against healthcare orgs”: “According to a threat report authored by Stairwell principal reverse engineer Silas Cutler, Maui ransomware is manually deployed across compromised victims’ networks, with the remote operators targeting specific files they want to encrypt.
Dark Reading — “North Korean State Actors Deploy Surgical Ransomware in Ongoing Cyberattacks on US Healthcare Orgs”: “Silas Cutler, principal reverse engineer at Stairwell, says the design of Maui’s file-encryption workflow is fairly consistent with other modern ransomware families. What’s really different is the absence of a ransom note.
ANOTHER INDUSTRY PERSPECTIVE
FINAL THOUGHTS
See More Stories by Dan Lohrmann
*** This is a Security Bloggers Network syndicated blog from Lohrmann on Cybersecurity authored by Lohrmann on Cybersecurity. Read the original post at: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/north-korea-attacks-health-sector-with-maui-ransomware