
Feds Issue Warning for North Korean-backed Ransomware Hijackers

While the well-known ransomware strains LockBit and Conti regularly plague the healthcare sector, a new North Korean-backed entry dubbed Maui is garnering enough attention that three federal agencies have jointly issued a communique regarding its danger to U.S. Healthcare and Public Health (HPH) organizations.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Treasury Department recently issued a joint advisory warning of North Korean-backed threat actors using the little-known Maui ransomware in attacks against HPH facilities. The FBI said it has been involved in dampening multiple ransomware attacks in which the perpetrators used the Maui strain to hobble HPH facilities in the U.S.

Maui's Unknown Destructive Potential

One way Maui hackers differ from other attackers is that there is no ransom note with instructions for victims to restore their data. The remote hackers are said to deploy the malware manually across networks to pick and choose which files to hijack. At this point, Maui’s destructive potential is not clearly known.

The federal agencies issued a warning in the bulletin:

"North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services — including electronic health records services, diagnostics services, imaging services, and intranet services. In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods. The initial access vector(s) for these incidents is unknown."

Paying Ransom Discouraged

The three U.S. federal agencies also provided indicators of compromise (IOCs) obtained by the FBI while responding to Maui ransomware attacks since May 2021, as well as mitigation recommendations. They strongly discourage paying ransoms because doing so does not guarantee victims’ files will be restored and may run afoul of Department of Treasury sanctions linked to such payments.

The FBI said it is seeking any information that can be shared regarding Maui, to include boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files.

It’s not the first time the U.S. has run into North Korean state-sponsored hackers attacking healthcare organizations. Five years ago, the U.S. and U.K. accused the rogue state of springing the WannaCry malware to severely disrupt healthcare and other sectors worldwide.

How to Avoid a Maui Attack

The FBI, CISA, and Treasury recommend HPH sector organizations deploy these nine mitigations to avoid a Maui attack:

  1. Limit access to data by deploying public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things (IoT) medical devices, and the electronic health record system, as well as to ensure data packages are not manipulated while in transit from man-in-the-middle attacks.
  2. Use standard user accounts on internal systems instead of administrative accounts, which allow for overarching administrative system privileges and do not ensure least privilege.
  3. Turn off network device management interfaces such as Telnet, SSH, Winbox, and HTTP for wide area networks (WANs) and secure with strong passwords and encryption when enabled.
  4. Secure personal identifiable information (PII)/patient health information (PHI) at collection points and encrypt the data at rest and in transit by using technologies such as Transport Layer Security (TLS). Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available if data is ever compromised.
  5. Protect stored data by masking the permanent account number (PAN) when it is displayed and rendering it unreadable when it is stored—through cryptography, for example.
  6. Secure the collection, storage, and processing practices for PII and PHI, per regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Implementing HIPAA security measures can prevent the introduction of malware on the system.
  7. Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer.
  8. Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.
  9. Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI.
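
One way to check mitigation 3 on a Linux-based edge device, as an added example that is not part of the advisory or the original article: the script parses `ss -H -tln` output and flags Telnet, SSH, Winbox, or HTTP listeners reachable outside a dedicated management subnet. The sample output, the `10.20.0.0/24` management subnet, and the use of each protocol's default TCP port are assumptions made for illustration.

```python
import ipaddress

# Management protocols named in mitigation 3, keyed by default TCP port.
MGMT_PORTS = {23: "Telnet", 22: "SSH", 8291: "Winbox", 80: "HTTP"}

# Constructed sample of `ss -H -tln` output from a hypothetical edge device.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:80 0.0.0.0:*
LISTEN 0 5 203.0.113.10:23 0.0.0.0:*
LISTEN 0 128 10.20.0.1:8291 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 203.0.113.10:443 0.0.0.0:*
"""

def split_local(field):
    """Split the local address:port column, handling [v6]:port and *:port."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any zone id
    return host, int(port)

def wan_reachable(host, mgmt_nets):
    """True if the bind address is a wildcard or lies outside the mgmt subnets."""
    if host in ("*", "0.0.0.0", "::"):
        return True  # wildcard bind answers on every interface, WAN included
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return False
    return not any(addr in net for net in mgmt_nets)

def audit(ss_output, mgmt_cidrs=("10.20.0.0/24",)):
    """Return (protocol, bind address, port) for each exposed management listener."""
    nets = [ipaddress.ip_network(c) for c in mgmt_cidrs]
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        host, port = split_local(cols[3])
        if port in MGMT_PORTS and wan_reachable(host, nets):
            findings.append((MGMT_PORTS[port], host, port))
    return findings

if __name__ == "__main__":
    for proto, host, port in audit(SAMPLE_SS):
        print(f"exposed management interface: {proto} on {host}:{port}")
```

A listener bound only to the management subnet or to loopback is not reported; services moved to non-default ports will be missed and need a separate check.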
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.