US: North Korean Hackers Targeting Healthcare Sector With Maui Ransomware

US government agencies this week issued a joint advisory to warn of North Korean threat actors using the Maui ransomware in attacks targeting the healthcare and public health sector.

Since May 2021, North Korean government-backed threat actors have been using Maui ransomware to disrupt healthcare services such as diagnostics, electronic health records, imaging, and intranet services, reads the joint advisory from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury.

Maui ransomware utilizes a combination of AES, RSA, and XOR for the encryption process: files are encrypted with AES using a unique key that is then encrypted using a RSA key-pair generated when Maui first runs, and the RSA public key is then encrypted using a hard-coded RSA public key.

“During encryption, Maui creates a temporary file for each file it encrypts using GetTempFileNameW(). Maui uses the temporary to stage output from encryption. After encrypting files, Maui creates maui.log, which contains output from Maui execution. Actors likely exfiltrate maui.log and decrypt the file using associated decryption tools,” the advisory reads.

According to security researchers at threat hunting firm Stairwell, Maui is likely operated manually, as it lacks some of the key features typically used by ransomware-as-a-service (RaaS) families. This allows the attackers to select which files to encrypt, as well as to exfiltrate the resulting runtime artifacts.

The agencies say the attacks coming from theNorth Korean state-sponsored threat actors behind the Maui ransomware attacks are likely to continue.

“The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health. Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting HPH Sector organizations,” the joint advisory reads.

The three US agencies urge organizations in the healthcare sector to mitigate the threat posed by Maui and other ransomware families out there by applying the principle of least privilege, disabling unused network protocols, securing and encrypting personal and health information, implementing multi-layer network segmentation, and continuously monitoring their environments for anomalous behavior.

They should also maintain offline, encrypted backups of all data, should create and maintain a basic cyber incident response plan, keep all of their applications and systems updated at all times, implement multi-factor authentication, require administrative privileges for installing software, and install and maintain an antimalware solution.

Just last week, the North Korea-linked Lazarus hacking group was suspected to be behind a $100 million crypto hack of Harmony’s Horizon Bridge, based on data and research from blockchain analytics firm Elliptic.

Related: Beating Ransomware With Advanced Backup and Data Defense Technologies

Related: The Psychology of Ransomware Response

Related: Hackers Continue Aiding North Korea Generate Funds via Crypto Attacks

Related: US Details Chinese Attacks Against Telecoms Providers

Related: US Agencies Warn Organizations of Log4Shell Attacks Against VMware Products