SecurityWeek


US: North Korean Hackers Targeting Healthcare Sector With Maui Ransomware

US government agencies this week issued a joint advisory to warn of North Korean threat actors using the Maui ransomware in attacks targeting the healthcare and public health sector.


Since May 2021, North Korean government-backed threat actors have been using Maui ransomware to disrupt healthcare services such as diagnostics, electronic health records, imaging, and intranet services, reads the joint advisory from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury.

Maui ransomware combines AES, RSA, and XOR for its encryption process: each file is encrypted with AES under a unique key, that key is encrypted with an RSA key pair generated when Maui first runs, and the RSA public key is in turn encrypted using a hard-coded RSA public key.

“During encryption, Maui creates a temporary file for each file it encrypts using GetTempFileNameW(). Maui uses the temporary file to stage output from encryption. After encrypting files, Maui creates maui.log, which contains output from Maui execution. Actors likely exfiltrate maui.log and decrypt the file using associated decryption tools,” the advisory reads.
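As an added example (not from the advisory or this article), the following Python triage script runs over constructed Sysmon-style file-creation events and flags the two host artifacts described above: a process that writes maui.log, and a process that creates a burst of temp files of the kind GetTempFileNameW() produces. The event format, process paths and the temp-file naming pattern are assumptions made for the example.

```python
import json
import re
from collections import defaultdict

# Constructed Sysmon-style FileCreate (Event ID 11) records, one JSON object per line;
# the process names and paths are invented for this example.
SAMPLE_EVENTS = r"""
{"EventID": 11, "Image": "C:\\ProgramData\\upd\\svc.exe", "TargetFilename": "C:\\Windows\\Temp\\tmp1A2B.tmp"}
{"EventID": 11, "Image": "C:\\ProgramData\\upd\\svc.exe", "TargetFilename": "C:\\Windows\\Temp\\tmp1A2C.tmp"}
{"EventID": 11, "Image": "C:\\ProgramData\\upd\\svc.exe", "TargetFilename": "C:\\Windows\\Temp\\tmp1A2D.tmp"}
{"EventID": 11, "Image": "C:\\ProgramData\\upd\\svc.exe", "TargetFilename": "C:\\ProgramData\\upd\\maui.log"}
{"EventID": 11, "Image": "C:\\Program Files\\Editor\\editor.exe", "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Temp\\tmpF00D.tmp"}
{"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
"""

# GetTempFileNameW() yields "<prefix of up to 3 chars><hex digits>.tmp" in a Temp directory;
# this naming pattern is an assumption for the example, not a detail from the advisory.
TEMP_NAME = re.compile(r"^[^\\]{0,3}[0-9A-Fa-f]{1,4}\.tmp$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\Temp\\[^\\]+$", re.IGNORECASE)

def parse_events(text):
    """Parse JSON-lines input, keeping only FileCreate (Event ID 11) records."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return [r for r in records if r.get("EventID") == 11 and "TargetFilename" in r]

def is_staging_temp_file(path):
    """True when the file looks like GetTempFileNameW() output inside a Temp directory."""
    return bool(TEMP_DIR.search(path) and TEMP_NAME.match(path.rsplit("\\", 1)[-1]))

def find_suspects(events, temp_threshold=3):
    """Per process image, flag a maui.log write or a burst of staged temp files."""
    per_image = defaultdict(lambda: {"temp_files": 0, "wrote_maui_log": False})
    for rec in events:
        stats = per_image[rec["Image"]]
        name = rec["TargetFilename"].rsplit("\\", 1)[-1].lower()
        if name == "maui.log":
            stats["wrote_maui_log"] = True
        elif is_staging_temp_file(rec["TargetFilename"]):
            stats["temp_files"] += 1
    suspects = {}
    for image, stats in per_image.items():
        reasons = []
        if stats["wrote_maui_log"]:
            reasons.append("wrote maui.log")
        if stats["temp_files"] >= temp_threshold:
            reasons.append(f"{stats['temp_files']} temp files staged")
        if reasons:
            suspects[image] = reasons
    return suspects
```

Run against real telemetry, the temp-file threshold needs tuning per environment, since many legitimate installers also create several temp files in a short window.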

According to security researchers at threat hunting firm Stairwell, Maui is likely operated manually, as it lacks some of the key features typically used by ransomware-as-a-service (RaaS) families. This allows the attackers to select which files to encrypt, as well as to exfiltrate the resulting runtime artifacts.

The agencies say the attacks by the North Korean state-sponsored threat actors behind Maui are likely to continue.

“The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health. Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting HPH Sector organizations,” the joint advisory reads.

The three US agencies urge organizations in the healthcare sector to mitigate the threat posed by Maui and other ransomware families out there by applying the principle of least privilege, disabling unused network protocols, securing and encrypting personal and health information, implementing multi-layer network segmentation, and continuously monitoring their environments for anomalous behavior.


They should also maintain offline, encrypted backups of all data, create and maintain a basic cyber incident response plan, keep all applications and systems updated, implement multi-factor authentication, require administrative privileges for software installation, and install and maintain an antimalware solution.

Just last week, the North Korea-linked Lazarus hacking group was suspected to be behind a $100 million crypto hack of Harmony’s Horizon Bridge, based on data and research from blockchain analytics firm Elliptic.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
