In a new joint cybersecurity advisory, US cybersecurity and intelligence agencies have warned about the use of Maui ransomware by North Korean government-backed hackers to target the healthcare sector since at least May 2021.
“North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services, including electronic health records, diagnostic services, imaging services and intranet services,” authorities said.
The alarm comes courtesy of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of the Treasury.
Cybersecurity firm Stairwell, whose findings formed the basis of the advisory, said the lesser-known ransomware family is notable for lacking some key features commonly associated with ransomware-as-a-service (RaaS) groups.
This includes the absence of “embedded ransom note to provide recovery instructions or automated means to send encryption keys to attackers,” security researcher Silas Cutler said in a technical overview of the ransomware.
Instead, analysis of Maui samples suggests that the malware was designed for manual execution by a third-party actor via a command-line interface, with the operator selecting specific files on the infected machine for encryption.
Maui encrypts each target file with AES-128 under a unique key; each of these file keys is in turn encrypted with RSA using a key pair generated the first time Maui is run. As a third layer, the RSA keys are themselves encrypted with a hard-coded RSA public key that is unique to each campaign.
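How the three key layers chain together, as an added example written for this article rather than code from Maui or Stairwell: it models each layer with Go's standard crypto and shows that recovery has to start from the campaign private key. The AES-then-RSA hybrid wrap of the run-time private key in layer 3 is an assumption, since the advisory does not say how that step is implemented.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Hypothetical model of the advisory's three key layers (written for this article, not
// Maui's code). Layer 3's AES-then-RSA hybrid wrap of the run-time private key is an
// assumption: RSA-OAEP alone cannot encrypt a whole RSA private key.
func must(err error) { if err != nil { panic(err) } }
func randBytes(n int) []byte { b := make([]byte, n); _, err := rand.Read(b); must(err); return b }
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key); must(err)
	g, err := cipher.NewGCM(block); must(err)
	return g
}
// seal/open: AES-128-GCM, 12-byte nonce prepended to the ciphertext.
func seal(key, data []byte) []byte { n := randBytes(12); return gcm(key).Seal(n, n, data, nil) }
func open(key, blob []byte) []byte {
	pt, err := gcm(key).Open(nil, blob[:12], blob[12:], nil); must(err)
	return pt
}
// Layers is what a run leaves behind; each field depends on the key one layer above it.
type Layers struct {
	FileBlob    []byte // layer 1: content under a unique AES-128 file key
	WrappedFile []byte // layer 2: file key under the run-time RSA public key
	RunPrivBlob []byte // layer 3: run-time RSA private key, AES-wrapped
	WrappedKEK  []byte // that AES key under the hard-coded campaign RSA public key
}
func Encrypt(plain []byte, campaignPub *rsa.PublicKey) Layers {
	fileKey := randBytes(16)
	runKey, err := rsa.GenerateKey(rand.Reader, 2048); must(err) // "first run" key pair
	wFile, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &runKey.PublicKey, fileKey, nil); must(err)
	kek := randBytes(16)
	wKEK, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, campaignPub, kek, nil); must(err)
	return Layers{seal(fileKey, plain), wFile, seal(kek, x509.MarshalPKCS1PrivateKey(runKey)), wKEK}
}
// Recover walks the chain top-down, so only the holder of the campaign private key can start it.
func Recover(l Layers, campaignPriv *rsa.PrivateKey) []byte {
	kek, err := rsa.DecryptOAEP(sha256.New(), nil, campaignPriv, l.WrappedKEK, nil); must(err)
	runKey, err := x509.ParsePKCS1PrivateKey(open(kek, l.RunPrivBlob)); must(err)
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, runKey, l.WrappedFile, nil); must(err)
	return open(fileKey, l.FileBlob)
}
func main() { c, err := rsa.GenerateKey(rand.Reader, 2048); must(err); fmt.Printf("%s\n", Recover(Encrypt([]byte("constructed sample"), &c.PublicKey), c)) }
```

The practical point for responders is the dependency direction: the run-time key pair and per-file keys are useless on their own, because every path to a file key passes through the campaign private key.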
Maui is also set apart from conventional ransomware offerings by the fact that it is not offered as a service to affiliates in exchange for a share of the proceeds.
In some cases, the ransomware incidents disrupted health services for extended periods of time. The initial infection vector used to carry out the intrusions is not yet known.
The campaign relies on the willingness of healthcare facilities to pay a ransom in order to recover quickly from an attack and keep critical services running. It is the latest indication of how North Korean adversaries are adapting their tactics to illegally generate a steady stream of income for the impoverished country.
According to Sophos' State of Ransomware in Healthcare 2022 report, 61% of healthcare organizations surveyed chose to pay, compared to the global average of 46%, with only 2% of those who paid the ransom in 2021 getting all their data back.
That said, the use of a manually operated ransomware family by an APT group also raises the possibility that the operation could be a diversion tactic designed to cover up other malicious motives, as was recently observed in the case of Bronze Starlight.
“State-sponsored ransomware attacks have become quintessential international forms of aggression,” iboss co-founder Peter Martini said in a statement. “Unfortunately, North Korea has specifically shown that it is very willing to haphazardly target various industries, including healthcare, to secure untraceable cryptocurrency funding its nuclear weapons program.”