
North Korea-Backed Hackers Target Hospitals with Ransomware, FBI Warns

Vlad CONSTANTINESCU

July 07, 2022


North Korean state-backed hackers are behind several ransomware attacks against hospitals and other Healthcare and Public Health (HPH) sector organizations, the US government said.

A joint announcement by the FBI, the US Department of the Treasury and the Cybersecurity and Infrastructure Security Agency (CISA) discloses that the perpetrators have used a ransomware strain dubbed Maui against US hospitals.

“Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations,” reads the security advisory. “North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services.”

Maui is a ransomware strain typically controlled manually by a remote operator. Threat actors connect to compromised machines remotely and use a command-line interface to identify files to encrypt and send commands to the malware.

The ransomware combines XOR, RSA and AES to lock files on target machines, layered as follows:

  1. Maui uses AES-128 to encrypt target files; it uses unique AES keys and custom headers for each file to facilitate the identification of previously encrypted documents
  2. The ransomware encrypts each AES key with RSA
  3. Maui uses XOR to encode the RSA public key
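The XOR layer in step 3 is an encoding, not encryption: XOR with a repeating key is its own inverse, so an analyst who knows what the wrapped data should start with can recover the key directly from the blob and unwrap the embedded RSA public key (useful for clustering samples and incidents by operator key; it does not help decrypt files, which still requires the RSA private key). The following is an added illustration, not code from the advisory or from the malware; the PEM-style public key, the 4-byte repeating XOR key and the assumption that the blob starts with a PEM header are all constructed here, since the page does not describe Maui's actual key layout.

```python
"""Constructed illustration of unwrapping an XOR-encoded public key blob
by known-plaintext recovery of a short repeating XOR key."""
import itertools

# Assumption: the wrapped key is PEM-encoded, so its first bytes are known.
PEM_PUBLIC_PREFIX = b"-----BEGIN PUBLIC KEY-----"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; applying it twice restores the input."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def recover_xor_key(encoded: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext attack on the encoding: key[i] = encoded[i] ^ plain[i]."""
    if key_len > len(known_prefix) or key_len > len(encoded):
        raise ValueError("known prefix too short for this key length")
    return bytes(encoded[i] ^ known_prefix[i] for i in range(key_len))


def candidate_key_lengths(encoded: bytes, known_prefix: bytes, max_len: int) -> list:
    """Key lengths whose recovered key reproduces the whole known prefix."""
    lengths = []
    for n in range(1, min(max_len, len(known_prefix), len(encoded)) + 1):
        key = recover_xor_key(encoded, known_prefix, n)
        if xor_bytes(encoded[: len(known_prefix)], key) == known_prefix:
            lengths.append(n)
    return lengths


def unwrap_public_key(encoded: bytes, known_prefix: bytes = PEM_PUBLIC_PREFIX,
                      max_key_len: int = 16) -> tuple:
    """Return (xor_key, decoded_blob) using the shortest consistent key length."""
    lengths = candidate_key_lengths(encoded, known_prefix, max_key_len)
    if not lengths:
        raise ValueError("no repeating XOR key up to max_key_len matches the known prefix")
    key = recover_xor_key(encoded, known_prefix, lengths[0])
    return key, xor_bytes(encoded, key)


# --- constructed sample input (not a real key, not Maui data) ---
SAMPLE_PUBLIC_KEY_PEM = (
    b"-----BEGIN PUBLIC KEY-----\n"
    b"MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKxCONSTRUCTEDxSAMPLExONLY==\n"
    b"-----END PUBLIC KEY-----\n"
)
SAMPLE_XOR_KEY = b"\x5a\xa5\x3c\xc3"
ENCODED_SAMPLE = xor_bytes(SAMPLE_PUBLIC_KEY_PEM, SAMPLE_XOR_KEY)


if __name__ == "__main__":
    key, decoded = unwrap_public_key(ENCODED_SAMPLE)
    print("recovered XOR key:", key.hex())
    print(decoded.decode())
```

The shortest consistent key length is chosen because any multiple of the true length also reproduces the prefix; a longer known prefix (or the DER SubjectPublicKeyInfo header, if the key is not PEM) lets the same routine cope with longer repeating keys.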

“The FBI assesses North Korean state-sponsored cyber actors have deployed Maui ransomware against Healthcare and Public Health Sector organizations,” the announcement says. “The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health.”

Aside from indicators of compromise (IOCs), tactics, techniques and procedures (TTPs), and technical descriptions of the ransomware operation, the advisory also outlines mitigations for HPH Sector organizations:

  • Opting for standard user accounts instead of administrative ones on internal systems
  • Disabling network management interfaces (SSH, Telnet, Winbox) on Wide Area Networks (WANs)
  • Using monitoring tools to observe potential anomalies on IoT devices
  • Enforcing strong internal policies regarding collection, access, monitoring and storage of Personally Identifiable Information (PII) and Protected Health Information (PHI)
  • Implementing multi-layer network segmentation
  • Using digital certificates and public key infrastructure to limit access to sensitive data
