Feds Warn of Maui Ransomware Attacks by North Korean State-Sponsored Hackers

The Federal Bureau of Investigation (FBI), the Department of the Treasury, and the Cybersecurity and Infrastructure Security Agency (CISA) have published a joint security advisory warning the healthcare and public health sector about the threat of Maui ransomware attacks.

Since May 2021, North Korean state-sponsored threat actors have been targeting organizations in the U.S. healthcare and public health sector, encrypting servers used for electronic medical record systems and for imaging, diagnostic, and intranet services. The encryption has disrupted services provided to patients and, in some cases, has caused disruptions lasting for extended periods.

According to the advisory, initial access is first gained to healthcare networks and the ransomware is then launched manually: the threat actors use a command-line interface to control the ransomware payload and start the encryption. Healthcare providers are an attractive target for ransomware because they depend heavily on information to deliver their services. An attack can cause major disruption and loss of revenue, and can put patient safety at risk, so healthcare organizations are considered more likely to pay a ransom and to settle quickly. For that reason, CISA, the FBI, and the Treasury assess that the healthcare and public health sector will continue to be targeted.

The FBI obtained a sample of Maui ransomware and has provided technical details based on its analysis. The methods the North Korean actors use to gain initial access to healthcare networks are not yet understood; however, the advisory shares information on how the attacks are carried out, together with indicators of compromise (IoCs) and a list of mitigations that healthcare and public health sector providers are urged to implement without delay.

The FBI, CISA, and the Treasury discourage paying ransom demands. Payment never guarantees file recovery: further demands may follow after a payment is made, and there is no assurance that files will be decrypted once the ransom is paid. The advisory also draws attention to the risk of sanctions from the U.S. Treasury's Office of Foreign Assets Control (OFAC) when a payment is made.

The advisory highlights a September 2021 Treasury alert encouraging all entities, including those in the healthcare and public health sector, to adopt and strengthen their cybersecurity practices. When the measures OFAC recommends are in place, OFAC is more likely to resolve sanctions violations related to ransomware attacks with a non-public enforcement action.

The FBI says it understands that when a healthcare organization is unable to operate, all options must be considered, including paying the ransom to protect shareholders, staff, and patients. In the event of an attack, whether or not the ransom is paid, the FBI should be notified and provided with information about the attack, such as boundary logs showing communication to and from foreign IP addresses, the decryptor file, benign samples of encrypted files, and/or bitcoin wallet details.
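The boundary-log evidence mentioned above has to be pulled out of perimeter logs before it can be handed over. The following script, an added example that is not part of the advisory or of any FBI tooling, shows one way to do that: it parses firewall export lines, keeps only records where exactly one endpoint is inside the organization's own address space, and summarizes each external peer (record count, bytes, first and last seen, which internal hosts talked to it). The key=value log format, the internal address ranges, and the sample lines are all constructed assumptions; the documentation addresses 203.0.113.45 and 198.51.100.8 stand in for external peers. Whether a peer is "foreign" still needs a geolocation or threat-intelligence lookup, which this script does not attempt.

```python
"""Summarize external peers seen in perimeter (firewall) logs for an incident report.

Constructed example. The log format is a hypothetical "timestamp host key=value ..."
export, and INTERNAL_NETS is an assumed organizational address plan (RFC 1918 plus
loopback and link-local). Neither comes from the Maui ransomware advisory.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional

# Assumed internal address space of the organization (adjust to the real address plan).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
# used here as stand-ins for external peers. One malformed line is included on purpose.
SAMPLE_LOG = """\
2022-05-03T02:14:07Z fw01 action=allow src=10.20.5.14 dst=203.0.113.45 dport=443 proto=tcp bytes=18342
2022-05-03T02:14:09Z fw01 action=allow src=10.20.5.14 dst=10.20.9.2 dport=445 proto=tcp bytes=2048
2022-05-03T02:15:31Z fw01 action=allow src=203.0.113.45 dst=10.20.5.14 dport=49152 proto=tcp bytes=512
2022-05-03T02:41:50Z fw01 action=deny src=10.20.7.3 dst=198.51.100.8 dport=22 proto=tcp bytes=0
2022-05-03T03:02:12Z fw01 action=allow src=10.20.5.14 dst=203.0.113.45 dport=443 proto=tcp bytes=91021
malformed line that should be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>(?:\w+=\S+\s*)+)$")


@dataclass
class PeerSummary:
    """Aggregated view of one external IP address across all matching records."""
    peer: str
    records: int = 0
    bytes_total: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    internal_hosts: set = field(default_factory=set)
    actions: set = field(default_factory=set)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    try:
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        fields["src"] = ipaddress.ip_address(fields["src"])
        fields["dst"] = ipaddress.ip_address(fields["dst"])
        fields["bytes"] = int(fields.get("bytes", 0))
    except (KeyError, ValueError):
        return None  # missing src/dst, bad timestamp or bad address: skip the record
    return fields


def is_internal(ip) -> bool:
    """True if the address (str or ipaddress object) falls inside INTERNAL_NETS."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in INTERNAL_NETS)


def summarize(log_text: str) -> Dict[str, PeerSummary]:
    """Aggregate every record with exactly one internal endpoint, keyed by the external peer."""
    peers: Dict[str, PeerSummary] = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        src_int, dst_int = is_internal(rec["src"]), is_internal(rec["dst"])
        if src_int == dst_int:
            continue  # internal-to-internal (or no internal endpoint): not perimeter evidence
        peer_ip, inside = (rec["dst"], rec["src"]) if src_int else (rec["src"], rec["dst"])
        s = peers.setdefault(str(peer_ip), PeerSummary(str(peer_ip)))
        s.records += 1
        s.bytes_total += rec["bytes"]
        s.internal_hosts.add(str(inside))
        s.actions.add(rec.get("action", "?"))
        s.first_seen = rec["ts"] if s.first_seen is None else min(s.first_seen, rec["ts"])
        s.last_seen = rec["ts"] if s.last_seen is None else max(s.last_seen, rec["ts"])
    return peers


def report(peers: Dict[str, PeerSummary]) -> list:
    """Render one human-readable line per external peer, busiest first."""
    lines = []
    for s in sorted(peers.values(), key=lambda p: p.bytes_total, reverse=True):
        lines.append(f"{s.peer}: {s.records} records, {s.bytes_total} bytes, "
                     f"{s.first_seen:%Y-%m-%d %H:%M:%S} .. {s.last_seen:%Y-%m-%d %H:%M:%S}, "
                     f"internal={sorted(s.internal_hosts)}, actions={sorted(s.actions)}")
    return lines


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Run against a real export, the output gives the incident responder a per-peer list with time bounds and affected internal hosts, which is the shape of information the advisory asks organizations to share; denied connections are kept as well, since a blocked attempt is still evidence of who was reaching for the network.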

An extensive list of mitigations was provided to help healthcare and public health sector organizations strengthen their defenses against these and other cyberattacks. The mitigations, IoCs, and technical analysis of Maui ransomware can be found at this link.