Healthcare and public health organizations beware: North Korea-linked threat actors are leveraging Maui ransomware against your industry


The FBI, CISA and the U.S. Treasury Department issued a joint advisory yesterday warning of North-Korean-linked threat actors leveraging Maui ransomware in attacks against healthcare and public health (HPH) organizations. 

According to CISA, Maui ransomware has been used by North Korean state-sponsored threat actors since at least May 2021 in campaigns featuring attacks on HPH entities. This information is based on FBI observations recorded during multiple incident response operations in which the law enforcement agency played an investigative role.

“North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services," reads the joint advisory. "In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods. The initial access vector(s) for these incidents is unknown.”

According to a June report from threat intelligence firm Stairwell, Maui is a human-operated strain of ransomware, built for manual execution by the attacker rather than for automated spread. Run at the command line with no arguments, Maui prints usage information listing its supported parameters and how to use them. The only required argument is a folder path; Maui walks that path and encrypts the files its operator has pointed it at.
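Because Maui is pointed at a folder and run by hand, responders typically end up scoping an incident the same way: walk the affected share and work out which files were actually encrypted. The script below is an added example of that triage step, written for this post; it is not code from Stairwell, CISA or the malware itself, and it is not Maui-specific. It assumes that encrypted output is high-entropy and carries no recognisable file signature, that files under 256 bytes are too small to judge, and that the entropy threshold and signature list are starting points to tune per environment. The sample "clinic share" it builds is constructed data, not real patient records.

```python
"""Post-incident triage: find files that look encrypted under a folder tree.

Generic ransomware-response helper added for illustration; not Maui-specific
and not taken from the Stairwell or CISA reports.  Assumptions: encrypted
output is high-entropy with no known file signature; files smaller than
MIN_BYTES are not judged; thresholds below are tuning knobs, not facts.
"""
import math
import os
import random
import tempfile
from collections import Counter

MIN_BYTES = 256          # assumption: below this there is too little data to judge
ENTROPY_THRESHOLD = 7.2  # assumption: bits/byte; text is ~4-5, random bytes ~7.9+
HEAD_BYTES = 65536       # only sample the first 64 KiB of each file

# Legitimately high-entropy formats (compressed/image/executable) that must
# not be mis-flagged.  Assumption: the operator did not preserve magic bytes.
KNOWN_MAGIC = (b"%PDF", b"\x89PNG", b"PK\x03\x04", b"\xff\xd8\xff",
               b"\x1f\x8b", b"MZ", b"\xd0\xcf\x11\xe0")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Heuristic: enough bytes to judge, no known signature, high entropy."""
    if len(data) < MIN_BYTES:
        return False
    if data.startswith(KNOWN_MAGIC):
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def triage_folder(path: str):
    """Walk `path`; return (suspect, other) sorted lists of relative paths."""
    suspect, other = [], []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                head = fh.read(HEAD_BYTES)
            rel = os.path.relpath(full, path).replace(os.sep, "/")
            (suspect if looks_encrypted(head) else other).append(rel)
    return sorted(suspect), sorted(other)


def build_sample_tree() -> str:
    """Constructed sample (not real patient data): a small clinic share after a
    simulated encryption run.  Returns the temporary directory path."""
    base = tempfile.mkdtemp(prefix="hph_triage_")
    os.makedirs(os.path.join(base, "ehr"))
    rng = random.Random(1)  # seeded so the demo is reproducible
    hl7 = (b"MSH|^~\\&|LAB|CLINIC|EHR|CLINIC|202201010800||ORU^R01|0001|P|2.5\r"
           b"PID|1||000000^^^CLINIC^MR||DOE^JANE||19700101|F\r"
           b"OBX|1|NM|GLU^Glucose||95|mg/dL|70-99|N|||F\r")
    samples = {
        "ehr/lab_results.hl7": hl7 * 40,                        # untouched plaintext
        "ehr/notes.txt": rng.randbytes(4096),                    # encrypted-looking body
        "ehr/scan.jpg": b"\xff\xd8\xff" + rng.randbytes(4096),   # high entropy but signed
        "ehr/readme.txt": b"internal share - do not copy\n",     # too small to judge
    }
    for rel, body in samples.items():
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(body)
    return base


if __name__ == "__main__":
    root = build_sample_tree()
    suspect, other = triage_folder(root)
    print("suspect:", suspect)
    print("other:  ", other)
```

Running it flags only `ehr/notes.txt`: the JPEG is just as high-entropy but keeps its signature, and the tiny readme is skipped rather than guessed at. In a real response you would run `triage_folder` against the share the operator targeted and feed the suspect list into restore-from-backup, then cross-check any names or extensions against the IOCs in the CISA advisory rather than relying on entropy alone.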

Embedded usage instructions (and the probable use of a builder component by Maui's developers) are common in ransomware projects where there is an operational separation between the malware's developers and its operators. The absence of any known public offering of Maui on underground markets suggests the malware is privately developed and operated.

The use of ransomware by state-backed cyber actors aligned with North Korea is not a new phenomenon. The hermit nation's APT groups are notoriously opportunistic, known to carry out financially motivated attacks that help prop up the country's weapons programs and its dismal economy, while simultaneously conducting cyber-espionage campaigns to steal intellectual property that North Korea can use to advance its defense, agricultural and medical technologies.

Hospitals and other healthcare organizations have historically been attractive targets for North Korean cyber actors: they must keep life-saving systems online to provide continuous care, and they must protect sensitive protected health information (PHI). In the eyes of ransomware actors, those pressures translate into a greater willingness to pay.

On that basis, the FBI, CISA and the U.S. Treasury assess that North Korean state-sponsored actors are likely to continue targeting organizations within the HPH Sector.

While Maui ransomware may be a new tool in the arsenals of North Korea’s state-sponsored hacking groups, its use supports the same goals that we’ve come to expect from this repressive regime, writes our Cyber Threat Intelligence team:

“As the federal agencies referenced in this post state, this is a methodology that has been leveraged to great effect by North Korea for years, and well, 'if it ain’t broke, don’t fix it' seems to be Pyongyang’s official cyber-motto. And if it’s not, it should be.”

Multiple IOCs are available from the sources used for this story; they can be found in CISA's joint advisory and in Stairwell's June technical report.

This LinkedIn article was originally written by Tanium's Cyber Threat Intelligence (CTI) team and repurposed for this platform by our social media manager.
