
FBI: North Korean Cyber Actors Using Maui Ransomware to Target Healthcare

CISA and the FBI warned the healthcare industry of North Korean state-sponsored cyber actors who have been using Maui ransomware to target the sector.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of the Treasury have observed North Korean state-sponsored cyber actors using Maui ransomware against the healthcare and public health (HPH) sector since at least May 2021, the agencies warned in a joint advisory.

“Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations. North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services,” the advisory stated.

“In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods. The initial access vector(s) for these incidents is unknown.”

Based on industry analysis of a Maui sample, the advisory describes a layered scheme rather than a single algorithm: each target file is encrypted with 128-bit Advanced Encryption Standard (AES) under a key unique to that file; each per-file AES key is in turn encrypted with RSA and stored in a custom header written to the encrypted file, alongside the file's original path; and the RSA public key that Maui loads from its own directory is XOR-encoded on disk. The same analysis found Maui is built for manual operation, with the remote actor driving it from a command line rather than the malware spreading or executing on its own. The consequence for responders is that the per-file keys cannot be recovered without the RSA private key, so encrypted files and captured samples alone do not yield a decryption path.
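To make that three-layer construction concrete, the Go program below, written for this page as an illustration and not Maui's code or code from the advisory, implements the same shape: a fresh AES-128-CBC key for every file, that key wrapped with an RSA public key, and the public key XOR-encoded at rest. The container layout, PKCS#7 padding, RSA-OAEP wrapping and the XOR key bytes are assumptions made here, and the patient record is constructed input. What it shows is the point that matters in response: the encryptor needs only the public key, while the round trip in main succeeds only with the matching private key and fails with any other.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Container is an assumed per-file layout for this illustration, not Maui's real
// header: just the three pieces any hybrid file-encryption scheme has to carry.
type Container struct {
	WrappedKey []byte // per-file AES key, RSA-OAEP encrypted to the operator's public key
	IV         []byte // CBC initialisation vector
	Ciphertext []byte // AES-128-CBC ciphertext of the PKCS#7-padded file
}

// XorEncode models the advisory's note that the RSA public key on disk is XOR-encoded.
// The key bytes are a constructed stand-in for the machine-derived value the advisory
// describes. XOR is obfuscation, not encryption: the same call undoes it.
func XorEncode(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ key[i%len(key)]
	}
	return out
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptFile draws a fresh AES-128 key and IV for this file and wraps the key with
// RSA-OAEP. Only the public key is involved, so encryption runs without the private
// key ever being present.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*Container, error) {
	fileKey := make([]byte, 16)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Container{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// DecryptFile is the decryptor side: unwrapping the per-file key needs the RSA private
// key, so no number of encrypted files or samples recovers the data without it.
func DecryptFile(priv *rsa.PrivateKey, c *Container) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, c.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap per-file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(c.Ciphertext))
	cipher.NewCBCDecrypter(block, c.IV).CryptBlocks(pt, c.Ciphertext)
	return pkcs7Unpad(pt)
}

func main() {
	operator, _ := rsa.GenerateKey(rand.Reader, 2048)                    // operator key pair
	record := []byte("constructed sample: patient 0001, MRI series 12") // constructed input
	c, _ := EncryptFile(&operator.PublicKey, record)
	back, _ := DecryptFile(operator, c)
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // any other key: unwrap fails
	_, err := DecryptFile(other, c)
	fmt.Printf("round trip ok: %v; wrong private key: %v\n", bytes.Equal(back, record), err)
}
```

Two practical readings follow from the structure. First, because each file carries its own wrapped key, a partial key leak (one file's AES key recovered from memory, say) decrypts that file and nothing else. Second, a decryptor binary that loads the private key from a file beside it, as the advisory describes for Maui, is the single artefact that turns every container back into plaintext, which is why such files are worth preserving and reporting.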

“The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health,” the advisory continued.

“Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting HPH Sector organizations.”

To mitigate risk, the FBI, CISA, and Treasury urged the healthcare sector to limit data access by deploying public key infrastructure and digital certificates to authenticate EHR systems, IoT medical devices, and other connections within the network.

Organizations should also secure all protected health information (PHI) at collection points and encrypt data both at rest and in transit using protocols such as Transport Layer Security (TLS). The advisory emphasized that organizations should store patient data only on internal systems protected by firewalls, and should keep reliable backups, held offline and tested regularly, so that restoration does not depend on the attacker's decryptor.
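The PKI and certificate guidance above is easiest to judge in working form. The Go program below is added here as an illustration and is not part of the advisory or this article: it builds a throwaway in-memory CA, issues one certificate to an EHR server and one to an imaging device, and runs a mutual-TLS listener that drops any peer lacking a certificate chaining to that CA before any application code runs. The names hospital-internal-ca, ehr.internal and imaging-device-01 are constructed, the CA lives in memory for the demonstration only, and loopback networking is assumed.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// PKI is a constructed in-memory CA with one server leaf and one device leaf.
type PKI struct {
	CA, Server, Client          *x509.Certificate
	CAKey, ServerKey, ClientKey *ecdsa.PrivateKey
	Pool                        *x509.CertPool
}

// issue creates a P-256 key and a certificate for name, signed by parent (self-signed
// when parent is nil). CA certs get CertSign; leaves get server and client auth EKUs.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil { signer, signerKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewPKI builds the CA and issues the two leaves; the names are constructed for this example.
func NewPKI() (*PKI, error) {
	p := &PKI{Pool: x509.NewCertPool()}
	var err error
	if p.CA, p.CAKey, err = issue("hospital-internal-ca", true, nil, nil); err != nil { return nil, err }
	if p.Server, p.ServerKey, err = issue("ehr.internal", false, p.CA, p.CAKey); err != nil { return nil, err }
	if p.Client, p.ClientKey, err = issue("imaging-device-01", false, p.CA, p.CAKey); err != nil { return nil, err }
	p.Pool.AddCert(p.CA)
	return p, nil
}

// StartServer listens on loopback with mutual TLS. RequireAndVerifyClientCert means a peer
// with no certificate, or one not chaining to the hospital CA, fails in the handshake.
func (p *PKI) StartServer() (string, error) {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{p.Server.Raw}, PrivateKey: p.ServerKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    p.Pool,
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil { return "", err }
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil { return }
			go func(tc *tls.Conn) {
				defer tc.Close()
				if tc.Handshake() != nil { return } // unauthenticated peer: nothing is served
				fmt.Fprintf(tc, "hello %s\n", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), nil
}

// ClientConfig trusts only the hospital CA, pins the expected server name, and
// presents the device certificate only when asked to.
func (p *PKI) ClientConfig(present bool) *tls.Config {
	cfg := &tls.Config{RootCAs: p.Pool, ServerName: "ehr.internal", MinVersion: tls.VersionTLS12}
	if present {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{p.Client.Raw}, PrivateKey: p.ClientKey}}
	}
	return cfg
}

// Probe connects and returns the greeting. Under TLS 1.3 the server's rejection of a
// missing client certificate surfaces as an alert on the first read, not from Dial.
func Probe(addr string, cfg *tls.Config) (string, error) {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil { return "", err }
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	line, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil { return "", err }
	return strings.TrimSpace(line), nil
}

func main() {
	p, err := NewPKI()
	if err != nil { panic(err) }
	addr, err := p.StartServer()
	if err != nil { panic(err) }
	fmt.Println(Probe(addr, p.ClientConfig(true)))
	fmt.Println(Probe(addr, p.ClientConfig(false)))
}
```

The check worth copying is the one in Probe: a client that only tests whether Dial succeeded will conclude it was accepted under TLS 1.3, because the server's rejection of the missing certificate arrives after the client's side of the handshake has finished. Reading the first application bytes is what proves the peer was actually authenticated.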

In addition, organizations should implement HIPAA-required security measures and review their policies on storing, collecting, and accessing PHI. The FBI simultaneously issued a request for any information on bitcoin wallets, IP addresses, and decryptor files associated with Maui ransomware.

“Ransomware attacks against healthcare are an interesting development, in light of the focus these actors have made on this sector since the emergence of COVID-19,” John Hultquist, vice president at Mandiant Intelligence, told HealthITSecurity.

“It is not unusual for an actor to monetize access which may have been initially garnered as part of a cyber espionage campaign. We have noted recently that North Korean actors have shifted focus away from healthcare targets to other traditional diplomatic and military organizations.”

Even so, Hultquist noted, healthcare organizations are extremely vulnerable to this type of extortion due to the risks associated with a successful cyber intrusion, such as financial and reputational losses and impacts to patient care.
