The Feds alerted the healthcare sector, including public health services, to the threat of another cyberattack from a malicious group backed by North Korea.
The law enforcement agencies such as the Computer and Information Security Administration (CISA), the Federal Bureau of Investigation, and the United States Department of the Treasury collectively released a public alert.
The alert is to notify both the healthcare and public health sectors of data breaches and maui ransomware attacks by North Korea's state-sponsored hackers targeting organizations across the United States.
The threat actors would attack the health institutions by deploying the ransomware and then demand payment from the victims in order to decrypt their networks.
Feds Alert Healthcare Sector
The Feds reported that the United States government has long been monitoring and detecting that the state-sponsored hackers operating in North Korea have been conducting attacks against healthcare providers since at least May 2021.
The advisory notes that the Maui ransomware caused disruption to healthcare services for prolonged periods in many of the incidents that were observed and responded to by the FBI.
This information about Maui, which includes its indicators of compromise and the techniques that bad actors use, was obtained by the agencies that issued the warning from a sample that was obtained by the FBI.
According to Engadget, the attackers prevented healthcare providers from accessing a variety of services, including electronic health records, diagnostics services, imaging services, and intranet services.
In certain instances, the attacks prevented the providers from accessing their systems and caused disruptions to the services that they offered for extended periods of time.
Maui Ransomware
The Maui ransomware is a binary encryption program that was first detected by the cybersecurity company Stairwell in early April 2022.
According to the findings of Stairwell, Maui is most likely deployed manually over the systems of its targets, with remote operators focusing on particular files that they wish to encrypt.
Since Maui is missing a significant number of the functionalities that are typically found in the tooling offered by ransomware-as-a-service (RaaS) providers.
According to CISA, a command-line interface is utilized by the remote actor in order to communicate with the malware and determine which files should be encrypted.
When it comes to encrypting [T1486] target files, Maui employs a three-pronged strategy that includes Advanced Encryption Standard (AES), RSA, and XOR.
CISA stated, "During encryption, Maui creates a temporary file for each file it encrypts using GetTempFileNameW(). Maui uses the temporary to stage output from encryption."
Additionally, "After encrypting files, Maui creates maui.log, which contains output from Maui's execution. Actors likely exfiltrate [TA0010] maui.log and decrypt the file using associated decryption tools."
Targeting the Health Sector
It is strongly discouraged by the FBI, CISA, and the Treasury to pay ransoms to threat actors.
The Feds recommend a mitigation process for victims to follow in the event that they suspect that they have been attacked.
The FBI believes that North Korean state-sponsored threat actors are responsible for the distribution of the Maui ransomware that targeted companies in the healthcare and public health sectors.
Since these businesses provide services that are essential to human life and health, the North Korean state-sponsored hackers are under the assumption that healthcare organizations are willing to pay ransoms.
With this assumption, the FBI, CISA, and Treasury have all determined that it is likely that North Korean state-sponsored actors will continue to target organizations in the healthcare and public health sector.