North Korean Hackers Using Ransomware to Target American Healthcare Organizations

The FBI, CISA and the U.S. Treasury Department said they had observed these hackers deploying Maui ransomware since at least May 2021.


The FBI, CISA and the U.S. Treasury Department are warning that North Korean state-sponsored hackers are targeting American healthcare and public health sector organizations with ransomware attacks.

In a joint advisory, the U.S. government agencies said they had observed these hackers deploying Maui ransomware since at least May 2021 to encrypt servers for healthcare services, including electronic health records, medical imaging and entire intranets.

“The FBI assesses North Korean state-sponsored cyber actors have deployed Maui ransomware against Healthcare and Public Health Sector organizations,” the advisory reads. “The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health. Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting [healthcare] organizations.”

According to the advisory, many of the incidents observed caused disruption to healthcare services “for prolonged periods.”

Maui was first identified by the threat-hunting startup Stairwell in early April 2022. In an analysis of the ransomware, Stairwell principal reverse engineer Silas Cutler said that Maui lacks many of the features typically seen with tooling from ransomware-as-a-service (RaaS) providers, such as an embedded ransom note or automated means of transmitting encryption keys to attackers. In that sense, Stairwell believes that Maui is likely manually deployed across victims’ networks, with remote operators targeting specific files they want to encrypt.

By now, North Korea has become infamous for using cryptocurrency-stealing operations to fund its nuclear weapons program.

“Ransomware attacks against healthcare are an interesting development, in light of the focus these actors have made on this sector since the emergence of COVID-19. It is not unusual for an actor to monetize access which may have been initially garnered as part of a cyber espionage campaign,” said John Hultquist, vice president of Mandiant Intelligence. “We have noted recently that North Korean actors have shifted focus away from healthcare targets to other traditional diplomatic and military organizations. Unfortunately, healthcare organizations are also extraordinarily vulnerable to extortion of this type because of the serious consequences of disruption,” he added.

The advisory includes indicators of compromise (IOCs) and information on tactics, techniques and procedures (TTPs) employed in these attacks to help network defenders. It also urges organizations in the healthcare industry to strengthen their defenses by limiting access to data, turning off network device management interfaces, and by using monitoring tools to observe which devices have become compromised.

“The FBI, along with our federal partners, remains vigilant in the fight against North Korea’s malicious cyber threats to our healthcare sector,” said FBI Cyber Division assistant director Bryan Vorndran. “We are committed to sharing information and mitigation tactics with our private sector partners to assist them in shoring up their defenses and protecting their systems.”

This latest warning by the U.S. government comes on the heels of recent cyberattacks targeting healthcare organizations. For instance, the University Medical Center of Southern Nevada was hit by a ransomware attack in August 2021, compromising files that contain protected health information and personally identifiable information. Another example was Eskenazi Health, which said in October that cybercriminals had access to their network for almost three months. Finally, there’s Kaiser Permanente, which last month confirmed a breach of an employee’s email account led to the theft of 70,000 patient records.

There is little you can do to protect your personal information in attacks like these, as it all comes down to the cyber defenses (or lack thereof) of healthcare organizations. You can, however, keep yourself protected by reading more about security and privacy, and by using modern tools to keep yourself safe on the Internet. Those tools would include antivirus and, yes, a VPN. You know where to find the latter, right?