Cybercriminal groups linked to North Korea have been using Maui ransomware to attack healthcare and public health organizations in the US, the authorities say.
The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the US Treasury issued a joint advisory saying they had identified the campaign after analyzing tactics, techniques and procedures (TTPs) and indicators of compromise (IoCs) that led Bureau investigators back to North Korea.
The ransomware attacks have been ongoing since at least May 2021, targeting electronic health records and diagnostic and imaging services. In some cases, services provided by victim organizations were “disrupted for prolonged periods,” the agencies added.
“The FBI, CISA, and Treasury highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks,” added CISA.
Maui ransomware (maui.exe) is designed for remote manual operation by a threat actor using “command-line interface [T1059.008] to interact with the malware and to identify files to encrypt,” it said. “Each encrypted file has a unique key, and contains a custom header with the file’s original path, allowing Maui to identify previously encrypted files.”
The authorities said the “initial access vector(s)” for the attacks remained unknown, but urged healthcare sector organizations to harden their environments against attack, and to report any breach or ransom demand immediately to the FBI or CISA.
Commenting on the cyber-campaign, Avishai Avivi of cyberattack simulation company SafeBreach said: “We certainly agree with the agencies’ recommendations to avoid paying the ransom. There is a real risk that the malicious actors will not provide the decryption key, and if they exfiltrated any of the data, there is no guarantee that they won't share it with the dark web.”
Rather than pay up, organizations should invest in advance in data backups, with checks at least monthly to confirm the backups are viable, to mitigate attacks by ransomware groups, he said.
Avivi added: “Healthcare organizations should also take all precautions to segment their networks and isolate environments to prevent the lateral spread of ransomware. These basic cyber-hygiene steps are a much better route for organizations preparing for a ransomware attack. We still see organizations fail to take the basic steps mentioned above.”
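Backup viability in the sense Avivi describes above means more than scheduling a copy job: someone has to restore a sample and compare it with what was backed up. The script below is an added example, not code from the article or from SafeBreach. It records a size-plus-SHA-256 manifest for a backup source at backup time and later verifies a test restore against that manifest, flagging files that are missing, modified (for instance overwritten in place by ransomware) or unexpected (such as a dropped ransom note). The directory layout and file contents are constructed sample data and are not taken from any real incident.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large imaging files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record relative path, size and SHA-256 for every file under root at backup time."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_restore(restore_root: Path, manifest: dict) -> dict:
    """Compare a test restore against the manifest; any missing or modified file makes it non-viable."""
    report = {"ok": [], "missing": [], "modified": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = restore_root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        actual = {"size": p.stat().st_size, "sha256": sha256_file(p)}
        (report["ok"] if actual == expected else report["modified"]).append(rel)
    # Files present in the restore but absent from the manifest are worth a look too:
    # a ransom note or an attacker-dropped tool in a "clean" restore is a red flag.
    for p in sorted(restore_root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(restore_root).as_posix()
            if rel not in manifest:
                report["unexpected"].append(rel)
    report["viable"] = not (report["missing"] or report["modified"])
    return report


def demo() -> dict:
    """Constructed sample (hypothetical paths and contents, not real patient data):
    a small export tree is backed up, then a test restore is checked in which one
    file was overwritten in place with random bytes, one file is absent, and a
    ransom note appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "backup_source"
        (src / "imaging").mkdir(parents=True)
        (src / "imaging" / "study-0001.dcm").write_bytes(b"DICM" + b"\x00" * 512)
        (src / "patients.csv").write_text("id,name\n1,Example Patient\n")
        (src / "schedule.db").write_bytes(bytes(range(256)))
        manifest = build_manifest(src)

        restore = Path(tmp) / "restore_test"
        (restore / "imaging").mkdir(parents=True)
        # Same size as the original, different content: only the hash catches this.
        (restore / "imaging" / "study-0001.dcm").write_bytes(os.urandom(516))
        (restore / "schedule.db").write_bytes(bytes(range(256)))  # intact
        (restore / "RECOVER_FILES.txt").write_text("constructed ransom note")  # not in manifest
        # patients.csv is deliberately absent from the restore.
        return verify_restore(restore, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest should be written alongside the backup and also kept on a system the backup host cannot write to, so that an attacker who reaches the backup store cannot quietly regenerate it to match tampered data; the monthly check then restores a sample to a scratch location and runs `verify_restore` against the stored manifest.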