North Korea-linked APTs use Maui Ransomware to target the Healthcare industry

US authorities have issued a joint advisory warning of North Korea-linked APTs using Maui ransomware in attacks against the Healthcare sector.

The FBI, CISA, and the U.S. Treasury Department issued a joint advisory that warn of North-Korea-linked threat actors using Maui ransomware in attacks aimed at organizations in the Healthcare sector.

“The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) are releasing this joint Cybersecurity Advisory (CSA) to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.” reads the advisory published by US authorties.

The attacks against Healthcare and Public Health (HPH) Sector organizations started in May 2021 and government experts observed multiple cases that involved the use of the Maui ransomware.

The report provides information about tactics, techniques, and procedures (TTPs) of the threat actors using the Maui ransomware along with indicators of compromise (IOCs) that were obtained by government experts during incident response activities and industry analysis of a Maui sample.

North Korean nation-state actors used Maui ransomware to encrypt servers providing healthcare services, including electronic health records services, diagnostics services, imaging services, and intranet services.

The report confirmed that In some cases, the attacks disrupted the services provided by the targeted HPH Sector organizations for prolonged periods.

The joint report refers to an industry analysis of a sample of Maui provided in Stairwell Threat Report: Maui Ransomware. According to the analysis, the malware appears to be human-operated ransomware.

This ransomware uses a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption to encrypt the files on the infected systems.

The FBI states that North Korea-linked threat actors are targeting healthcare organizations because they are critical infrastructure and the likelihood that they will pay ransoms is respected to be higher. Government experts believe that the attacks against healthcare organizations are likely to continue in the next years.

The joint report includes mitigations for ransomware attacks with a focus on the healthcare industry.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]