Fraud Management & Cybercrime , Healthcare , Industry Specific

Feds Warn Healthcare Sector of 'Maui' Ransomware Threats

CISA, FBI, Treasury Department Issue Joint Alert About North Korean-Backed Attacks
Feds Warn Healthcare Sector of 'Maui' Ransomware Threats

Federal authorities are putting the healthcare and public health sectors on alert for North Korean state-sponsored "Maui" ransomware attacks.

A federal advisory says Pyongyang is targeting multiple healthcare and public health entities with ransomware and urges affected organizations to take actions to reduce the likelihood of compromise.

See Also: OnDemand | Overcoming the Limitations of Addressing Insider Threat in Banking: Real Solutions for Real Security Challenges

Attackers use Maui ransomware to encrypt servers responsible for healthcare services - including electronic health records, diagnostics procedures, medical imaging, and medical center intranet services, the advisory says.

Maui ransomware gets its name from the name of the executable file used to maliciously encrypt victims' files. North Korea is a well-known ransomware enthusiast, using it to harvest cash spent on developing weapons of mass destruction. A 2019 United Nations panel estimated North Korean cybercrime netted the hereditary communist regime $2 billion, an amount that has only since grown.

The healthcare sector is an appealing target for ransomware attackers looking for a quick payout, the federal government warns in the advisory, authored by the FBI, Cybersecurity and Infrastructure Security Agency and the Department of the Treasury.

North Korean state-sponsored cybercriminals "likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health," the advisory says.

Industry analysis of Maui cited by the advisory shows the executable file appears to be designed for manual execution by a remote actor. The remote actor uses a command-line interface to interact with the malware and to identify files to encrypt.

Maui ransomware indicators of compromise. (Source: CISA)

Risk of Sanctions

Federal authorities highly discourage paying ransoms. Not only is payment no guarantee that affected files and records will be recovered, but paying the extortionists also may be a violation of sanctions imposed by Treasury's Office of Foreign Assets Control.

Brett Callow, a threat analyst at security firm Emsisoft, says healthcare entities need to be extremely cautious and seek advice prior to deciding to pay a ransom to the Maui operators.

Some healthcare sector entities feel extra pressure to pay extortionists in ransomware incidents in hopes that affected IT systems and data disrupting patient services can be recovered more quickly.

"As the advisory points out, there's a real risk that any payment could violate OFAC sanctions. While it always makes sense to involve law enforcement in incidents, it's especially important in these cases."

Healthcare Sector Threats

Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center tells Information Security Media Group that CISA contacted the H-ISAC in mid-June for input on the draft Maui ransomware advisory.

"Health-ISAC worked with our Threat Intelligence Committee - a working group of cyberthreat intelligence analysts from member companies - to ascertain any impact to the health sector. We were unable to identify any members impacted by the Maui ransomware," he says.

Nonetheless, it's clear from the government's advisory that law enforcement agencies have identified victims in the health sector, he says.

The information sharing group encourages members to follow the advisory's recommendations and to share any incidents or information related to the Maui ransomware to help better protect the global healthcare community, he adds.

Maui ransomware attacks are old-school, says Erick Galinkin, principal artificial intelligence researcher at security firm Rapid7. They “are closer to ‘good old fashioned ransomware’ attacks - encrypted files and a ransom demand in exchange for the key.”

In contrast to more sophisticated ransomware attacks that include hack-and-leak tactics or ransomware with multiple extortion operations, Maui “looks much more manual,” he says. Attackers manually specify the files to encrypt and pull back the encryption keys at execution time.

Maui also doesn't make it a point to boast of its successes, unlike ransomware-as-a-service groups with splashy online presences. ”The Maui ransomware hasn't gotten nearly the level of press that the double extortion and leak groups receive due in large part to the fact that they do not publicize their victims,” Galinkin says.

Victims are understandably not eager to publicize information about their having been victims, making it difficult to know how prevalent the threat is. “That said, there is good reason to believe that the ransomware group has been active for more than a year and has compromised a decent number of victims.”

Jeremy Kennelly, senior manager of cybercrime analysis at security firm Mandiant tells ISMG the company has long tracked financially motivated campaigns being carried out by North Korean cyber operators on behalf of the state, and it is not just healthcare sector entities that are at risk.

"These activities have included a range of schemes including direct bank heists, targeting cryptocurrency, and deploying ransomware, demonstrating the flexibility and persistence of these actors to raise money for the Kim regime,” he says.

Taking Action

The federal alert offers a long list of recommended mitigations to help healthcare and public health sector entities prevent falling victim to Maui, as well as other ransomware threats.

They include:

  • Limiting access to data by deploying public key infrastructure and digital certificates to authenticate connections with the network, including medical devices and EHRs;
  • Using standard, least privileged user accounts on internal systems instead of administrative accounts;
  • Turning off network device management interfaces such as Telnet, SSH, Winbox and HTTP for wide area networks and securing with strong passwords and encryption when enabled;
  • Securing personally identifiable information and protected health information at collection points and encrypting the data at rest and in transit by using technologies such as Transport Layer Security;
  • Only storing patient data on internal systems that are protected by firewalls and ensuring extensive backups are available;
  • Using monitoring tools to observe whether internet of things devices are behaving erratically due to a compromise;
  • Installing software updates, including for operating systems and firmware, as soon as they are released;
  • Securing and closely monitoring risky services, such as Remote Desktop Protocol;
  • Implementing multifactor authentication on as many services as possible, especially for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.

The Maui ransomware advisory is the latest warning from federal authorities concerning ransomware groups and other malware being used to target the healthcare sector.

In June, the Department of Health and Human Services' Health Sector Cyber Coordination Center, or HC3, issued an advisory about the "return" of Emotet malware as an infrastructure-as-a-service offering used by cybercriminal groups as a vehicle to drop ransomware, exfiltrate data and make related attacks on healthcare sector entities (see: Hackers Claim Drug Data Theft as Reports Warn Health Sector).

July 6, 2022 20:42 UTC: This story has been updated to include comments from Erick Galinkin and Jeremy Kennelly.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.