North Korean state-backed hackers are behind several ransomware attacks against hospitals and other Healthcare and Public Health (HPH) sector organizations, the US government said.
A joint announcement by the FBI, the US Department of the Treasury and the Cybersecurity and Infrastructure Security Agency (CISA) discloses that the perpetrators have used a ransomware strain dubbed Maui against US hospitals.
“Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations,” reads the security advisory. “North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services.”
Maui is a ransomware strain typically controlled manually by a remote operator. Threat actors connect to compromised machines remotely and use a command-line interface to identify files to encrypt and send commands to the malware.
The ransomware uses a blend of XOR, RSA and AES encryption types to lock compromised documents on target machines, as follows:
“The FBI assesses North Korean state-sponsored cyber actors have deployed Maui ransomware against Healthcare and Public Health Sector organizations,” the announcement says. “The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health.”
Aside from indicators of compromise (IOCs), tactics, techniques and procedures (TTPs), and technical descriptions of the ransomware operation, the advisory also outlines mitigation for HPH Sector organizations:
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.