North Korean state-sponsored hackers use Maui ransomware to target healthcare and public health sector

U.S. agencies released on Wednesday a joint cybersecurity advisory (CSA) warning that North Korean state-sponsored hackers have been using Maui ransomware to target the healthcare and public health (HPH) sector since at least May 2021.

The joint CSA, issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury), provides information on Maui ransomware, including tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), obtained from FBI incident response activities and industry analysis of a Maui sample.

“The FBI, CISA, and Treasury urge HPH Sector organizations as well as other critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to reduce the likelihood of compromise from ransomware operations,” the advisory said. Victims of Maui ransomware should report the incident to their local FBI field office or CISA. The FBI, CISA, and Treasury highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks, it added.

The FBI has observed and responded to multiple Maui ransomware incidents at HPH sector organizations since last May, the advisory said. “North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services. In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods. The initial access vector(s) for these incidents is unknown,” it added.

The Maui ransomware is an encryption binary. According to an industry analysis of a sample of Maui provided in ‘Stairwell Threat Report: Maui Ransomware,’ the ransomware appears to be designed for manual execution by a remote actor, the advisory said. The remote actor uses a command-line interface to interact with the malware and to identify files to encrypt, it added.

The advisory disclosed that Maui uses a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption to encrypt target files. Maui encrypts target files with AES 128-bit encryption. Each encrypted file has a unique AES key, and each file contains a custom header with the file’s original path, allowing Maui to identify previously encrypted files. The header also contains encrypted copies of the AES key. Maui also encrypts each AES key with RSA encryption, loading the RSA public and private keys from the same directory as itself, it added.

Maui also encodes the RSA public key (maui.key) using XOR encryption, the advisory said. The XOR key is generated from hard drive information. During encryption, Maui creates a temporary file for each file it encrypts and uses the temporary file to stage the encryption output. After encrypting files, Maui creates maui.log, which contains output from the Maui execution. Actors likely exfiltrate maui.log and decrypt the file using associated decryption tools, it added.
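The advisory names two on-disk artifacts a responder can hunt for: maui.key, which the binary loads from its own directory, and maui.log, written after encryption runs. The following is an added example (not code from the advisory or from any vendor) that walks a filesystem for those names and records any executable sitting beside them as a candidate sample to collect; the directory layout it builds is constructed for the demonstration.

```python
import os
import tempfile
from dataclasses import dataclass, field

# Artifact names taken from the advisory: Maui loads its RSA keys from its
# own directory (maui.key) and writes a run log (maui.log) after encrypting.
MAUI_ARTIFACTS = {"maui.key", "maui.log"}


@dataclass
class Finding:
    directory: str
    artifacts: list = field(default_factory=list)
    pe_neighbors: list = field(default_factory=list)  # executables beside the artifacts


def _is_pe(path: str) -> bool:
    """True if the file starts with the Windows 'MZ' executable signature."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def hunt_maui_artifacts(root: str) -> list:
    """Walk `root` and report directories containing maui.key / maui.log.

    Because the binary reads its keys from the directory it runs in, any
    executable found next to the artifacts is recorded for collection
    (nothing is executed here)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lowered = {f.lower(): f for f in files}
        hits = sorted(MAUI_ARTIFACTS & set(lowered))
        if not hits:
            continue
        finding = Finding(directory=dirpath, artifacts=hits)
        for name in files:
            if name.lower() not in MAUI_ARTIFACTS and _is_pe(os.path.join(dirpath, name)):
                finding.pe_neighbors.append(name)
        findings.append(finding)
    return findings


def build_sample_tree() -> str:
    """Constructed layout (not a real infection): a staging dir holding the
    two artifacts beside a fake 'MZ' binary, plus one clean directory."""
    root = tempfile.mkdtemp(prefix="maui_hunt_")
    staging = os.path.join(root, "staging")
    os.makedirs(staging)
    for name, data in (("maui.key", b"xor-encoded"), ("maui.log", b"log"), ("svc.exe", b"MZ\x90\x00")):
        with open(os.path.join(staging, name), "wb") as fh:
            fh.write(data)
    os.makedirs(os.path.join(root, "clean"))
    with open(os.path.join(root, "clean", "notes.txt"), "wb") as fh:
        fh.write(b"nothing here")
    return root
```

Run `hunt_maui_artifacts(build_sample_tree())` to see one finding for the staging directory; on a real host point it at the drive root and treat any hit as an incident indicator, not proof.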

The advisory called upon HPH sector organizations to limit access to data by deploying public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things (IoT) medical devices, and the electronic health record system, and to ensure data packages are not manipulated in transit by man-in-the-middle attacks.

Additionally, HPH sector organizations must use standard user accounts on internal systems instead of administrative accounts, which grant overarching administrative system privileges and do not ensure least privilege, and must turn off network device management interfaces such as Telnet, SSH, Winbox, and HTTP on wide area networks (WANs), securing them with strong passwords and encryption when they are enabled.

HPH sector organizations must secure personally identifiable information (PII)/patient health information (PHI) at collection points and encrypt the data at rest and in transit using technologies such as Transport Layer Security (TLS). They should store personal patient data only on internal systems protected by firewalls, and ensure extensive backups are available if data is ever compromised.

The advisory also asked HPH sector organizations to protect stored data by masking the permanent account number (PAN) when it is displayed and rendering it unreadable when it is stored, through cryptography, for example. It also said to secure the collection, storage, and processing practices for PII and PHI per regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), noting that implementing HIPAA security measures can prevent the introduction of malware on the system.

Additionally, the sector must implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer. They must also use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise, and create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI. 

The American Hospital Association (AHA) also relayed the cyber threat warning to the nation’s hospitals and health systems. 

“Health care, public health sector among known targets of aggressive, state-sponsored cyber actors; immediate action urged of hospitals and health systems,” John Riggi, AHA’s National Advisor for Cybersecurity and Risk, wrote in a LinkedIn post. “North Korean cyber threats against U.S. health care are well-documented. The U.S. government in 2017 officially attributed to the North Korean government the global ‘WannaCry’ ransomware attack, which hit multiple hospitals in the U.S., as well as the U.K.’s National Health System. North Korean state-sponsored cyber actors likely work under the belief that health care organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health,” he added.

Because of this assumption, the FBI, CISA, and Treasury Department assess North Korean state-sponsored actors are likely to continue targeting healthcare and public health sector organizations, Riggi said. “Ransomware attacks disrupt and delay health care delivery, including that provided during emergency situations; based on this, the AHA and the FBI view such attacks as immediate threat-to-life crimes,” he added.

Last week, U.S. agencies issued a joint cybersecurity advisory providing information on the MedusaLocker ransomware, including recent activity observed in May. The hackers predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks, encrypt the victim’s data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address.