Healthcare organisations face a new campaign in which North Korean state-backed threat groups use the Maui ransomware to encrypt servers. According to the joint advisory from the FBI, CISA, and the US Treasury Department, the campaign was first detected in May 2021 and has mostly affected the Healthcare and Public Health (HPH) sector in the US.
The federal agencies explained that the state-backed actors use the Maui ransomware to encrypt servers that healthcare providers depend on, such as those hosting electronic health records, diagnostics, imaging, and intranet services. They added that it is still unclear which initial access vectors were used in the attacks.
A separate report by a security researcher stated that the ransomware variant is manually deployed by its operators across compromised networks and encrypts specifically targeted files. The variant also has the unusual feature of leaving no ransom note on the compromised systems, meaning that victims receive no recovery instructions.
While investigating the Maui ransomware attacks last year, the federal agencies identified several indicators of compromise (IOCs) associated with the variant.
Since the HPH sector is the most affected, the federal agencies have urged its organisations to implement stronger security measures and mitigation plans to prepare for, prevent, and respond to potential attacks. They also advised institutions’ security teams to train staff in cybersecurity basics, including recognising and reporting phishing attempts, enabling MFA, and keeping antivirus software up to date.
The joint advisory also states that these North Korean state-backed groups are likely targeting healthcare institutions because they assume such organisations are willing to pay ransom demands, given how critical their services are to human life and health.
That assumption led the agencies to assess that the North Korean threat actors will keep launching attacks and will continue to target the healthcare sector.
Nevertheless, they stressed in the advisory that victims are strongly discouraged from paying the ransom demands of threat groups. Instead, victims are advised to seek the help of security agencies to investigate the attacks and determine how to contain them without risking anyone’s safety or data security.