In a brand new joint cybersecurity advisory, U.S. cybersecurity and intelligence companies have warned about using Maui ransomware by North Korean government-backed hackers to focus on the healthcare sector since at the least Might 2021.
“North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers liable for healthcare providers—together with digital well being data providers, diagnostics providers, imaging providers, and intranet providers,” the authorities famous.
The alert comes courtesy of the U.S. Cybersecurity and Infrastructure Safety Company (CISA), the Federal Bureau of Investigation (FBI), and the Division of the Treasury.
Cybersecurity agency Stairwell, whose findings shaped the premise of the advisory, mentioned the lesser-known ransomware household stands out due to an absence of a number of key options generally related to ransomware-as-a-service (RaaS) teams.
This contains the absence of “embedded ransom be aware to supply restoration directions or automated technique of transmitting encryption keys to attackers,” safety researcher Silas Cutler mentioned in a technical overview of the ransomware.
As a substitute, evaluation of Maui samples means that the malware is designed for handbook execution by a distant actor through a command-line interface, utilizing it to focus on particular recordsdata on the contaminated machine for encryption.
In addition to encrypting goal recordsdata with AES 128-bit encryption with a novel key, every of those keys is, in flip, encrypted with RSA utilizing a key pair generated the primary time when Maui is executed. As a 3rd layer of safety, the RSA keys are encrypted utilizing a hard-coded RSA public key that is distinctive to every marketing campaign.
What units Maui other than different conventional ransomware choices can also be the truth that it is not provided as a service to different associates to be used in return for a share of financial income.
In some cases, the ransomware incidents are mentioned to have disrupted well being providers for prolonged intervals of time. The preliminary an infection vector used to conduct the intrusions is unknown as but.
It is value noting that the marketing campaign is based on the willingness of healthcare entities to pay ransoms to shortly get well from an assault and guarantee uninterrupted entry to crucial providers. It is the newest indication of how North Korean adversaries are adapting their techniques to illegally generate a fixed stream of income for the cash-strapped nation.
In accordance with the Sophos’ State of Ransomware in Healthcare 2022 report, 61% of healthcare organizations surveyed opted to settle in contrast with the worldwide common of 46%, with solely 2% of people who paid the ransom in 2021 getting their full information again.
That mentioned, using a operated by hand ransomware household by an APT group additionally raises the likelihood that the operation could possibly be a diversionary tactic designed to behave as a canopy for different malicious motives, as not too long ago noticed within the case of Bronze Starlight.
“Nation state-sponsored ransomware assaults have change into typical worldwide acts of aggression,” Peter Martini, co-founder of iboss, mentioned in an announcement. “Sadly, North Korea particularly has proven it is vitally keen to indiscriminately goal numerous industries, together with healthcare, to safe untraceable cryptocurrency that’s funding its nuclear weapons program.”