The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and Department of the Treasury (DoT) released an advisory on July 6 that attributes ransomware attacks launched against healthcare and public health (HPH) organizations to North Korean state-sponsored organizations.
The North Korean state-sponsored attacks, carried out with the “Maui” ransomware, allow a remote operator to locate important files, encrypt them, and then demand a ransom payment in exchange for decrypting the files.
“The FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations,” the advisory states. “North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services.”
The three government agencies reiterated that victims of the attacks should not meet the ransom demands, saying that paying ransom won’t guarantee that files or records will be properly decrypted. Ransom payments may also pose risks of sanctions, they said.
The new advisory says that Maui-based attacks have been seen since at least May 2021.
The three agencies offered a variety of mitigation recommendations to healthcare organizations, including:
- Limit access to data by deploying public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things (IoT) medical devices, and the electronic health record system, as well as to ensure data packages are not manipulated while in transit from man-in-the-middle attacks;
- Use standard user accounts on internal systems instead of administrative accounts, which grant overarching administrative system privileges and do not ensure least privilege;
- Turn off network device management interfaces such as Telnet, SSH, Winbox, and HTTP for wide area networks (WANs) and secure with strong passwords and encryption when enabled; and
- Secure personally identifiable information (PII)/patient health information (PHI) at collection points and encrypt the data at rest and in transit by using technologies such as Transport Layer Security (TLS). Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available if data is ever compromised.
“Nation state-sponsored ransomware attacks have become typical international acts of aggression, particularly among North Korean, Chinese and Russian hacking groups,” said Paul Martini, co-founder of iboss. “Unfortunately, North Korea specifically has shown it is very willing to indiscriminately target various industries, including healthcare, to secure untraceable cryptocurrency that is funding its nuclear weapons program. This regime is actively working to take advantage of hospitals that have poor cybersecurity in place to build its nuclear arsenal. Public and private organizations need to step up and prevent breaches that lead to the types of payouts that are putting the world in danger.”