North Korean Maui ransomware actively targeting U.S. healthcare organisations

According to the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury, North Korean state-sponsored ransomware operators have been running a campaign actively targeting U.S. healthcare organizations since at least May 2021.

The ransomware stood out because it lacks several features widely associated with ransomware-as-a-service (RaaS) groups. Furthermore, the authorities have pointed out that North Korea used Maui ransomware to encrypt servers responsible for imaging, intranet, electronic health records, and diagnostics services. In some cases, the Maui ransomware has disrupted the services provided by U.S. healthcare organizations for prolonged periods.

It is believed that state-sponsored cybercriminals are likely to continue targeting U.S. health organizations. In fact, cybercriminals assume that U.S. organizations may be willing to pay high ransoms due to the critical services they provide to health and human life. Hackers behind Maui ransomware made at least $731 million last year, according to the cybersecurity company Chainalysis.

To minimize and mitigate the potential damage, HPH Sector organizations are urged to adopt practices such as:

Limit access to data using digital certificates;
Minimize the use of administrative accounts;
Turn off network device management interfaces.

Overview of the Maui Ransomware

Analysis of Maui samples has suggested that the malware was designed for manual execution via a command-line interface. It encrypts target-specific files with AES 128-bit encryption, using a unique key for each file; each of these file keys is in turn encrypted with RSA, using a key pair generated the first time Maui is executed. Finally, those RSA keys are themselves encrypted with a hard-coded RSA public key that is unique to each campaign.

Interestingly, what makes Maui stand out from the crowd is that it is not provided as a service to affiliates in return for a share of the financial profits. Instead, the campaign depends on the willingness of U.S. healthcare entities to pay serious money so they can recover immediately from a cyber attack and ensure uninterrupted access to critical services.

Sophos’ State of Ransomware in Healthcare 2022 report found that about 61% of U.S. healthcare entities surveyed chose to settle, compared with the 46% global average. However, only 2% of those who paid the ransom last year received all of their data back. It’s worth noting how North Korean adversaries have adopted new illegal tactics to generate a constant revenue stream for the cash-strapped country.

Unfortunately, such nation-state-sponsored ransomware attacks are likely to become typical international acts of aggression, with North Korea showing high interest in targeting various industries, such as healthcare, to fund its nuclear weapons program.

A report by Zscaler shows that attacks on the healthcare sector have increased significantly. Double extortion ransomware attacks rose by a staggering 650% over 2021. With approximately 90% of web applications critically exposed and highly susceptible to vulnerabilities, U.S. healthcare organizations present a larger attack surface than E.U. organizations.

How to Practice Cybersecurity?

Truth be told, any company can fall victim to a cyber attack. Most reports of cyber crimes come from educational and healthcare institutions, banks, government organizations, law firms, or nonprofits.

Cybersecurity isn’t just about one firewall issue on a single computer; it is about gaining a wider view of what is happening across the IT environment. Practicing cybersecurity starts with security teams reconsidering how they handle threats: rather than isolating a single intrusion, they spend time looking for the full extent of the attack. In other words, companies zoom out for a bigger perspective, so that adversaries are detected and stopped once they make their way into the organization.

Cyber Security Best Practices

While it may be challenging to stay protected from cyberattacks, it’s not impossible. Here’s what you should do:

Ensure your software is up-to-date to protect yourself from new or potential security vulnerabilities;
Use a VPN for any operating system to ensure a more secure and privatized network. A virtual private network will encrypt your connection and protect your data and confidential information, even from your ISP;
Disable your Bluetooth when you do not need it, as devices can be hacked via Bluetooth;
Enable 2-factor authentication;
Double-check that a website uses HTTPS;
Back up important files;
Avoid using public networks;
Invest as much as possible in security upgrades;
Install an SSL certificate on your website and enable HTTPS;
Do not store important information in non-secure places;
Change your passwords regularly, or put more effort into creating strong ones;
Use antivirus;
Do not open suspicious emails;
Stay informed about cyber threats;
Extend your cybersecurity practice to your entire company;
Update your applications and plugins regularly.

Bottom Line

Cybersecurity is an ever-changing and developing field that requires keeping up to speed and learning new skills. As attacks have increased significantly, implementing modern cyber security is a crucial step for all organizations and companies looking to protect themselves from cyber threats. Keep cybersecurity top of mind at all times, so you can protect yourself, your business, your employees, and your website from the constant threat of cybercriminals.