North Korea’s state-sponsored ransomware operators have launched a campaign targeting healthcare organizations in the United States. This is according to an advisory issued by the Federal Bureau of Investigations (FBI) and the Infrastructure Security Agency (CISA).
The Maui ransomware has been used by threat actors in North Korea since May 2021. They use ransomware to target healthcare organizations in the United States and other countries worldwide. Federal agencies are warning organizations to be on the lookout for any signs of compromise and take preventive action against such attacks.
If an organization realizes that it has been attacked by ransomware, the security agencies advise against paying any requested money. They said that paying a ransom isn’t a guarantee that the affected files will be recovered.
According to a report issued by Stairwell, a cybersecurity firm, Maui has existed since April 2021. It says that the ransomware has distinct features that make it different from other regular ransomware mainly used. Silas Cutler the principal reverse engineer at Stairwell asserts that Maui stands out due to the absence of several characteristics commonly seen in Ransomware-as-a-service (RaaS) provider tooling.
These include the absence of a ransom note to offer recovery instructions or an automatic method of transmitting encryption keys to attackers. Security professionals say that this makes it even more difficult to discover that one has been attacked by ransomware. “Cyber criminals usually want to be paid as quickly as possible. They want to ensure the victim is desperate enough to pay the ransom without delay. This is what Maui ransomware aims at”, observed McQuiggan James, a security awareness advocate.
Another prominent feature that sets Maui apart from other ransomware is that it is designed to be executed manually by the attacker. “This gives them an opportunity to decide which files to encrypt when executing an attack,” wrote Cutler. Manual execution is a growing trend among advanced malware operators. This is because the technique allows cybercriminals to only attack targeted and the most important assets on a network.
John Bambenek, a principal threat hunter at Netenrich, says that Maui is one of the most dangerous ransomware that has ever existed. “For ransomware to be effective, threat actors have to manually pinpoint the important assets as well as weak points to cripple a victim. Automated tools can’t pick out all the unique aspects of a company to enable a proper ransomware execution”, said Bambenek.
The healthcare sector has been on the receiving end since the discovery of Maui ransomware. The attacks started during the COVID-19 pandemic and have continued since then. Experts believe that there are a number of reasons why the healthcare industry has been a target for threat actors. One reason is that health is a financially lucrative sector that still uses outdated IT systems. The lack of sophisticated security systems makes it easy for attackers to penetrate and demand ransom.
Citing a report from Stairwell, security agencies offered detailed information on how an attack by Maui ransomware gets installed as an encryption binary known as “maui.xe” and encrypts targeted files in an organization. Through a command-line interface, a threat actor is able to interact with the ransomware to pick out the files to encrypt with the help of Advanced Encryption Standard (AES), XOR, and RSA encryption. During the encryption process, the ransomware creates a temporary folder for every file it encrypts using GetTempFileNameW. According to researchers, it then uses this file to generate output from encryption.