CISA Warns Health Sector Of North Korean Maui Ransomware

A joint Cybersecurity Advisory has been issued by the United States Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation (FBI) and the Department of the Treasury, to warn the health sector about the threat of Maui ransomware, a ransomware variant used by North Korean state-sponsored cyber actors.

Since 2021, the FBI has identified and responded to several incidents in the health sector involving Maui ransomware. The ransomware is used to encrypt the servers that healthcare providers depend on, such as EHR services, diagnostics services, imaging services, and intranet services, and it can disrupt a healthcare organization's operations for a significant period of time. The FBI assesses that the attackers target healthcare organizations because they believe such organizations are more likely to pay ransoms, since they provide services that are crucial to human life.

Maui is an encryption binary designed to be operated remotely, and it uses a combination of encryption schemes:

  1. Maui encrypts target files with AES 128-bit encryption. Each encrypted file has a unique AES key, and each file contains a custom header with the file's original path, allowing Maui to identify previously encrypted files. The header also contains encrypted copies of the AES key.
  2. Maui encrypts each AES key with RSA encryption and loads the RSA public and private keys from the same directory as itself.
  3. Maui encodes the RSA public key using XOR encryption. The XOR key is generated from hard drive information.

The security advisory lists several mitigations healthcare organizations can implement to reduce the risk of Maui ransomware attacks. These include:

  1. Limiting access to data by implementing a public key infrastructure (PKI) and digital certificates to authenticate connections with the network, medical and IoT devices, and the EHR system.
  2. Using monitoring tools to observe suspicious activity on IoT devices.
  3. Using standard user accounts, rather than administrative accounts, on internal systems.
  4. Switching off network device management interfaces.
  5. Implementing strong credentials and encryption.
  6. Regularly reviewing internal policies that govern PHI.
  7. Implementing HIPAA security measures to prevent malware attacks.

In the event that a healthcare organization falls victim to a ransomware attack, CISA recommends that the organization follow CISA's Ransomware Response Checklist, review its backups, follow the HIPAA breach notification requirements, and report the incident to the FBI, CISA, or the United States Secret Service.