North Korean-Sponsored Ransomware Attacks Targeting Healthcare Organizations

A warning has been issued by a group of leading cybersecurity organizations in the United States and the Republic of Korea about a growing threat of ransomware attacks targeting healthcare organizations. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Republic of Korea’s Defense Security Agency and National Intelligence Service have come together to alert the public to these dangerous state-sponsored attacks carried out by North Korean (DPRK) actors. The attacks are aimed at obtaining ransom payments to support the nation’s priorities and objectives, with the U.S. healthcare sector identified as one of the main targets.

The cybercriminals associated with North Korea are using a variety of techniques to carry out ransomware attacks against healthcare organizations, according to a joint cybersecurity advisory. The attackers rely on established methods, such as exploiting common vulnerabilities and exposures (CVEs), using virtual private networks (VPNs) and virtual private servers (VPSs), and employing various ransomware tools. In addition, the attackers obscure their identity by operating under third-party foreign affiliate identities and using third-party foreign intermediaries to receive ransom payments. They demand ransoms in cryptocurrency, with bitcoin being the preferred method, and may threaten to expose a company’s proprietary data if the ransom is not paid.

The authoring agencies urge organizations, including HPH Sector organizations, to take a multi-pronged approach to mitigate the risk of ransomware incidents. They recommend limiting access to data by authenticating and encrypting connections with public key infrastructure certificates in virtual private networks (VPNs) and transport layer security (TLS) connections, as well as implementing the principle of least privilege by using standard user accounts on internal systems rather than administrative accounts. To further protect data, they recommend turning off weak or unnecessary management interfaces, masking the permanent account number (PAN) when displayed, and storing PII/PHI securely by using technologies such as encryption. Additionally, they recommend implementing and enforcing multi-layer network segmentation and using monitoring tools to watch for suspicious behaviour from IoT devices. Organizations should also maintain isolated backups of their data, regularly test backups and restoration, and create and exercise a basic cyber incident response plan. Updating operating systems, software and firmware as soon as updates are released, and ensuring that Remote Desktop Protocol (RDP) is secured and closely monitored when used, will also help to mitigate risk. Furthermore, users should be trained on how to respond to phishing emails and to use strong passwords, and MFA should be required for as many services as possible. Finally, organizations should consider adding email banners to messages coming from outside the organization and joining CISA’s AIS program to receive real-time exchange of cyber threat indicators and defensive measures.
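Several of the mitigations above (RDP exposure and MFA, least privilege, weak management interfaces, patch currency, isolated backups, segmentation, and PAN masking) can be turned into a simple, repeatable self-check. The following Python script is an added example written for this page; it is not code from the advisory or from any of the authoring agencies. The host records, the 30-day patch window, the list of interfaces treated as weak, and the segment/role naming are all constructed assumptions for the demonstration.

```python
"""Audit constructed host records against the advisory's listed mitigations.

Added example: the Host fields, the patch window, the weak-interface list and
the sample data below are assumptions made for this demonstration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple
import re

PATCH_WINDOW_DAYS = 30  # assumption: updates older than 30 days count as overdue

# Assumption: management services considered weak or unnecessary on a clinical host.
WEAK_MGMT_INTERFACES = {"telnet", "http-admin", "snmpv1", "snmpv2c"}


@dataclass(frozen=True)
class Host:
    name: str
    role: str                          # e.g. "clinical" or "corporate" (assumed labels)
    segment: str                       # network segment the host sits in
    rdp_reachable_from_internet: bool
    rdp_mfa_required: bool
    daily_use_accounts_are_admin: bool
    management_interfaces: Tuple[str, ...]
    last_patched: date
    backups_isolated: bool


def mask_pan(pan: str) -> str:
    """Return the PAN with every digit but the last four replaced by '*'.

    Non-digit separators are dropped so '4111 1111 1111 1111' and
    '4111-1111-1111-1111' mask identically.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("input does not have a plausible card-number length")
    return "*" * (len(digits) - 4) + digits[-4:]


def audit_host(host: Host, today: date) -> List[str]:
    """Return one finding string per mitigation the host does not meet."""
    findings: List[str] = []
    if host.rdp_reachable_from_internet:
        findings.append("RDP reachable from the internet; restrict to VPN and monitor use")
        if not host.rdp_mfa_required:
            findings.append("RDP accepts logons without MFA")
    if host.daily_use_accounts_are_admin:
        findings.append("daily-use accounts hold administrative rights (least privilege)")
    weak = sorted({i.lower() for i in host.management_interfaces} & WEAK_MGMT_INTERFACES)
    if weak:
        findings.append("weak management interface(s) enabled: " + ", ".join(weak))
    age = (today - host.last_patched).days
    if age > PATCH_WINDOW_DAYS:
        findings.append(f"patching overdue: {age} days since last update")
    if not host.backups_isolated:
        findings.append("backups are not isolated from the production network")
    return findings


def audit_fleet(hosts: List[Host], today: date) -> Dict[str, List[str]]:
    return {h.name: audit_host(h, today) for h in hosts}


def segments_mixing_roles(hosts: List[Host]) -> List[str]:
    """Segments that contain hosts of more than one role (segmentation gap)."""
    roles_by_segment: Dict[str, set] = {}
    for h in hosts:
        roles_by_segment.setdefault(h.segment, set()).add(h.role)
    return sorted(seg for seg, roles in roles_by_segment.items() if len(roles) > 1)


# Constructed sample inventory; these hosts and dates are not real.
TODAY = date(2023, 3, 1)
SAMPLE_HOSTS = [
    Host("ehr-app-01", "clinical", "clinical-net", True, False, True,
         ("telnet", "ssh"), date(2022, 12, 1), False),
    Host("hr-ws-07", "corporate", "clinical-net", False, True, False,
         ("ssh",), date(2023, 2, 20), True),
    Host("imaging-03", "clinical", "imaging-net", False, True, False,
         ("snmpv2c",), date(2023, 2, 1), True),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_HOSTS, TODAY).items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
    print("segments mixing roles:", segments_mixing_roles(SAMPLE_HOSTS))
    print("display form of a constructed PAN:", mask_pan("4111 1111 1111 1111"))
```

Running it on the constructed inventory reports six findings for the internet-exposed host, none for the well-configured workstation, and one for the imaging host's SNMPv2c interface, plus the shared segment in which clinical and corporate hosts sit side by side. Feeding the same functions records pulled from a real asset inventory is the intended use.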

In the event of a ransomware incident, organizations have been advised to follow their own ransomware response checklist, scan backups with an antivirus program, and report the incident to appropriate authorities – such as the FBI, CISA, or the U.S. Secret Service in the United States, or NIS, KISA, and KNPA in South Korea – and apply incident response best practices outlined in the joint Cybersecurity Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.