The Cybersecurity and Infrastructure Security Agency (CISA) has released a new advisory suggesting North Korean state-sponsored cyber actors are using the Maui ransomware to target Healthcare and Public Health (HPH) Sector organisations in the US.
The document, written jointly by CISA, the Federal Bureau of Investigation (FBI) and the Department of the Treasury, suggests that the actors have been engaging in these campaigns since May 2021.
The advisory reads, “North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services – including electronic health records services, diagnostics services, imaging services and intranet services.”
“In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods.”
CISA said that the ransomware appears to be designed for manual execution by a remote actor. It uses a combination of Advanced Encryption Standard (AES), RSA and XOR encryption to encrypt target files.
David Mahdi, Chief Strategy Officer at Sectigo said, “when we look at what ransomware does, it leverages a user’s (or entity when dealing with non-humans or machines) access within an organization to encrypt and steal sensitive files.”
“The authentication given to a user defines the level of damage the hacker will do. Therefore, a zero-trust, identity-first approach is critical. To prevent ransomware, you can’t just lock down data, you need a clear method of verifying all identities within an organization, whether human or machine and what parts of it they are allowed to access.”
CISA wrote that while the initial access vectors for Maui-related incidents are currently unknown, HPH organisations can take various steps to mitigate damage. These include installing updates for operating systems, software and firmware as soon as they are released and securing and monitoring remote desktop protocol (RDP), among other things.
CISA also recommends the use of multi-factor authentication (MFA) for as many services as possible, auditing user accounts with administrative or elevated privileges and installing and updating antivirus software on all hosts.
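Two of the recommendations above, monitoring RDP and auditing accounts with elevated privileges, can be combined into one routine review of Windows Security log events. The script below is an added example, not code from the advisory or from CISA: it flags RemoteInteractive (RDP, logon type 10) logons by accounts in a privileged set or from addresses outside the internal network, and counts failed RDP logons per source so that repeated failures from one address stand out. The sample events, the privileged-account set and the internal address ranges are constructed for the example; the event IDs 4624/4625 and logon type 10 are the standard Windows values.

```python
"""Review RDP activity in flattened Windows Security log events.

Added example (not from the CISA advisory or the article): flags
RemoteInteractive (RDP) logons by privileged accounts and from sources
outside the internal network, and counts failed RDP logons per source.
The log lines, the privileged-account set and the internal address
ranges below are constructed for the example.
"""
import ipaddress
from collections import Counter

# Constructed: accounts that hold administrative or elevated privileges.
PRIVILEGED_ACCOUNTS = {"svc_backup", "domadmin", "ehr_dba"}

# Constructed: address ranges considered internal; anything else is external.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Standard Windows Security event IDs and logon type (not constructed).
LOGON_SUCCESS = "4624"
LOGON_FAILURE = "4625"
REMOTE_INTERACTIVE = "10"  # LogonType 10 = RDP / Terminal Services

# Constructed sample events in a flattened key=value form.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=10 TargetUserName=nurse01 IpAddress=10.20.1.15
EventID=4624 LogonType=10 TargetUserName=domadmin IpAddress=10.20.1.40
EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=203.0.113.77
EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.9
EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.9
EventID=4625 LogonType=10 TargetUserName=radiology IpAddress=198.51.100.9
EventID=4624 LogonType=2 TargetUserName=domadmin IpAddress=127.0.0.1
"""


def parse_event(line):
    """Turn one 'key=value key=value' line into a dict; malformed tokens are skipped."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def is_internal(ip_text):
    """True when the address parses and falls inside one of the internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def review_rdp(events_text, failure_threshold=3):
    """Return a list of human-readable findings for the RDP events in events_text."""
    findings = []
    failures_by_source = Counter()
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev.get("LogonType") != REMOTE_INTERACTIVE:
            continue  # only RDP sessions are of interest here
        user = ev.get("TargetUserName", "?")
        src = ev.get("IpAddress", "?")
        if ev.get("EventID") == LOGON_SUCCESS:
            if user in PRIVILEGED_ACCOUNTS:
                findings.append(f"privileged account {user} used RDP from {src}")
            if not is_internal(src):
                findings.append(f"RDP logon for {user} from external address {src}")
        elif ev.get("EventID") == LOGON_FAILURE:
            failures_by_source[src] += 1
    # Repeated failures from one source are reported once, after all lines are read.
    for src, count in failures_by_source.items():
        if count >= failure_threshold:
            findings.append(f"{count} failed RDP logons from {src}")
    return findings


if __name__ == "__main__":
    for finding in review_rdp(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample the review reports the two privileged accounts that used RDP, the session that arrived from an external address, and the three failed logons from a single source; the local console logon by `domadmin` (logon type 2) is ignored because it is not an RDP session. In practice the events would come from an exported event log or a SIEM query rather than an inline string, and the privileged set would be taken from the directory group membership that the audit recommendation refers to.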
“How can one stop the ransomware attacks in their tracks?” Mahdi asked.
“The answer is combining identity-first principles with least-privilege data access security, all while leveraging a variety of cybersecurity best practices and technologies […] Focusing on identity and access privileges drastically mitigates the damage that ransomware attacks can have on the healthcare industry in the long run.”