North Korean state actors deploy surgical ransomware in ongoing cyberattacks on U.S. healthcare orgs
The FBI, US Cybersecurity and Infrastructure Security Agency (CISA), and the Treasury Department on Wednesday warned about North Korean state-sponsored threat actors targeting organizations in the US healthcare and public-health sectors. The attacks are being carried out with a somewhat unusual, manually operated new ransomware tool called “Maui.”
Since May 2021, there have been multiple incidents where threat actors operating the malware have encrypted servers responsible for critical healthcare services, including diagnostic services, electronic health records servers, and imaging servers at organizations in the targeted sectors. In some instances, the Maui attacks disrupted services at the victim organizations for a prolonged period, the three agencies said in an advisory.
“The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health,” according to the advisory. “Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting [healthcare and public health] Sector organizations.”
Designed for Manual Operation
In a technical analysis on July 6, security firm Stairwell described Maui as ransomware that is notable for lacking features that are commonly present in other ransomware tools. Maui, for instance, does not have the usual embedded ransomware note with information for victims on how to recover their data. It also does not appear to have any built-in functionality for transmitting encryption keys to the hackers in automated fashion.
The malware instead appears designed for manual execution, where a remote attacker interacts with Maui via the command line interface and instructs it to encrypt selected files on the infected machine and exfiltrate the keys back to the attacker.
Stairwell said its researchers observed Maui encrypting files using a combination of AES, RSA, and XOR. Each selected file is first encrypted using AES with a unique 16-byte (128-bit) key. Maui then encrypts each resulting AES key with RSA, and XOR-encodes the RSA public key. The RSA private key is in turn encrypted using a public key embedded in the malware itself.
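The key hierarchy described above, reduced to running code as an added example for this page (it is not Stairwell's analysis code and nothing here is recovered from Maui): a unique 16-byte AES key per file, that key wrapped with RSA, and the RSA public key XOR-encoded before it is written to disk. Only Go's standard library is used. The cipher mode (CTR), the RSA-OAEP padding, the blob layout, the one-byte XOR constant and the sample record are all this example's assumptions, since the advisory names only AES, RSA and XOR; the further layer in which the RSA private key is encrypted under a key embedded in the malware is left out. What the code shows is the practical consequence of such a design: no file can be recovered without the RSA private key, while the XOR on the public key gives way to a one-byte known-plaintext guess.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// xorEncode applies a repeating one-byte XOR key. The same call decodes, and
// anyone holding the sample can recover the key: it obfuscates, it does not protect.
func xorEncode(data []byte, key byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key
	}
	return out
}

// recoverXorKey uses a known first plaintext byte: a DER-encoded PKIX public
// key always starts with 0x30 (ASN.1 SEQUENCE), so a single XOR yields the key.
func recoverXorKey(encodedDER []byte) byte { return encodedDER[0] ^ 0x30 }

// encryptFile: a fresh random 16-byte AES key per file, AES-128 on the content
// (CTR mode is this example's assumption; the advisory names only AES), and that key
// wrapped with RSA-OAEP (always pub.Size() bytes). Assumed layout, not Maui's header:
// [wrapped key][16-byte IV][ciphertext].
func encryptFile(plain []byte, pub *rsa.PublicKey) ([]byte, error) {
	rnd := make([]byte, 16+aes.BlockSize) // per-file AES key followed by the IV
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	key, iv := rnd[:16], rnd[16:]
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plain))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plain)
	return append(append(wrapped, iv...), ct...), nil
}

// decryptFile is the recovery path: only the RSA private key unwraps the per-file
// AES key, so recovery of every file hinges on obtaining that single key.
func decryptFile(blob []byte, priv *rsa.PrivateKey) ([]byte, error) {
	n := priv.Size()
	if len(blob) < n+aes.BlockSize {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[:n], nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := blob[n:n+aes.BlockSize], blob[n+aes.BlockSize:]
	plain := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(plain, ct)
	return plain, nil
}

// roundTrip runs the hierarchy on constructed sample data: does the file recover
// with the private key, and does the XOR key fall out of the on-disk public key?
func roundTrip(plain []byte) (fileOK, xorKeyRecovered bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return false, false, err
	}
	const xorKey = 0x5A // arbitrary constant chosen for the example
	onDisk := xorEncode(der, xorKey)
	xorKeyRecovered = recoverXorKey(onDisk) == xorKey && bytes.Equal(xorEncode(onDisk, recoverXorKey(onDisk)), der)
	blob, err := encryptFile(plain, &priv.PublicKey)
	if err != nil {
		return false, xorKeyRecovered, err
	}
	got, err := decryptFile(blob, priv)
	if err != nil {
		return false, xorKeyRecovered, err
	}
	return bytes.Equal(got, plain), xorKeyRecovered, nil
}

func main() {
	fmt.Println(roundTrip([]byte("patient record 0001 (constructed sample)")))
}
```

Running it prints `true true <nil>`: the constructed record decrypts with the session private key, and the XOR key is recovered from the encoded public key alone. In a scheme built this way the XOR layer is an analysis nuisance rather than a barrier, and recovery effort belongs entirely on the RSA private key material.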
Silas Cutler, principal reverse engineer at Stairwell, says the design of Maui’s file-encryption workflow is fairly consistent with other modern ransomware families. What’s really different is the absence of a ransom note.
“The lack of an embedded ransom note with recovery instructions is a key missing attribute that sets it apart from other ransomware families,” Cutler says. “Ransom notes have become calling cards for some of the large ransomware groups [and are] sometimes emblazoned with their own branding.” He says Stairwell is still investigating how the threat actor is communicating with victims and exactly what demands are being made.
Security researchers say there are several reasons why the threat actor might have decided to go the manual route with Maui. Tim McGuffin, director of adversarial engineering at Lares Consulting, says manually operated malware has a better chance of evading modern endpoint protection tools and canary files compared with automated, systemwide ransomware.
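To make the canary-file point concrete, here is an added example written for this page (not code from Lares, Stairwell or the advisory) in Go: a minimal canary-file check and two simulated encryptors run against a constructed directory of four files. The file names, the choice of decoys and the use of a plain overwrite in place of real encryption are assumptions of the example. The sweep that touches every file trips both decoys; the operator-driven run that hits only the two named targets trips none, which is exactly the blind spot of file-based canaries that a hands-on-keyboard operator can exploit.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Constructed victim tree: two real targets plus two decoys that no user or
// application ever touches, so any write to a decoy is a high-fidelity alert.
var targets = []string{"ehr.db", "scan_0001.dcm"}
var canaries = []string{"~budget_draft.xlsx", "zz_archive_old.dat"}

func buildTree(root string) error {
	for _, name := range append(append([]string{}, targets...), canaries...) {
		if err := os.WriteFile(filepath.Join(root, name), []byte("constructed content of "+name), 0o600); err != nil {
			return err
		}
	}
	return nil
}

// canaryBaseline hashes the decoys; canaryTripped reports the ones that later
// changed or disappeared (a read failure counts as tripped).
func canaryBaseline(root string) (map[string][32]byte, error) {
	base := map[string][32]byte{}
	for _, name := range canaries {
		b, err := os.ReadFile(filepath.Join(root, name))
		if err != nil {
			return nil, err
		}
		base[name] = sha256.Sum256(b)
	}
	return base, nil
}

func canaryTripped(root string, base map[string][32]byte) []string {
	var hit []string
	for name, h := range base {
		b, err := os.ReadFile(filepath.Join(root, name))
		if err != nil || sha256.Sum256(b) != h {
			hit = append(hit, name)
		}
	}
	return hit
}

// overwrite stands in for encryption so the demo never touches real crypto.
func overwrite(p string) error { return os.WriteFile(p, []byte("<encrypted>"), 0o600) }

// sweepAll models automated ransomware: every regular file under root.
func sweepAll(root string) error {
	return filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		return overwrite(p)
	})
}

// hitTargets models hands-on-keyboard operation: only operator-chosen files.
func hitTargets(root string) error {
	for _, name := range targets {
		if err := overwrite(filepath.Join(root, name)); err != nil {
			return err
		}
	}
	return nil
}

// simulate runs one encryptor against a fresh tree and returns the decoys it tripped.
func simulate(encryptor func(root string) error) ([]string, error) {
	root, err := os.MkdirTemp("", "canary-demo-")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(root)
	if err := buildTree(root); err != nil {
		return nil, err
	}
	base, err := canaryBaseline(root)
	if err != nil {
		return nil, err
	}
	if err := encryptor(root); err != nil {
		return nil, err
	}
	return canaryTripped(root, base), nil
}

func main() {
	auto, _ := simulate(sweepAll)
	manual, _ := simulate(hitTargets)
	fmt.Printf("automated sweep tripped %v; selective run tripped %v\n", auto, manual)
}
```

The automated sweep reports both decoys; the selective run reports none. Canaries remain worthwhile against the far more common automated families, but against an operator who picks files by hand the detection has to come from elsewhere, such as command-line auditing, unusual interactive sessions on servers, or the key and temp-file artifacts the tool leaves behind.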
To read the complete article, visit Dark Reading.