Critical Infrastructure Partners
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Department of the Treasury (Treasury) released a joint Cybersecurity Advisory (CSA) with technical details on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since May 2021.
North Korean state-sponsored cyber actors used Maui ransomware in multiple incidents to encrypt servers responsible for healthcare services, to include electronic health records, diagnostics, imaging, and intranet services, which in some cases caused services to be disrupted. According to industry analysis, the Maui ransomware appears to be designed such that a remote actor manually uses a command-line interface to interact with the malware and to identify files to encrypt. Maui uses a combination of legitimate encryption algorithms, including Advanced Encryption Standard (AES), RSA, and XOR encryption, to encrypt target files. After encrypting files, Maui creates a file with output from its execution; actors likely exfiltrate the file and decrypt it using associated decryption tools.
FBI, CISA, and Treasury assess that North Korean state-sponsored actors are likely to continue targeting HPH Sector organizations, because of the assumption that these organizations are willing to pay ransoms to avoid disruption of the critical life and health services they provide. Organizations are reminded that in September 2021 Treasury issued an advisory highlighting the sanctions risk associated with ransomware payments and providing steps that companies can take to mitigate the risk of becoming a victim of ransomware.
All organizations are encouraged to review the CSA for complete details on this threat and recommended mitigations; however, the FBI, CISA, and Treasury provide several specific mitigations that HPH executives and leaders should implement.