North Korean Hackers Using Ransomware to Attack Healthcare Organizations

The healthcare and public health (HPH) sector has long been an attractive target for cybercriminals due to the value of healthcare data and the ease with which it can be monetized. Ransomware gangs have also targeted the healthcare sector, as the impact of the attacks can be far greater than attacks on other sectors. Preventing access to healthcare data can delay diagnosis and treatment and creates patient safety risks. That means there is a greater incentive for healthcare providers to pay the ransom, and to pay the ransom quickly.

Cybercriminal gangs conduct many of these attacks, but nation-state threat actors similarly target the HPH sector, and ransomware attacks can be a significant source of income for them. For instance, the proceeds from cyberattacks conducted by hackers under the direction of the North Korean government are greater than $2 billion, according to a 2019 report from the United Nations, and that amount has continued to grow. The money is believed to be used to further the country’s weapons of mass destruction programs.

North Korean state-sponsored hackers are known to be targeting the HPH sector in the United States and have been conducting a campaign since at least May 2021 using Maui ransomware, according to a recent joint security alert from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury.

An industry analysis of Maui ransomware indicates it is deployed manually once the threat actors have gained access to the network, but at this stage of the investigation, it is unclear how the hackers are achieving initial network access. Multiple mitigations are therefore required to improve security against multiple attack vectors. Details of recommended mitigations are provided in the security alert, and all organizations in the HPH sector have been encouraged to implement those mitigations as soon as possible to block Maui and other ransomware attacks.

In the event of a ransomware attack, the FBI encourages HPH organizations to provide detailed information about the attacks, as this will help with its investigations. Through the sharing of information, the FBI and other law enforcement agencies will be better able to prevent future attacks by identifying and tracking ransomware actors and holding them accountable under U.S. law.

The alert also draws attention to the Treasury’s Office of Foreign Assets Control (OFAC) sanctions program, which prohibits payments to certain malicious cyber actors that are considered to pose a threat to national security. While paying a ransom may be considered as a way to lessen the impact of an attack, it is important to check that the malicious cyber actor is not on the OFAC list, as there are sanctions risks. Further, paying the ransom comes with no guarantee that data recovery will be possible, and payment may see the organization targeted again.