The Federal Bureau of Investigation (FBI), the Department of the Treasury, and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint cybersecurity advisory warning the healthcare and public health (HPH) sector about the threat of Maui ransomware attacks.
Since at least May 2021, North Korean state-sponsored threat actors have been targeting organizations in the U.S. healthcare and public health sector, encrypting servers that support electronic health record, diagnostic, imaging, and intranet services. The attacks have encrypted data and disrupted services to patients, in some cases for prolonged periods.
According to the advisory, after gaining initial access to a healthcare network the attackers deploy the ransomware manually, using a command-line interface to interact with the payload and launch the encryption. Healthcare organizations are an attractive target for ransomware operators because they depend heavily on data availability to deliver care. An attack can cause serious disruption, loss of revenue, and can endanger patient safety, so healthcare providers are regarded as likely to pay ransoms, and to pay them quickly. For this reason, CISA, the Treasury, and the FBI assess that the HPH sector will continue to be targeted.
The FBI obtained a sample of Maui ransomware and has shared technical details based on its analysis. The initial access vector used by the North Korean actors against healthcare networks is not yet known, but the advisory describes how the attacks are carried out and provides indicators of compromise (IoCs) together with a list of mitigations that HPH sector organizations are urged to implement immediately.
The FBI, the Treasury, and CISA discourage paying ransoms. Payment does not guarantee that files will be recovered or that a working decryptor will be provided, and further demands may follow a payment. The advisory also draws attention to the risk of sanctions violations under the Treasury's Office of Foreign Assets Control (OFAC) if a payment is made.
The advisory references a September 2021 OFAC advisory from the Treasury urging all entities, including those in the healthcare and public health sector, to adopt and strengthen cybersecurity practices. Where the recommended mitigating steps have been taken, OFAC is more likely to resolve apparent sanctions violations involving ransomware payments with a non-public enforcement response.
The FBI acknowledges that when a healthcare provider is unable to function, all options must be evaluated, including paying the ransom to protect shareholders, employees, and patients. Whether or not a ransom is paid, the attack should be reported to the FBI along with details of the incident, including boundary logs showing communications to and from foreign IP addresses, the decryptor file, bitcoin wallet information, and/or benign samples of encrypted files.
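As an added illustration (not part of the advisory or of this article), the script below shows one way to carve the boundary-log evidence the FBI asks for out of firewall logs: it classifies each flow as internal or external using an assumed internal address space and summarizes every external IP that communicated with the network, with direction, denied attempts, destination ports, and first/last seen times. The key=value log format, the internal ranges, and the sample lines are all constructed for this example and will differ from any real vendor format. Attributing an external IP to a foreign country still requires a GeoIP or WHOIS lookup, which is deliberately left out so the script runs offline; the output is the candidate list to feed into that lookup.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a generic key=value boundary-firewall syslog
# format (illustrative only; real formats differ by vendor).
SAMPLE_LOGS = """\
2022-07-06T02:14:31Z fw01 action=allow src=10.20.5.17 dst=203.0.113.45 dport=443 proto=tcp
2022-07-06T02:14:32Z fw01 action=allow src=10.20.5.17 dst=10.20.1.4 dport=445 proto=tcp
2022-07-06T02:15:10Z fw01 action=allow src=198.51.100.23 dst=10.20.5.17 dport=3389 proto=tcp
2022-07-06T02:16:02Z fw01 action=deny src=10.20.5.19 dst=203.0.113.45 dport=443 proto=tcp
2022-07-06T02:17:44Z fw01 action=allow src=10.20.5.17 dst=203.0.113.45 dport=443 proto=tcp
2022-07-06T02:18:00Z fw01 action=allow src=192.168.3.9 dst=127.0.0.1 dport=8080 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+action=(?P<action>\w+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)

# Assumed internal address space: RFC 1918, loopback and link-local. A real
# deployment would list the organization's own allocated ranges instead.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_internal(ip_str):
    """True if the address falls inside the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def external_communications(log_text):
    """Summarize every flow that crosses the boundary, keyed by external IP."""
    summary = defaultdict(lambda: {
        "inbound": 0, "outbound": 0, "denied": 0,
        "ports": set(), "first_seen": None, "last_seen": None,
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real tool would count these
        src_int, dst_int = is_internal(rec["src"]), is_internal(rec["dst"])
        if src_int and not dst_int:
            ext, direction = rec["dst"], "outbound"
        elif dst_int and not src_int:
            ext, direction = rec["src"], "inbound"
        else:
            continue  # purely internal (or external-to-external) traffic is out of scope
        s = summary[ext]
        if rec["action"].lower() == "deny":
            s["denied"] += 1  # blocked attempts are still worth reporting
        else:
            s[direction] += 1
        s["ports"].add(int(rec["dport"]))
        ts = rec["ts"]  # ISO-8601 UTC, so string comparison orders correctly
        if s["first_seen"] is None or ts < s["first_seen"]:
            s["first_seen"] = ts
        if s["last_seen"] is None or ts > s["last_seen"]:
            s["last_seen"] = ts
    return dict(summary)


def format_report(summary):
    """Render the summary as one line per external IP for an incident report."""
    lines = []
    for ext in sorted(summary, key=ipaddress.ip_address):
        s = summary[ext]
        ports = ",".join(str(p) for p in sorted(s["ports"]))
        lines.append(
            f"{ext}: outbound={s['outbound']} inbound={s['inbound']} "
            f"denied={s['denied']} dports={ports} "
            f"first={s['first_seen']} last={s['last_seen']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(external_communications(SAMPLE_LOGS)))
```

Run it against a real export by replacing SAMPLE_LOGS with the file contents and adjusting LINE_RE and INTERNAL_NETS to the local format and address plan; the resulting list of external IPs, with the raw lines that produced it, is what a GeoIP lookup then narrows to the foreign addresses the advisory asks to see.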
A lengthy list of mitigations was provided to help healthcare and public health sector organizations strengthen their defenses against Maui and other ransomware attacks. The IoCs, mitigations, and technical analysis of Maui ransomware can be found in the full advisory at this link.