CISA: North Korean ‘Maui’ ransomware targeting healthcare organizations
Jonathan Greig July 6, 2022

A ransomware strain called Maui is being used by North Korean state-sponsored hackers to attack healthcare organizations across the U.S., according to the FBI, Treasury Department and the Cybersecurity and Infrastructure Security Agency (CISA).

In an alert released on Wednesday, the agencies said the ransomware had been used to disrupt services at multiple hospitals and clinics since at least May 2021, with some attacks causing “prolonged” outages. 

CISA Executive Assistant Director for Cybersecurity Eric Goldstein called the ransomware a “significant risk to organizations of all sizes.” Rahul Prabhakar, Treasury Deputy Assistant Secretary for Cybersecurity and Critical Infrastructure Protection, added that the advisory provides guidance that organizations of all sizes across the country can use to help defend themselves.

The agencies said they believe North Korean state-sponsored actors will continue targeting healthcare organizations because they are likely to pay ransoms to “avoid disruption of the critical life and health services they provide.”

Much of the data provided in the alert comes from FBI incident response activities and industry analysis of a Maui sample.

North Korean threat actors allegedly use the ransomware to encrypt servers responsible for electronic health records services, diagnostic services, imaging services, and intranet services, according to the alert.

The initial access vector used by the actors is still unknown, but the agencies provided a list of actions healthcare organizations should take to protect themselves from this ransomware strain and from ransomware in general.

Researchers with cybersecurity company Stairwell released a corresponding report about Maui, doing a deeper dive into how the ransomware typically works. 

Silas Cutler, principal reverse engineer for Stairwell, noted that Maui stood out from other ransomware because its victims are not given a ransom note with recovery instructions. 

“Instead, we believe that Maui is manually operated, in which operators will specify which files to encrypt when executing it and then exfiltrate the resulting runtime artifacts,” Cutler said.

Recorded Future ransomware expert Allan Liska said the Maui ransomware has been known to incident responders since its attacks against hospitals started appearing in the fall.

There was no extortion site connected to the ransomware and the hackers behind it never left a note, Liska said, noting that he was aware of about a dozen victims that were all in the healthcare sector. 

“It is a relatively small, but effective group in terms of number of victims. Because there is no RaaS site and no ransom note it is really hard to track infections,” he said. 

“It is definitely a smaller group, which is why it was almost on no one’s radar (including mine). But, because their targets primarily (or entirely) consisted of healthcare providers it is likely that they had an outsized impact in their attacks (in terms of the number of people affected).”

Ransomware attacks on healthcare organizations have continued throughout 2021 and 2022, including recent attacks on a California nonprofit in March by the Hive ransomware group. 

FBI Director Christopher Wray said last month that an Iran-based group attacked the Boston Children’s Hospital with ransomware last June. 

Healthcare organizations also continue to face a barrage of cyberattacks involving the theft of patient and employee data. 

In June, Kaiser Foundation Health Plan of Washington announced that it was sending out breach notification letters to 70,000 state residents due to a cyberattack that took place April 5. 

The sensitive information of two million people was accessed during a March cyberattack on Shields Health Care Group, a Massachusetts-based healthcare organization that provides services to dozens of hospitals and other medical facilities. The company said the hackers gained access to databases that contained full names, Social Security numbers and more. 

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.