US and South Korea accuse North Korea of using hospital ransoms to fund more hacking
North Korean state hackers are using a variety of ransomware strains to attack healthcare organizations and other targets globally, with the goal of pulling in money to fund other operations, the U.S. and South Korea said Thursday.
The two allies said “an unspecified amount of revenue from these cryptocurrency operations supports [North Korean] national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments.”
Specific targets for those cyber operations include U.S. defense information networks and military contractors, according to a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the NSA and several South Korean defense and intelligence agencies.
North Korean hackers have used both internally developed ransomware, like Maui and H0lyGh0st, and extortion malware obtained by other means, the agencies said — such as Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom.
The advisory provides an update to one released by the same law enforcement agencies in July 2022, in which North Korean hackers were accused of using the Maui ransomware in attacks on healthcare organizations.
It marks the first time agencies have tied a specific actor to the use of Deadbolt and ech0raix, two ransomware strains used to target customers of data-storage hardware vendor QNAP.
The agencies also said North Korean hackers have attempted to portray themselves as members of other ransomware groups like the now-shuttered REvil.
They have generated multiple web domains, personas and accounts to obscure their actions, according to the agencies, which noted that the hackers are able to “procure infrastructure, IP addresses, and domains with cryptocurrency generated through illicit cybercrime, such as ransomware and cryptocurrency theft.”
They also use VPNs to make it appear that attacks are coming from more innocuous locations outside of North Korea.
The hackers exploit common vulnerabilities such as Log4Shell. The agencies named three specific vulnerabilities – CVE-2021-44228 (Log4Shell), CVE-2021-20038 and CVE-2022-24990 – as ones typically used by North Korean actors.
In addition to ransomware, the hackers use other customized malware to exfiltrate data, perform reconnaissance operations and steal files.
“DPRK cyber actors have been observed setting ransoms in bitcoin. Actors are known to communicate with victims via Proton Mail email accounts,” the advisory said. “For private companies in the healthcare sector, actors may threaten to expose a company’s proprietary data to competitors if ransoms are not paid.”
The advisory highlights a startling trend across the world as nation-states have begun deploying ransomware for a variety of reasons and purposes.
The governments of countries like Costa Rica, Albania, Bosnia and Herzegovina and Montenegro have each dealt with ransomware attacks that were allegedly launched by rivals or adversaries like Russia and Iran.
Several other parliaments around the world have faced off against ransomware gangs and hackers in recent years.
Allan Liska, a ransomware expert at cybersecurity company Recorded Future, said more than 50 national governments or national government agencies have been hit by ransomware in 2022. The Record is an editorially independent unit of Recorded Future.
“We’ve seen what appear to be government-backed ransomware attacks from Russia, China, Iran and North Korea. Now, North Korea has always used ransomware attacks, dating back to 2017, but they seem to have really stepped up their attacks this year, making them even more dangerous as an adversary,” he said.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.