North Korean state-sponsored hackers are targeting organizations in the U.S. healthcare and public health sector (HPH) and are using Maui ransomware for extortion, according to a recent joint cybersecurity advisory from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury.
Ransomware attacks on healthcare providers can prevent access to electronic medical records stopping healthcare providers from accessing patient data. The attacks can also disrupt diagnostic and imaging services and disable intranets. Attacks involving Maui ransomware have caused major disruption to victims, with that disruption sometimes continuing for long periods of time.
According to the security advisory, North Korean hackers have been conducting attacks on the HPH sector in the United States since at least May 2021. The vectors used to gain access to the servers of HPH organizations are not known, but a sample of the ransomware has been obtained and analyzed by the FBI. The FBI reports that the ransomware is most likely deployed manually using a command-line interface once initial access to servers has been gained. The ransomware uses a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption to encrypt the targeted files, and after file encryption, a ransom demand is issued.
The FBI, CISA, and the Treasury believe the HPH sector is being targeted because the threat actors assume there is a higher probability of the ransom being paid than organizations in other sectors due to the disruption caused and the patient safety issues attacks create. The Feds believe attacks on the sector are likely to continue.
The FBI said it understands that payment of the ransom may have to be considered to lessen the harm to shareholders, employees, and patients, but payment of the ransom is strongly discouraged. Organizations that have paid ransoms in the past have found that they have still been unable to recover their files. In some cases, after a victim has paid the ransom, a further ransom demand is issued, and paying ransoms only encourages more attacks. The alert also highlights the risk of sanctions by the Treasury’s Office of Foreign Assets Control (OFAC). Financial penalties can be imposed on organizations that violate OFAC sanctions and make payments to malicious cyber actors on its sanctions list, as payment threatens U.S. national security interests. Regardless of whether or not the ransom is paid, victims should still report the incident to their local FBI field office or CISA and should share as much information as possible about the attack.
The advisory details several mitigations that organizations in the HPH sector can implement to prepare for ransomware attacks, reduce the likelihood of an attack succeeding, and limit the harm caused if ransomware is deployed. IoCs have also been shared to help network defenders identify and block attacks in progress, as detailed in the table below
| Indicator Type | Value |
| Filename | maui.exe |
| maui.log | |
| maui.key | |
| maui.evd | |
| aui.exe | |
| MD5 Hash | 4118d9adce7350c3eedeb056a3335346 |
| 9b0e7c460a80f740d455a7521f0eada1 | |
| fda3a19afa85912f6dc8452675245d6b | |
| 2d02f5499d35a8dffb4c8bc0b7fec5c2 | |
| c50b839f2fc3ce5a385b9ae1c05def3a | |
| a452a5f693036320b580d28ee55ae2a3 | |
| a6e1efd70a077be032f052bb75544358 | |
| 802e7d6e80d7a60e17f9ffbd62fcbbeb | |
| SHA256 Hash | 5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e |
| 45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78 | |
| 56925a1f7d853d814f80e98a1c4890b0a6a84c83a8eded34c585c98b2df6ab19 | |
| 830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570 | |
| 458d258005f39d72ce47c111a7d17e8c52fe5fc7dd98575771640d9009385456 | |
| 99b0056b7cc2e305d4ccb0ac0a8a270d3fceb21ef6fc2eb13521a930cea8bd9f | |
| 3b9fe1713f638f85f20ea56fd09d20a96cd6d288732b04b073248b56cdaef878 | |
| 87bdb1de1dd6b0b75879d8b8aef80b562ec4fad365d7abbc629bcfc1d386afa6 |