Joint Advisory: Ransomware Used by North Korean State-Sponsored Actors
On July 6, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) issued a joint cybersecurity advisory providing information on Maui ransomware. Maui ransomware has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.
The advisory explains that the FBI has observed and responded to various Maui ransomware incidents at HPH Sector organizations and that North Korean state-sponsored cyber actors used this ransomware in these incidents to encrypt services that are responsible for healthcare services, including electronic health records, diagnostic services, imaging services, and intranet services. The advisory adds that in some cases the incidents disrupted services provided by the HPH Sector organizations for extended periods and the initial access vector(s) for these incidents is not known at this time.
The advisory states that “Maui ransomware (maui.exe) is an encryption binary. According to industry analysis of a sample of Maui (SHA256: 5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e) provided in Stairwell Threat Report: Maui Ransomware—the ransomware appears to be designed for manual execution [TA0002] by a remote actor. The remote actor uses command-line interface [T1059.008] to interact with the malware and to identify files to encrypt.”
Moreover, “Maui uses a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption to encrypt [T1486] target files:
- Maui encrypts target files with AES 128-bit encryption. Each encrypted file has a unique AES key, and each file contains a custom header with the file’s original path, allowing Maui to identify previously encrypted files. The header also contains encrypted copies of the AES key.
- Maui encrypts each AES key with RSA encryption.
- Maui loads the RSA public (maui.key) and private (maui.evd) keys in the same directory as itself.
- Maui encodes the RSA public key (maui.key) using XOR encryption. The XOR key is generated from hard drive information (\\.\PhysicalDrive0).
During encryption, Maui creates a temporary file for each file it encrypts using GetTempFileNameW(). Maui uses the temporary to stage output from encryption. After encrypting files, Maui creates maui.log, which contains output from Maui execution. Actors likely exfiltrate [TA0010] maui.log and decrypt the file using associated decryption tools.”
The FBI believes that the North Korean state-sponsored cyber actors target healthcare organizations because they presume healthcare organizations are willing to pay ransoms due to providing services critical to human life. Due to this belief, the FBI, CISA, and Treasury say that North Korean state-sponsored actors will likely continue targeting healthcare organizations.
The advisory also has steps organizations can take: “The FBI, CISA, and Treasury urge HPH Sector organizations to:
- Limit access to data by deploying public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things (IoT) medical devices, and the electronic health record system, as well as to ensure data packages are not manipulated while in transit from man-in-the-middle attacks.
- Use standard user accounts on internal systems instead of administrative accounts, which allow for overarching administrative system privileges and do not ensure least privilege.
- Turn off network device management interfaces such as Telnet, SSH, Winbox, and HTTP for wide area networks (WANs) and secure with strong passwords and encryption when enabled.
- Secure personal identifiable information (PII)/patient health information (PHI) at collection points and encrypt the data at rest and in transit by using technologies such as Transport Layer Security (TPS). Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available if data is ever compromised.
- Protect stored data by masking the permanent account number (PAN) when it is displayed and rendering it unreadable when it is stored—through cryptography, for example.
- Secure the collection, storage, and processing practices for PII and PHI, per regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Implementing HIPAA security measures can prevent the introduction of malware on the system.
- Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer.
- Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.
- Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI.”
To prepare for ransomware, the advisory makes suggestions including:
- Maintaining offline backups of data and regularly testing backups and restoration processes
- Ensuring all backup data is encrypted and immutable
- Creating, maintaining, and exercising a cyber incident response plan
- Ensuring incident response and communication plans include response and notification procedures for data breaches and ensure the notification procedures abide by applicable state laws
The advisory also suggests mitigation and response tactics for ransomware, including installing updates on operating systems, software, and firmware, monitoring remote desk protocol, and limiting access to resources over internal networks. If ransomware does occur, the advisory suggests following the organization’s Ransomware Response Checklist, scanning backups, following notification requirements, and reporting the incident to the FBI.
The advisory concludes by saying that “The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files. As stated above, the FBI discourages paying ransoms. Payment does not guarantee files will be recovered and may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, the FBI understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees, and customers. Regardless of whether you or your organization have decided to pay the ransom, the FBI, CISA, and Treasury urge you to promptly report ransomware incidents to the FBI at a local FBI Field Office, CISA at us-cert.cisa.gov/report, or the USSS at a USSS Field Office. Doing so provides the U.S. Government with critical information needed to prevent future attacks by identifying and tracking ransomware actors and holding them accountable under U.S. law.”