The US agencies CISA, the FBI and the Treasury Department have issued a joint advisory warning that North Korean state-sponsored cyber actors are targeting healthcare organizations with ransomware called Maui. The advisory provides information for recognizing the malware in the form of Indicators of Compromise (IoCs), specifically file hashes, together with recommendations intended to help prevent infection.
The Maui malware has been used since at least May 2021 against healthcare organizations. North Korean cyber actors have used it to encrypt servers that store electronic health records, provide diagnostic services, handle imaging, and host intranet services. In several cases the affected organizations' services were disrupted for extended periods. The authors suspect the attackers chose these targets because they are seen as more willing to pay a ransom, since human lives can be at stake.
According to the authorities, Maui encrypts target files with 128-bit AES, using a separate AES key for each file. Each encrypted file carries a custom header that stores the file's original path, which is what allows Maui to recognize files it has already encrypted, as well as encrypted copies of the file's AES key.
Each AES key is in turn encrypted with RSA. Maui loads the RSA public key (maui.key) and private key (maui.evd) from the same directory as the malware itself (maui.exe). The public key file is additionally XOR-encoded, with the XOR key derived from drive information obtained from \\.\PhysicalDrive0.
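The scheme described in the two paragraphs above, as an added illustration that is not code from the advisory or from the malware: a fresh AES-128 key per file, that key wrapped with RSA, a header carrying the original path and the wrapped key (which is what lets the program recognize files it has already touched), and an XOR-encoded public key file whose XOR key is derived from drive information. The header layout, the `HDR1` marker, the `driveInfo` string, the SHA-256 derivation of the XOR key, and the choice of AES-GCM and RSA-OAEP are all this example's own assumptions; the advisory publishes none of those details. It uses only the Go standard library and works on byte slices in memory rather than on files.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical values; the advisory publishes neither the real header layout nor the XOR key derivation.
const (
	magic     = "HDR1"                          // marks a file this scheme has already processed
	driveInfo = "constructed-drive-serial-0001" // constructed stand-in for \\.\PhysicalDrive0 data
)

// xorKeyFromDrive turns the drive identifier into a 32-byte XOR key (our stand-in derivation).
func xorKeyFromDrive(drive string) []byte {
	sum := sha256.Sum256([]byte(drive))
	return sum[:]
}

// xorBytes is a repeating-key XOR: its own inverse, and obfuscation rather than encryption.
func xorBytes(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ key[i%len(key)]
	}
	return out
}

// loadPublicKey decodes the XOR-encoded key file (the maui.key role); other drive info yields garbage DER.
func loadPublicKey(blob []byte, drive string) (*rsa.PublicKey, error) {
	return x509.ParsePKCS1PublicKey(xorBytes(blob, xorKeyFromDrive(drive)))
}

// isEncrypted is the check the header enables: already-processed files are skipped.
func isEncrypted(data []byte) bool { return bytes.HasPrefix(data, []byte(magic)) }

// encryptFile is envelope encryption of one file body: a fresh AES-128 key per file, wrapped with
// RSA-OAEP and stored in the header next to the original path. Layout (our own):
// magic | u32 pathLen | path | wrappedKey (pub.Size() bytes) | 12-byte nonce | AES-GCM ciphertext.
func encryptFile(pub *rsa.PublicKey, path string, plaintext []byte) ([]byte, error) {
	if isEncrypted(plaintext) {
		return nil, errors.New("already encrypted")
	}
	kn := make([]byte, 16+12) // per-file AES-128 key followed by the GCM nonce
	if _, err := rand.Read(kn); err != nil {
		return nil, err
	}
	fileKey, nonce := kn[:16], kn[16:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(fileKey) // 16-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	out := binary.LittleEndian.AppendUint32([]byte(magic), uint32(len(path)))
	out = append(append(append(out, path...), wrapped...), nonce...)
	// The path is authenticated as associated data, so headers cannot be swapped between files.
	return gcm.Seal(out, nonce, plaintext, []byte(path)), nil
}

// decryptFile needs the RSA private key (the maui.evd role); without it the header reveals only the path.
func decryptFile(priv *rsa.PrivateKey, data []byte) (string, []byte, error) {
	if !isEncrypted(data) || len(data) < len(magic)+4 {
		return "", nil, errors.New("missing header")
	}
	pl := int(binary.LittleEndian.Uint32(data[len(magic):]))
	rest := data[len(magic)+4:]
	if pl < 0 || pl > len(rest) || len(rest)-pl < priv.Size()+12 {
		return "", nil, errors.New("truncated file")
	}
	path, wrapped, body := rest[:pl], rest[pl:pl+priv.Size()], rest[pl+priv.Size():]
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return "", nil, err
	}
	block, err := aes.NewCipher(fileKey) // rejects a wrapped key of the wrong length
	if err != nil {
		return "", nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	pt, err := gcm.Open(nil, body[:12], body[12:], path)
	return string(path), pt, err
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	pub, _ := loadPublicKey(xorBytes(x509.MarshalPKCS1PublicKey(&priv.PublicKey), xorKeyFromDrive(driveInfo)), driveInfo)
	enc, _ := encryptFile(pub, `C:\records\patient-0001.dcm`, []byte("constructed sample record"))
	path, pt, err := decryptFile(priv, enc)
	fmt.Println(isEncrypted(enc), path, string(pt), err)
}
```

Two things a responder can take from this: the header marker is exactly what an inventory script can key on to count affected files, and `decryptFile` can do nothing without the private key, which is why the advisory's emphasis on tested offline backups matters more than any hope of recovering the per-file keys.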
The authors also propose measures that IT managers in healthcare facilities can use to better protect their infrastructure against such ransomware attacks. For example, they should limit access to data by deploying a public key infrastructure and digital certificates for authentication to the network, to IoT medical devices, and to the electronic health record system. Systems should be used with standard user accounts rather than accounts with administrative privileges.
Internet-facing management services such as Telnet, SSH, Winbox and HTTP should either be turned off or, where external access is genuinely required, protected with strong passwords and encryption. Patient data should be protected and encrypted at rest, and TLS should be used to protect it in transit.
Backups and Contingency Plans
In addition, offline backups that are physically separated from the systems they protect should be maintained, and their restoration should be tested regularly. IT managers should also create, review and practice a cyber incident response plan. Many further, largely familiar recommendations, as well as the file hashes (IoCs), can be found in the joint advisory by the FBI, CISA and the US Treasury Department.
The authors also strongly advise against paying ransom: payment does not guarantee that the files will be recovered, and it may expose the payer to sanctions risk. Well-known German IT security experts take the same line, have identified ransom payments as the root of the problem, and have even called for a legal framework that would amount to a near-ban on ransom payments.