US govt warns of Maui ransomware attacks against healthcare orgs

The FBI, CISA, and the U.S. Treasury Department issued today a joint advisory warning of North-Korean-backed threat actors using Maui ransomware in attacks against Healthcare and Public Health (HPH) organizations.

Starting in May 2021, the FBI has responded to and detected multiple Maui ransomware attacks impacting HPH Sector orgs across the U.S.

"North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services," the federal agencies revealed.

"In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods. The initial access vector(s) for these incidents is unknown."

According to a threat report authored by Stairwell principal reverse engineer Silas Cutler, Maui ransomware is manually deployed across compromised victims' networks, with the remote operators targeting specific files they want to encrypt.

While Stairwell collected the first Maui sample in early April 2022, all Maui ransomware samples share the same compilation timestamp of April 15, 2021.

Maui also stands out compared to other ransomware strains by not dropping a ransom note on encrypted systems to provide victims with data recovery instructions.

DPRK hackers will likely continue targeting HPH sector

The three U.S. federal agencies also provide indicators of compromise (IOCs) obtained by the FBI while responding to Maui ransomware attacks since May 2021.

They also urge HPH Sector organizations to implement mitigation and apply a set of measures shared in the joint advisory to prepare for, prevent, and respond to ransomware incidents.

At the very least, network defenders are advised to train users to spot and report phishing attempts, enable and enforce multi-factor authentication across their orgs, and keep antivirus and antimalware software up to date on all hosts. 

"The FBI assesses North Korean state-sponsored cyber actors have deployed Maui ransomware against Healthcare and Public Health Sector organizations," the joint advisory adds.

"The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health.

"Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting HPH Sector organizations."

The federal agencies also "highly discourages" victims from paying ransom demands from threat actors behind Maui ransomware attacks and remind HPH organizations of an advisory issued by the Department of Treasury regarding sanction risks linked to ransomware payments.