Several federal agencies are warning healthcare organizations that they are under threat of attacks from North Korean state-sponsored actors employing a unique ransomware that targets files with surgical precision, according to U.S. federal authorities.
Threat actors from North Korea have been using Maui ransomware since at least May 2021 to target organizations in the healthcare and public health sector, according to a joint advisory issued Wednesday by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury (Treasury).
Organizations should be on the lookout for indicators of compromise and take mitigations against such attacks, both of which are included in the federal advisory.
Moreover, if organizations do find themselves the victim of attack, the agencies recommend that they refrain from paying any requested ransom, “as doing so does not guarantee files and records will be recovered and may pose sanctions risks,” they wrote in the advisory.
Maui–which has been active since at least April 2021, according to a report on the ransomware by cybersecurity firm Stairwell– has some unique characteristics that set it apart from other ransomware-as-a-service (RaaS) threats currently in play.
“Maui stood out to us because of a lack of several key features we commonly see with tooling from RaaS providers,” Silas Cutler, principal reverse engineer at Stairwell, wrote in the report.
These include the lack of a ransom note to provide recovery instructions or automated means of transmitting encryption keys to attackers, he wrote.
The former characteristic adds an especially sinister quality to Maui attacks, observed one security professional.
“Cyber criminals want to get paid quickly and effectively, and with little information for the victim the attack is increasingly malicious in nature,” observed James McQuiggan, security awareness advocate at security firm KnowBe4, in an e-mail to Threatpost.
Another characteristic of Maui that diverges from other ransomware is that it appears to be designed for manual execution by a threat actor, allowing its operators to “specify which files to encrypt when executing it and then exfiltrate the resulting runtime artifacts,” Cutler wrote.
This manual execution is a trend that’s increasing among advanced malware operators, as it allows attackers to target only the most important assets on a network, noted one security professional.
“For truly organizational crippling ransomware attacks, threat actors need to manually identify the important assets and the weak points to truly take down a victim,” observed John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS firm, in an email to Threatpost. “Automated tools simply cannot identify all the unique aspects of each organization to enable a complete takedown.”
Singling out specific files to encrypt also gives attackers more control over an attack while also making it slightly less taxing for a victim to clean up after, noted Tim McGuffin, director of adversarial Eegineering at information security consulting firm LARES Consulting.
“By targeting specific files, the attackers get to choose what is sensitive and what to exfiltrate in a much more tactical fashion when compared to a ‘spray-and-pray’ ransomware,” he said. “This can show ‘good faith’ from the ransomware group by allowing targeting and recovery of just sensitive files and not having to rebuild the entire server if [for example] the operating system files are encrypted as well.”
Healthcare Under Fire
The healthcare industry has been the target of increased attacks, particularly over the last two and a half years during the COVID-19 pandemic. Indeed, there are a number of reasons the sector continues to be an attractive target for threat actors, experts said.
One is because it’s a financially lucrative industry that also tends to have outdated IT systems without sophisticated security. This makes healthcare organizations low-hanging fruit for cybercriminals, noted one security professional.
“Healthcare is always targeted due to their multi-million dollar operating budget and U.S. Federal guidelines that make it difficult to quickly update systems,” KnowBe4’s McQuiggan observed.
Moreover, attacks on healthcare agencies can put people’s health and even their lives at risk, which might make organizations in the sector more likely to pay ransoms to criminals straightaway, experts observed.
“The need to restore operations as quickly as possible can drive healthcare organizations to more readily and swiftly pay any extortion demands stemming from ransomware,” noted Chris Clements, vice president of solutions architecture at cybersecurity company Cerberus Sentinel, in an email to Threatpost.
Because cybercriminals know this, the FBI, CISA and Treasury said the sector can continue to expect attacks from North Korean state-sponsored actors.
Healthcare information also is highly valuable to threat actors due to its sensitive and private nature, making easy to resell on cybercriminal marketplaces as well as useful to construct “highly tailored secondary social engineering attack campaigns,” Clements observed.
Sequence of Attack
Citing the Stairwell report, federal agencies provided a breakdown of how an attack by Maui ransomware—installed as an encryption binary called “maui.exe”–encrypts specific files on an organization’s system.
Using a command-line interface, threat actors interact with the ransomware to identify which files to encrypt, using a combination of Advanced Encryption Standard (AES), RSA and XOR encryption.
First Maui encrypts target files with AES 128-bit encryption, assigning each file a unique AES key. A custom header contained in each file that includes the file’s original path allows Maui to identify previously encrypted files. The header also contains encrypted copies of the AES key, researchers said.
Maui encrypts each AES key with RSA encryption and loads the RSA public (maui.key) and private (maui.evd) keys in the same directory as itself. It then encodes the RSA public key (maui.key) using XOR encryption with an XOR key that’s generated from hard drive information.
During encryption, Maui creates a temporary file for each file it encrypts using GetTempFileNameW(), and uses this file to stage output from encryption, researchers said. After encrypting files, Maui creates maui.log, which contains output from Maui execution and is likely to be exfiltrated by threat actors and decrypted using associated decryption tools.
Register Now for this LIVE EVENT on MONDAY JULY 11: Join Threatpost and Intel Security’s Tom Garrison in a live conversation about innovation enabling stakeholders to stay ahead of a dynamic threat landscape and what Intel Security learned from their latest study in partnership with Ponemon Institue. Event attendees are encouraged to preview the report and ask questions during the live discussion. Learn more and register here.