A recent joint advisory from U.S. cybersecurity and law-enforcement agencies reports that North Korean state-sponsored actors have been using Maui ransomware against the healthcare and public health sector since at least May 2021. The advisory states that the attacks targeted servers providing essential healthcare services, including electronic health records, diagnostic imaging, and internal (intranet) services.

According to the alert issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of the Treasury, the actors encrypted the servers behind these services, severely disrupting healthcare operations. Security firm Stairwell, whose research contributed to the advisory, notes that Maui is unusual in lacking several features that are standard in ransomware-as-a-service (RaaS) offerings.

Maui carries no embedded ransom note and no automated mechanism for transmitting encryption keys to the operators, which sets it apart from most ransomware strains. Security researcher Silas Cutler explained that the malware appears to be engineered for manual activation by the operators, who use a command-line interface to select the files to encrypt, rather than functioning as a self-managing RaaS product.

Maui encrypts each target file with AES-128 under a unique, per-file key. Each of those AES keys is in turn encrypted with an RSA public key that is hard-coded into the sample and specific to the campaign. Because the matching RSA private key is held by the operators and is never needed on the victim system during encryption, neither the files nor their AES keys can be recovered from the encrypted output alone; the only route to decryption runs through that private key, which is what makes the scheme so hard to undo.
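The hybrid scheme described above, as an added illustration that is not Maui's code or Stairwell's: a fresh AES-128 key per file, wrapped under an RSA public key that the encryptor carries with it and never needs to exchange. AES-GCM, RSA-OAEP, the 2048-bit key size and the Envelope layout are this example's own assumptions; the page does not describe Maui's cipher mode, padding or on-disk format. The example also shows the consequence for responders: holding the sample (and so the public key) but not the operators' private key, you cannot unwrap a single file key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope holds one encrypted file as the scheme described above would leave it on
// disk: the per-file AES key wrapped under the operators' RSA public key, next to the
// AES ciphertext. The layout and names are this example's own, not Maui's file format.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(operatorPublicKey, fileKey)
	Nonce      []byte // AES-GCM nonce (assumed mode; the page does not name Maui's)
	Ciphertext []byte // AES-128-GCM(fileKey, plaintext)
}

// encryptFile models the encryptor. It is given only the public key, which in a real
// sample is hard-coded into the binary, so it never needs to contact the operators.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	fileKey := make([]byte, 16) // AES-128: a fresh 128-bit key for every file
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// Wrap the file key so that only the holder of the private key can unwrap it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// fileKey is dropped once wrapped; nothing written out carries it in the clear.
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// decryptFile models recovery. It is the only way back to the plaintext, and it needs
// the RSA private key, which stays with the operators.
func decryptFile(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key (wrong or missing private key): %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Stand-in for the operators' campaign key pair; only PublicKey would ship in the binary.
	operatorKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	plaintext := []byte("constructed sample: patient record 0001") // constructed input
	env, err := encryptFile(&operatorKey.PublicKey, plaintext)
	if err != nil {
		panic(err)
	}
	// Recovery with the operators' private key succeeds.
	got, err := decryptFile(operatorKey, env)
	fmt.Println("with operator key:", err == nil && bytes.Equal(got, plaintext))
	// A responder holding the binary (hence the public key) but not the private key
	// cannot unwrap any file key; a fresh key pair stands in for "any other key".
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = decryptFile(otherKey, env)
	fmt.Println("without operator key:", err)
}
```

Run with `go run`: the first line prints `true`, the second prints a decryption error. The point for incident response is the asymmetry: the encryptor only ever needs the public key, so capturing the sample, its memory, or its network traffic yields nothing that unwraps the per-file keys.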

Unlike conventional ransomware, which is typically leased to affiliate groups, Maui appears to be operated directly by the state-sponsored actors themselves, which suggests these operations are likely to continue. Incidents involving the ransomware have reportedly caused prolonged disruption of healthcare services, although the initial access vector has not been determined.

The campaign relies on the likelihood that healthcare organizations will pay to speed up recovery and keep vital services available. This fits an emerging pattern in which North Korean adversaries adapt their methods to secure a steady flow of revenue amid the country's economic difficulties, further complicating the international threat landscape.

The “State of Ransomware in Healthcare 2022” report from Sophos found that 61% of surveyed healthcare organizations paid a ransom, well above the global average of 46%. Yet only 2% of those that paid recovered all of their data, which underlines the risk of relying on payment as a recovery strategy.

The manually operated model may also indicate that North Korean actors use the ransomware as cover for other activity, a pattern seen in other advanced persistent threat (APT) operations. “Nation state-sponsored ransomware attacks have transformed into a prevalent form of international aggression,” commented Peter Martini, co-founder of iboss, emphasizing the indiscriminate targeting of vital industries such as healthcare to procure untraceable cryptocurrency, which may facilitate other illicit activities, including nuclear ambitions.
