UPDATED 19:36 EDT / JULY 06 2022

SECURITY

North Korean hackers targeting healthcare sector with Maui ransomware

The U.S. government is warning healthcare and public health organizations to be on alert for attacks by North Korean state-sponsored hackers using Maui ransomware to target the sector.

The alert, issued by the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency and the Department of the Treasury, states that multiple ransomware attacks using Maui ransomware have been detected targeting the healthcare sector since May 2021.

An attack using Maui follows the traditional ransomware path of encrypting files on servers. Targets in previous attacks have included servers hosting electronic health records, diagnostics services, imaging services and intranet services. In some cases, the Maui ransomware attacks have disrupted the services provided by healthcare providers for a prolonged period. The initial attack vector for these incidents is not known.

The alert does not specify whether data is stolen in the attacks or not. Maui does differ from traditional ransomware in one way: Instead of encrypting all files, the ransomware targets specific files in what may be a process of manual selection.

The FBI, CISA and Treasury are urging healthcare providers to take steps to mitigate the risk of being targeted by Maui. These include limiting access to data by deploying public key infrastructure and digital certificates to authenticate connections, “internet of things” medical devices and electronic health records.

Healthcare providers should also turn off device management interfaces, secure personally identifiable information, protect stored data by masking the permanent account number and implement multilayer network segmentation, among other recommendations.

“This Maui campaign is interesting in that a ransomware campaign is being selective,” Aaron Turner, chief technology officer for SaaS Protect at AI cybersecurity company Vectra AI Inc., told SiliconANGLE. “However, if North Korea is really involved, then it is conceivable that the ransomware activities are only an afterthought for when attackers have exfiltrated the selected data that they want before initiating the encryption of files to block access.”

Turner added that this use of operator-driven selective encryption is most likely an indicator that the Maui campaign is not just a ransomware activity. “Most likely it’s a combination of intellectual property theft and industrial espionage combined with opportunistic monetization activities through ransomware,” he said.

James McQuiggan, security awareness advocate at security awareness training company KnowBe4 Inc., said Maui represents a different style of ransomware because it selects which files to target and leaves behind no instructions to make payment.

“Cybercriminals want to get paid quickly and effectively and with little information for the victim, the attack is increasingly malicious in nature,” McQuiggan explained. “Healthcare is always targeted due to their multimillion-dollar operating budgets and U.S. guidelines that make it difficult to quickly update systems and thus makes it a prime target for cybercriminals.”

Photo: Roman Harak/Flickr
