US Says North Korean-Backed Hackers Targeting Health Care Sector With Ransomware

Aldgra Fredly

North Korean state-sponsored cyber actors have been targeting hospitals and health care facilities in the United States with ransomware since May 2021, according to U.S. intelligence agencies.

The FBI, Treasury Department, and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on July 6 about “Maui” ransomware.

The agencies suspect that hackers deployed Maui ransomware to encrypt servers responsible for health care services—including health records, medical imaging, and intranet systems—and demand ransom from the victims.

“The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health,” the advisory reads.

“Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting [health care and public health] sector organizations.”

The advisory states that in some incidents reported to the agencies, Maui ransomware disrupted health care services for “prolonged periods,” and the initial access vector for these cases is unknown.

The agencies warned that paying a ransom does not ensure the recovery of files. Rather, it emboldens adversaries to target more organizations, encourages other criminal actors to distribute ransomware, and funds illicit activities.

According to the advisory, Maui ransomware is operated manually by a remote actor using a “command-line interface” to interact with the malware and to identify files to encrypt.

Cybersecurity company Stairwell said in its report about the ransomware that “there are many aspects to Maui ransomware that are unknown, including usage context.”

The U.S. government has blamed North Korea for a number of high-profile cyberattacks in recent years, including the multimillion-dollar cryptocurrency heist of Axie Infinity, a game in which players can earn cryptocurrency tokens.

The Office of the Director of National Intelligence said in its 2021 Annual Threat Assessment report that “North Korea’s cyber program poses a growing espionage, theft, and attack threat.”

“North Korea has conducted cyber theft against financial institutions and cryptocurrency exchanges worldwide, potentially stealing hundreds of millions of dollars, probably to fund government priorities, such as its nuclear and missile programs,” the report said.