North Korean state-sponsored cyber actors have been targeting hospitals and health care facilities in the United States with ransomware since May 2021, according to U.S. intelligence agencies.
The agencies suspect that hackers deployed Maui ransomware to encrypt servers responsible for health care services—including health records, medical imaging, and intranet systems—and demand ransom from the victims.
“The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health,” the advisory reads.
“Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting [health care and public health] sector organizations.”
The advisory states that in some incidents reported to the agencies, Maui ransomware disrupted health care services for “prolonged periods.” It adds that the initial access vector for these incidents is unknown.
The agencies warned that paying a ransom does not ensure the recovery of files. Rather, it emboldens adversaries to target more organizations, encourages other criminal actors to distribute ransomware, and funds illicit activities.
According to the advisory, Maui ransomware is operated manually by a remote actor using a “command-line interface” to interact with the malware and to identify files to encrypt.
“North Korea has conducted cyber theft against financial institutions and cryptocurrency exchanges worldwide, potentially stealing hundreds of millions of dollars, probably to fund government priorities, such as its nuclear and missile programs,” the report said.