"North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services," the authorities noted. These servers included those responsible for electronic health records services, diagnostics services, imaging services, and intranet services.
The Cybersecurity and Infrastructure Security Agency (CISA) of the United States, along with the Federal Bureau of Investigation (FBI), and the Department of the Treasury have issued a warning regarding the incident.
According to the cybersecurity firm Stairwell, whose findings formed the basis for the advisory, the less well-known ransomware family stands out for lacking several features that are typically found in ransomware-as-a-service (RaaS) offerings.
In a technical overview of the ransomware, security researcher Silas Cutler notes that these omissions include the absence of an "embedded ransom note to provide recovery instructions or automated means of transmitting encryption keys to attackers."
An examination of samples of the Maui ransomware reveals that it is likely designed for manual execution by a remote actor through a command-line interface. This remote actor would then use the malware to encrypt particular files located on the machine that was compromised.
Each target file is encrypted with 128-bit AES under its own key. Each of those per-file keys is, in turn, encrypted with RSA using a key pair that is generated the first time Maui is executed, so that the target files can later be decrypted. Those RSA keys are themselves encrypted with a hard-coded RSA public key that is specific to each campaign, which adds a further layer of protection to the key chain.
What also sets Maui apart from traditional ransomware offerings is that it is not offered as a service to affiliates in exchange for a share of the proceeds.
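The three-layer key chain described above is easiest to reason about in code. The following Go program is an added illustration written for this page; it is not Maui's code and not Stairwell's analysis, and it never touches the filesystem. The type and function names (`Envelope`, `encryptRecord`, `recoverRecord`), the AES mode (GCM), the 2048-bit RSA sizes, OAEP padding and the hybrid wrap of the per-run private key are all assumptions, since the page names only AES-128, RSA and a hard-coded campaign public key. What it demonstrates for a defender is why the advisory's emphasis on offline backups matters: every layer is keyed by the one above it, and the top of the chain is the campaign private key, which never exists on the victim host, so nothing recovered from the compromised machine (the generated run key pair, per-file keys, the encrypted records) can be opened on its own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Envelope is what one encrypted record leaves behind; each layer is keyed by the one above it.
type Envelope struct {
	WrappedRunKEK  []byte // per-run AES key, wrapped with the hard-coded campaign RSA public key
	SealedRunPriv  []byte // per-run RSA private key (PKCS#1 DER), sealed under the run KEK
	WrappedFileKey []byte // per-file AES-128 key, wrapped with the per-run RSA public key
	SealedData     []byte // the record itself, sealed under the per-file key
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aesSeal: AES-128-GCM, nonce prepended (the page names AES-128 but no mode; GCM is assumed here).
func aesSeal(key, pt []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pt, nil), nil
}

// aesOpen reverses aesSeal and fails on a wrong key or any tampering.
func aesOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated blob: %v", err)
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// encryptRecord models one execution: fresh run RSA key pair, fresh per-file key, and only the
// campaign *public* key in hand. A 2048-bit private key exceeds one RSA-OAEP block, so it is
// sealed under a run KEK that the campaign key wraps (a hybrid step assumed by this example).
func encryptRecord(campaignPub *rsa.PublicKey, record []byte) (*Envelope, error) {
	runPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	keys := make([]byte, 32) // per-file key || run KEK, both AES-128
	if _, err := rand.Read(keys); err != nil {
		return nil, err
	}
	fileKey, runKEK := keys[:16], keys[16:]
	env := &Envelope{}
	if env.SealedData, err = aesSeal(fileKey, record); err != nil {
		return nil, err
	}
	if env.WrappedFileKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, &runPriv.PublicKey, fileKey, nil); err != nil {
		return nil, err
	}
	if env.SealedRunPriv, err = aesSeal(runKEK, x509.MarshalPKCS1PrivateKey(runPriv)); err != nil {
		return nil, err
	}
	if env.WrappedRunKEK, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, campaignPub, runKEK, nil); err != nil {
		return nil, err
	}
	return env, nil
}

// recoverRecord walks the chain back down; without the campaign private key the first step fails.
func recoverRecord(campaignPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	runKEK, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, campaignPriv, env.WrappedRunKEK, nil)
	if err != nil {
		return nil, fmt.Errorf("campaign private key does not open this envelope: %w", err)
	}
	der, err := aesOpen(runKEK, env.SealedRunPriv)
	if err != nil {
		return nil, err
	}
	runPriv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, err
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, runPriv, env.WrappedFileKey, nil)
	if err != nil {
		return nil, err
	}
	return aesOpen(fileKey, env.SealedData)
}

func main() {
	campaign, _ := rsa.GenerateKey(rand.Reader, 2048) // stays with the operator
	env, _ := encryptRecord(&campaign.PublicKey, []byte("constructed sample record"))
	got, err := recoverRecord(campaign, env)
	fmt.Printf("recovered %q (err=%v)\n", got, err)
}
```

Running `recoverRecord` with any key other than the campaign private key fails at the very first unwrap, which is the practical reason a victim's own forensic artifacts do not help and why an attacker with only one campaign's private key cannot decrypt another campaign's envelopes.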
Ransomware attacks have, on occasion, disrupted health services for extended periods. The initial infection vector used in these intrusions is not yet known.
It is important to point out that the success of the campaign is dependent on healthcare organizations being willing to pay ransoms in order to rapidly recover from an attack and maintain uninterrupted access to essential services. It is the most recent indication of how North Korean adversaries are adapting their strategies in order to illegally generate a constant stream of revenue for the nation, which is struggling to keep up with its financial obligations.
According to the report "The State of Ransomware in Healthcare 2022" by Sophos, 61 percent of healthcare organizations that were surveyed decided to settle, which is higher than the global average of 46 percent. However, only 2 percent of those who paid the ransom in 2021 were successful in regaining access to all of their data.
In spite of this, the use of a manually operated ransomware family by an advanced persistent threat (APT) group raises the possibility that the operation could be a diversionary tactic designed to act as a cover for other malicious motives. This was most recently seen in the case of Bronze Starlight.
Peter Martini, co-founder of iboss, said in a statement: "Nation state-sponsored ransomware attacks have become typical international acts of aggression. Unfortunately, North Korea has shown that it is very willing to target various industries without discrimination, including the healthcare industry, in order to secure untraceable cryptocurrency that is funding its nuclear weapons program."