CISA Alert AA22-187A – North Korean state-sponsored cyber actors use Maui ransomware to target the healthcare and public health sector.

This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack One Eight Seven Alpha.

​​Original release date: July Sixth, twenty twenty two.

The FBI, CISA, and the Department of the Treasury are releasing this joint Cybersecurity Advisory to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health Sector organizations.

Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at Healthcare and Public Health Sector organizations. North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services. The initial access vectors for these incidents is unknown.

According to industry analysis of a sample of Maui malware, the ransomware appears to be designed for manual execution by a remote actor. The remote actor uses the command-line interface to interact with the malware and to identify target files.

The alert documentation linked in the show notes includes tactics, techniques, and procedures and indicators of compromise for this malicious activity. The FBI, CISA, and Treasury urge Healthcare and Public Health Sector organizations as well as other critical infrastructure organizations to apply the recommendations in the Mitigations section of this alert to reduce the likelihood of compromise from ransomware operations.

The FBI, CISA, and Treasury highly discourage paying these ransoms. Doing so does not guarantee files will be recovered and may pose sanctions violations and risks. In September 2021, Treasury issued an updated advisory highlighting the sanctions risks associated with ransomware payments and the proactive steps companies can take to mitigate such risks. This report is linked in the show notes.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.