CISA Alert AA23-040A – #StopRansomware: ransomware attacks on critical infrastructure fund DPRK malicious cyber activities.

This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Three tack Zero Four Zero Alpha.

Original release date: February Ninth, 2023.

CISA, NSA, FBI, the US Department of Health and Human Services, the Republic of Korea National Intelligence Service, and the Republic of Korea Defense Security Agency are issuing this alert to highlight ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities.

This advisory highlights TTPs and IOCs that DPRK cyber actors use to gain access to and conduct ransomware attacks against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms. This alert is supplementary to previous reports on malicious cyber actor activities involving DPRK ransomware campaigns—including Maui and H0lyGh0st ransomware. The authoring agencies are issuing this advisory to highlight new observed TTPs that DPRK cyber actors use to conduct ransomware attacks.

The authoring agencies assess that revenue from these operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments.

The alert documentation linked in the show notes includes additional technical details, IOCs, malicious actor TTPs, recovery guidance, mitigations, and response recommendations.

The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and benign samples of encrypted files. Regardless of whether you or your organization decide to pay a ransom, the authoring agencies urge you to promptly report ransomware incidents using the contact information in this alert.

To report incidents and anomalous activity or to request incident response resources or technical assistance, contact CISA at report@cisa.gov, call (888) 282-0870, or report incidents to your local FBI field office.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.