A recent Cybersecurity Advisory (CSA) TLP:WHITE alert notifies that Maui ransomware has been used by North Korean state-sponsored cybercriminals to target the Healthcare and Public Health (HPH) sectors.
Healthcare services and HPH Sector organizations are likely to continue being targeted by attackers.
“Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations. North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services,” per the joint Cybersecurity Advisory alert released by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) on July 06 2022. The services offered by the firms in the targeted HPH Sector were occasionally affected by these occurrences for extended periods of time.
The FBI, CISA, and Treasury predict that North Korean state-sponsored actors will continue to target firms in the HPH Sector. Because these businesses offer services that are essential to human life and health, North Korean cyber hackers probably believe that healthcare institutions will be prepared to pay ransoms.
What is Maui Ransomware?
The CSA informs that “Maui ransomware (maui.exe) is an encryption binary. According to industry analysis of a sample of Maui (SHA256: 5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e) provided in Stairwell Threat Report: Maui Ransomware—the ransomware appears to be designed for manual execution [TA0002] by a remote actor. The remote actor uses command-line interface [T1059.008] to interact with the malware and to identify files to encrypt.”
Moreover, “Maui uses a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption to encrypt [T1486] target files:
- Maui encrypts target files with AES 128-bit encryption. Each encrypted file has a unique AES key, and each file contains a custom header with the file’s original path, allowing Maui to identify previously encrypted files. The header also contains encrypted copies of the AES key.
- Maui encrypts each AES key with RSA encryption.
- Maui loads the RSA public (maui.key) and private (maui.evd) keys in the same directory as itself.
- Maui encodes the RSA public key (maui.key) using XOR encryption. The XOR key is generated from hard drive information (\\.\PhysicalDrive0).
During encryption, Maui creates a temporary file for each file it encrypts using GetTempFileNameW(). Maui uses the temporary to stage output from encryption. After encrypting files, Maui creates maui.log, which contains output from Maui execution. Actors likely exfiltrate [TA0010] maui.log and decrypt the file using associated decryption tools.”
Mitigation Recommendations.
The CSA shares actions that entities can take: “The FBI, CISA, and Treasury urge HPH Sector organizations to:
- Limit access to data by deploying public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things (IoT) medical devices, and the electronic health record system, as well as to ensure data packages are not manipulated while in transit from man-in-the-middle attacks.
- Use standard user accounts on internal systems instead of administrative accounts, which allow for overarching administrative system privileges and do not ensure least privilege.
- Turn off network device management interfaces such as Telnet, SSH, Winbox, and HTTP for wide area networks (WANs) and secure with strong passwords and encryption when enabled.
- Secure personal identifiable information (PII)/patient health information (PHI) at collection points and encrypt the data at rest and in transit by using technologies such as Transport Layer Security (TPS). Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available if data is ever compromised.
- Protect stored data by masking the permanent account number (PAN) when it is displayed and rendering it unreadable when it is stored—through cryptography, for example.
- Secure the collection, storage, and processing practices for PII and PHI, per regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Implementing HIPAA security measures can prevent the introduction of malware on the system.
- Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer.
- Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.
- Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI.”
To prepare for ransomware, the CSA suggests:
- Maintaining offline backups of data and regularly testing backups and restoration processes.
- Ensuring all backup data is encrypted and immutable.
- Creating, maintaining, and exercising a cyber incident response plan and associated communications plan that includes response and notification procedures for incidents related to ransomware.
The CSA also recommends limiting access to resources via internal networks, updating operating systems, software, and firmware, and monitoring remote desk protocol as mitigation and response strategies for ransomware.
Organizations can also refer to a Ransomware Response Checklist in the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide which can help them mitigate a ransomware attack, the CISA’s Ransomware Readiness Assessment to better assess how well they are equipped to defend and recover from a ransomware incident, as well as, visit StopRansomware.gov to get additional information and resources on protecting against and responding to ransomware.