View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
July 6, 2022updated 20 Jul 2022 1:50pm

North Korean hackers target healthcare sector with Maui ransomware, FBI warns

Healthcare providers are under threat from an unusual strain of malware identified by US security agencies.

By Claudia Glover

North Korean state-sponsored hackers are using Maui ransomware to target the healthcare companies and public health institutions, the FBI and other US law enforcement agencies have warned. Because of their success so far, the joint advisory states that the attacks are expected to ramp up in the coming days. 

The FBI, CISA and NSA believe healthcare organisations are under threat. (Photo by domoyega at Getty Images)

The North Korean state-sponsored hackers are using the Maui ransomware to encrypt servers used by healthcare services. They are targeting information including electronic health records, diagnostic services and imaging services.

The advisory from the FBI, US cybersecurity agency CISA and the National Security Agency does not specify which organisations have been hit by the ransomware, but says that attacks have been ongoing since May 2021, and some of the criminals have been in the infected systems for months at a time.

What is Maui ransomware?

Maui is a relatively unknown ransomware strain which has emerged in the last year. It differs from many common ransomware families, according to a report from security company Stairwell Research, in that it lacks several key features usually found in malware, such as the means to embed a ransom note to provide recovery instructions, or an automated way of transmitting encryption keys to attackers.

Instead, Stairwell’s researchers believe that Maui is manually executed. “Operators will specify which files to encrypt when executing it and then exfiltrate the resulting runtime artefacts,” the report says. Though many aspects of the group are unknown, some of its techniques, such as its manner of encryption, are similar to cyber gangs Conti and SheOne, the report says.

How to stop Maui ransomware

The joint advisory says the preferred attack vector for the criminals is unknown, and advises organisations to bolster security and standardise user privileges to systems in a bid to keep the ransomware out of their systems.

David Mahdi, chief strategy officer and CISO advisor at cyber company Sectigo, says having a handle on which users have which privileges is vital to combating Maui and similar malware. “A zero-trust, identity-first approach is critical,” Mahdi says. “To prevent ransomware, you can’t just lock down data, you need a clear method of verifying all identities within an organisation, whether human or machine, and what parts of it they are allowed to access.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

“Focusing on identity and access privileges drastically mitigates the damage that ransomware attacks can have on the healthcare industry in the long run.”

Read more: North Korean APT Lazarus targets IT vendor in supply chain attack

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.