North Korean state-sponsored hackers are using Maui ransomware to target healthcare companies and public health institutions, the FBI and other US law enforcement agencies have warned. Because of the attackers' success so far, the joint advisory states that the attacks are expected to ramp up in the coming days.

The FBI, CISA and NSA believe healthcare organisations are under threat. (Photo by domoyega at Getty Images)

The North Korean state-sponsored hackers are using the Maui ransomware to encrypt servers used by healthcare services. They are targeting information including electronic health records, diagnostic services and imaging services.

The advisory from the FBI, US cybersecurity agency CISA and the National Security Agency does not specify which organisations have been hit by the ransomware, but says that attacks have been ongoing since May 2021, and some of the criminals have been in the infected systems for months at a time.

What is Maui ransomware?

Maui is a relatively unknown ransomware strain which has emerged in the last year. It differs from many common ransomware families, according to a report from security company Stairwell Research, in that it lacks several key features usually found in malware, such as the means to embed a ransom note to provide recovery instructions, or an automated way of transmitting encryption keys to attackers.

Instead, Stairwell’s researchers believe that Maui is manually executed. “Operators will specify which files to encrypt when executing it and then exfiltrate the resulting runtime artefacts,” the report says. Though many aspects of the group are unknown, some of its techniques, such as its manner of encryption, are similar to cyber gangs Conti and SheOne, the report says.

How to stop Maui ransomware

The joint advisory says the preferred attack vector for the criminals is unknown, and advises organisations to bolster security and standardise user privileges to systems in a bid to keep the ransomware out of their systems.

David Mahdi, chief strategy officer and CISO advisor at cyber company Sectigo, says having a handle on which users have which privileges is vital to combating Maui and similar malware. “A zero-trust, identity-first approach is critical,” Mahdi says. “To prevent ransomware, you can’t just lock down data, you need a clear method of verifying all identities within an organisation, whether human or machine, and what parts of it they are allowed to access.

“Focusing on identity and access privileges drastically mitigates the damage that ransomware attacks can have on the healthcare industry in the long run.”
