North Korean hackers are attacking US healthcare organizations with ransomware: FBI says cyberthieves assume groups will pay to regain access to their servers
- The attack on healthcare organizations was first observed in May 2021
- North Korean-based hackers are leaving a ransom note telling organizations to pay them to regain access to servers
- Officials are discouraging paying ransoms because it does not guarantee files and records will be recovered
The US government warned North Korea-based hackers are attacking healthcare organizations with ransomware.
The Federal Bureau of Investigation (FBI) said Wednesday it first observed Maui ransomware on servers, which contain medical records, imaging and intranet services, in May 2021.
The advisory note, which is also from the Cybersecurity and Infrastructure Security Agency (CISA) and US Treasury Department, states that the ransomware has caused outages and disruptions of healthcare services for ‘prolonged periods.’
It is unclear how the hackers are infecting the servers, but the cyberthieves ‘likely assume healthcare organizations are willing to pay ransoms because these organization provide serves that are critical to human life and health.’
The FBI, CISA and Treasury highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.
The Federal Bureau of Investigation (FBI) said Wednesday it has observed Maui ransomware on servers, which contain medical records, imaging and intranet services
North Korea is known for ransoming data to steal cryptocurrency – hackers in the country stole almost $400 million worth in 2021 and a separate group took more than $600 million this past April.
FBI Cyber Division Assistant Director Bryan Vorndran said in a statement: ‘The FBI, along with our federal partners, remains vigilant in the fight against North Korea’s malicious cyber threats to our healthcare sector.
‘We are committed to sharing information and mitigation tactics with our private sector partners to assist them in shoring up their defenses and protecting their systems.’
Rahul Prabhakar, Treasury Deputy Assistant Secretary for Cybersecurity and Critical Infrastructure Protection, said in a statement: ‘Ransomware victimizes people and businesses, large and small, across America. Treasury has worked closely with CISA and FBI to counter ransomware and protect financial sector critical infrastructure.
The FBI, CISA, and Treasury highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks
‘This joint advisory on Maui ransomware provides guidance that organizations of all sizes across the country can use to help defend themselves.
‘We will continue to work closely with our partners to push out actionable information on ransomware and other malicious activity as quickly as possible to help individuals and businesses guard against ever-evolving cyber threats.’
North Korean hackers may have also be involved with an attack on June 23 that stole as much as $100 million in cryptocurrency from Horizon Bridge, a service operated by the Harmony blockchain that allows assets to be transferred to other blockchains.
Although it has not been confirmed, the FBI says the style of attack and high velocity of structured payments to a mixer – used to obscure the origin of funds – is similar to previous attacks that were attributed to North Korea-linked actors, Chainalysis, a blockchain firm working with Harmony to investigate the attack.
There are strong indications that North Korea´s Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds, another firm, Elliptic, said on June 29 in a report,
‘The thief is attempting to break the transaction trail back to the original theft,’ the report said. ‘This makes it easier to cash out the funds at an exchange.’
If confirmed, the attack would be the eighth exploit this year – totaling $1 billion in stolen funds – that could be attributed to North Korea with confidence, accounting for 60% of total funds stolen in 2022, Chainalysis said.
North Korea’s ability to cash in on its stolen assets may have been complicated by the recent drop in cryptocurrency values, experts and South Korean officials told Reuters, possibly threatening a key source of funding for the sanctions-strapped country.