The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of the Treasury (Treasury) today released a joint Cybersecurity Advisory (CSA) that provides information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.
The CSA titled, “North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector,” provides technical details and indicators of compromise (IOC) observed during multiple FBI incident response activities over a period of more than a year and obtained from industry analysis of Maui samples. North Korean state-sponsored actors were observed using Maui ransomware to encrypt HPH servers responsible for providing healthcare services. In some cases, the malicious activity disrupted the services provided by the victim for prolonged periods.
“As the nation’s cyber defense agency, our team works tirelessly in collaboration with partners to publish timely information that can help organizations prevent and build resilience against all cyber threats,” said CISA’s Executive Assistant Director for Cybersecurity, Eric Goldstein. “Today’s advisory comes out of our strong partnership with the FBI and Treasury. This malicious activity by North Korean state-sponsored cyber actors against the healthcare and public health sector poses a significant risk to organizations of all sizes.”
“The FBI, along with our federal partners, remains vigilant in the fight against North Korea’s malicious cyber threats to our healthcare sector,” said FBI Cyber Division Assistant Director Bryan Vorndran. “We are committed to sharing information and mitigation tactics with our private sector partners to assist them in shoring up their defenses and protecting their systems.”
“Ransomware victimizes people and businesses, large and small, across America. Treasury has worked closely with CISA and FBI to counter ransomware and protect financial sector critical infrastructure,” said Rahul Prabhakar, Treasury Deputy Assistant Secretary for Cybersecurity and Critical Infrastructure Protection. “This joint advisory on Maui ransomware provides guidance that organizations of all sizes across the country can use to help defend themselves. We will continue to work closely with our partners to push out actionable information on ransomware and other malicious activity as quickly as possible to help individuals and businesses guard against ever-evolving cyber threats.”
The HPH Sector, as well as other critical infrastructure organizations, are urged to review this joint CSA and apply the recommended mitigations to reduce the likelihood of compromise from ransomware operations. The FBI, CISA, and Treasury assess that North Korean state-sponsored actors are likely to continue targeting HPH Sector organizations, because of the assumption that these organizations are willing to pay ransoms to avoid disruption of the critical life and health services they provide. For more information on state-sponsored North Korean malicious cyber activity, see CISA’s North Korea Cyber Threat Overview and Advisories webpage.
The FBI, CISA, and Treasury strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks. In September 2021, Treasury issued an advisory highlighting the sanctions risk associated with ransomware payments and providing steps that can be taken by companies to mitigate the risk of being a victim of ransomware.
All organizations should share information on cybersecurity incidents and anomalous activity to CISA 24/7 Operations Center at firstname.lastname@example.org or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.