U.S. Healthcare Organizations are being targeted by North Korean Ransomware

A joint cybersecurity advisory released by U.S. cybersecurity and intelligence agencies has warned about a North Korean government-backed ransomware named Maui that has been targeting the healthcare sector since May 2021.

“North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services – including electronic health records services, diagnostics services, imaging services and intranet services,” the authorities noted.

The alert comes courtesy of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of the Treasury.

According to cybersecurity firm Stairwell, whose findings formed the basis of the advisory, this ransomware family stands out because it lacks several key features commonly associated with ransomware-as-a-service (RaaS) groups.

One absent feature is the “embedded ransom note to provide recovery instructions or automated means of transmitting encryption keys to attackers,” according to security researcher Silas Cutler.

Analysis of Maui shows that the ransomware is designed for manual execution by a remote actor via a command-line interface, and that it targets specific files on the infected machine for encryption.

Maui encrypts each target file with AES-128 using a unique per-file key. Each of these keys is in turn encrypted with RSA, using a key pair generated the first time Maui is executed. As a third layer, the RSA keys are themselves encrypted with a hard-coded RSA public key that is unique to each campaign.

One thing that sets Maui apart from other ransomware offerings is that it’s not offered as a service to other affiliates for use in return for a share of the profits.

The incidents of Maui that have disrupted healthcare institutions are said to have extended for long periods of time, and the initial intrusion vector is not yet known.

Maui campaigns are predicated on the willingness of healthcare entities to pay ransoms to quickly recover from an attack and ensure uninterrupted access to critical services.

According to the State of Ransomware in Healthcare 2022 report by Sophos, 61% of healthcare organizations surveyed opted to settle compared to the global average of 46%. Only 2% paid the ransom in 2021 to get their complete data back.

With that said, the use of a manually operated ransomware family raises the possibility that the operation could be a diversion to act as a cover for other motives.

“Nation state-sponsored ransomware attacks have become typical international acts of aggression,” said Peter Martini, co-founder of iboss. “Unfortunately, North Korea specifically has shown it is very willing to indiscriminately target various industries, including healthcare, to secure untraceable cryptocurrency that is funding its nuclear weapons program.”


Story via The Hacker News
