Screenshot (source: CISA website)
The advisory reports that the ransomware encrypted servers at the victim healthcare institutions, including those responsible for electronic health records, medical imaging and the entire intranet.
The advisory report states:
According to an FBI assessment, North Korean-backed cyber actors have deployed Maui ransomware against organizations in the healthcare and public health sector.
The actors are believed to assume that healthcare organizations will pay the ransom, since these organizations provide services vital to human life and health. On that basis, the FBI, CISA and the Treasury Department assess that North Korean-backed actors are likely to continue attacking healthcare organizations.
The advisory also notes that in several incidents the FBI observed and responded to, Maui ransomware attacks caused prolonged disruption of the victims' healthcare services.
Maui first came to light in early April 2022, when threat-hunting startup Stairwell began analyzing it and working to help organizations determine whether they had been compromised.
During the analysis, Stairwell Principal Reverse Engineer Silas Cutler noted that many of the tooling capabilities commonly found in ransomware-as-a-service (RaaS) offerings are missing from Maui.
This anomaly led them to conclude that Maui is likely deployed manually on a victim's network, with the remote operator choosing which specific files to encrypt.
Similar reports have surfaced many times before. John Hultquist, vice president of Mandiant Intelligence, said in an email that the situation is familiar to his team.
Ransomware attacks targeting the healthcare sector have also taken an interesting turn since the COVID-19 pandemic.
These malicious actors may initially have breached organizations for cyber espionage, but it has recently been observed that they have shifted their focus to other targets, including traditional diplomatic and military organizations.
Even so, healthcare organizations remain highly vulnerable to this type of extortion because of the consequences of business disruption.
Finally, the joint CISA advisory lists relevant indicators of compromise (IOCs), tactics, techniques and procedures (TTPs) and other information to help organizations implement effective network security protections.
Examples include restricting access to data, turning off network device management interfaces, and using monitoring tools to detect whether IoT devices have been compromised.