CyberWire Daily - CISA Alert AA22-187A – North Korean state-sponsored cyber actors use Maui ransomware to target the healthcare and public health sector. [CISA Cybersecurity Alerts]
Episode Date: July 6, 2022
The FBI, CISA, and the Department of the Treasury are releasing this joint Cybersecurity Advisory to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health Sector organizations.
AA22-187A Alert, Technical Details, and Mitigations
Stairwell Threat Report: Maui Ransomware
North Korea Cyber Threat Overview and Advisories
Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments
National Conference of State Legislatures: Security Breach Notification Laws
Health Breach Notification Rule
Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches
StopRansomware.gov
CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide
All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Transcript
You're listening to the Cyber Wire Network, powered 6th, 2022.
The FBI, CISA, and the Department of the Treasury are releasing this joint cybersecurity advisory to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target healthcare and public health sector organizations. Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at healthcare
and public health sector organizations.
North Korean state-sponsored cyber actors used Maui ransomware in these incidents to
encrypt servers responsible for healthcare services, including electronic health records
services, diagnostics services, imaging services, and intranet services.
The initial access vectors for these incidents are unknown.
According to industry analysis of a sample of Maui malware,
the ransomware appears to be designed for manual execution by a remote actor.
The remote actor uses the command line interface to interact with the malware and to identify target files.
The alert documentation linked in the show notes includes tactics, techniques, and procedures and indicators of compromise for this malicious activity. The FBI, CISA, and Treasury urge
healthcare and public health sector organizations, as well as other critical infrastructure
organizations, to apply the recommendations in the mitigations section of this alert to reduce
the likelihood of compromise from ransomware operations.
The FBI, CISA, and Treasury highly discourage paying these ransoms.
Doing so does not guarantee files will be recovered
and may pose sanctions violations and risks.
In September 2021, Treasury issued an updated advisory
highlighting the sanctions risks associated with ransomware payments
and the proactive steps companies can take to mitigate such risks. This report is linked
in the show notes. All organizations should report incidents and anomalous activity to CISA's 24/7
Operations Center at central@cisa.dhs.gov or 888-282-0870 and to the FBI via your local FBI field office or the FBI's 24/7
CyWatch at 855-292-3937 or CyWatch@fbi.gov. This report was written by CISA, the United States
Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the Cyber Wire
as a public service. Please visit www.cisa.gov to read the full report, which may include additional details,
links, and illustrations. A link to this report can be found in the show notes.
This has been a CISA Cybersecurity Alert.