CyberWire Daily - CISA Alert AA23-040A – #StopRansomware: ransomware attacks on critical infrastructure fund DPRK malicious cyber activities. [CISA Cybersecurity Alerts]
Episode Date: February 10, 2023CISA, NSA, FBI, the US Department of Health and Human Services, the Republic of Korea National Intelligence Service, and the Republic of Korea Defense Security Agency are issuing this alert to highlig...ht ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities. AA23-040A Alert, Technical Details, and Mitigations CISA’s North Korea Cyber Threat Overview and Advisories webpage. Stairwell provided a YARA rule to identify Maui ransomware, and a Proof of Concept public RSA key extractor at the following link: https://www.stairwell.com/news/threat-research-report-maui-ransomware/ See Stopransomware.gov, a whole-of-government approach, for ransomware resources and alerts. No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. Original release date, February 9, 2023.
CISA, NSA, FBI, the U.S. Department of Health and Human Services,
the Republic of Korea National Intelligence Service,
and the Republic of Korea Defense Security Agency are issuing this alert to highlight ongoing ransomware activity
against healthcare and public health sector organizations
and other critical infrastructure sector entities.
This advisory highlights TTPs and IOCs that DPRK cyber actors use to gain access to and conduct ransomware attacks against healthcare and public health sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors' use of cryptocurrency to demand ransoms.
as well as DPRK cyber actors' use of cryptocurrency to demand ransoms.
This alert is supplementary to previous reports on malicious cyber activities involving DPRK ransomware campaigns,
including Maui and Holy Ghost ransomware.
The authoring agencies are issuing this advisory to highlight new observed TTPs that DPRK cyber actors use to conduct ransomware attacks.
The authoring agencies assess that revenue from
these operations supports DPRK national-level priorities and objectives, including cyber
operations targeting the United States and South Korea governments. The alert documentation linked
in the show notes includes additional technical details, IOCs, malicious actor TTPs, recovery guidance, mitigations, and response recommendations.
The FBI is seeking any information that can be shared, to include boundary logs showing
communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor
file, and benign samples of encrypted files.
Regardless of whether you or your organization
decide to pay a ransom,
the authoring agencies urge you
to promptly report ransomware incidents
using the contact information in this alert.
To report incidents and anomalous activity
or to request incident response resources
or technical assistance,
contact CISA at report at cisa.gov,
call 282-0870, or report incidents to your local FBI field office.
This report was written by Sysa, the United States Cybersecurity and Infrastructure Security Agency,
and edited and adapted for audio by the Cyber Wire as a public service.
Please visit www.sysa.gov to read the full report, which may include additional details, links, and illustrations.
A link to this report can be found in the show notes.
This has been a CISA Cybersecurity Alert.