Since May of 2021, state-sponsored attackers have been deploying Maui ransomware in an attempt to encrypt sensitive records and disrupt services for vulnerable healthcare organizations.
The U.S. government is warning healthcare companies to watch for and protect themselves against ongoing ransomware attacks from cybercriminals sponsored by North Korea. In a joint advisory posted Wednesday, the FBI, Cybersecurity and Infrastructure Security Agency, and Department of the Treasury cautioned that these state-sponsored attackers have been using Maui ransomware to target hospitals, laboratories and other public and private healthcare organizations.
The North Korean state-sponsored cybercriminals are deploying Maui to encrypt servers and data for critical healthcare services, such as electronic health records, diagnostics, imaging and intranet. With hospitals and healthcare providers sometimes lacking in proper security protection, these attacks can disrupt important medical services for long periods of time.
Why North Korea is targeting healthcare
Cyberattacks by hostile nation-states are typically carried out for political or military reasons, as they’re designed to impact critical infrastructure and defenses. Ransomware attacks, however, are profit driven. Why would state-sponsored attackers turn to ransomware as a tactic?
“Nation state-sponsored ransomware attacks have become typical international acts of aggression, particularly among North Korean, Chinese and Russian hacking groups,” said Peter Martini, co-founder of security provider iboss. “Unfortunately, North Korea specifically has shown it is very willing to indiscriminately target various industries, including healthcare, to secure untraceable cryptocurrency that is funding its nuclear weapons program.”
The healthcare sector is particularly vulnerable to ransomware. Such organizations don’t always devote sufficient time or resources to cybersecurity. Hospitals and similar businesses also hold sensitive medical and health data ripe for exploitation. And such facilities can’t afford to be out of commission for too long, increasing the likelihood that they’ll pay the ransom just to get their operations up and running again.
“They’re hitting these organizations because they are juicy victims, and they will not show mercy to the healthcare industry,” said Adam Flatley, director of threat intelligence for security firm Redacted. “Ransomware actors do not care who they hurt in the process of extorting healthcare organizations for money. They destroy lives, businesses, and in the case of hospitals, put human lives at risk with absolutely no pang of conscience. These groups are targeting healthcare organizations on purpose because they know the emotional impact of doing so will help them force the extortion payments.”
Though these North Korean-sponsored ransomware incidents against healthcare organizations have been going on for a year, they’ve jumped dramatically and have become more sophisticated since then, according to Martini. Such countries as North Korea and Russia also have much to gain by disrupting the ability of the U.S. to provide healthcare, especially during a pandemic.
How to defend against these attacks
To assist healthcare organizations who need to defend themselves against these types of ransomware attacks, the advisory offers several recommendations.
Limit access to sensitive data
Control access to critical data by using public key infrastructure and digital certificates. These tools can authenticate connections with the network, Internet of Things medical devices and the electronic health record system. They also prevent man-in-the-middle attacks from compromising the data while it’s in transit.
Decrease your use of admin accounts
To access your internal systems, use standard user accounts rather than administrative accounts. Admin accounts can be used to compromise an entire network or domain, making them tempting targets for attackers.
Disable vulnerable network protocols
Turn off network device management interfaces such as Telnet, SSH, Winbox and HTTP for wide area networks. Make sure network access is secured with strong passwords and encryption.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Protect patient information
Secure all personal identifiable information and protected health information at all collection points. Make sure you encrypt the data both at rest and in transit by using such protocols as Transport Layer Security. Store personal patient data only on internal systems guarded by firewalls and make sure complete backups are available if the information is ever compromised.
Secure stored data
Protect stored data by masking the permanent account number when it’s displayed. This ensures that the information is unreadable when being stored.
Follow HIPAA regulations
Make sure you properly secure, store and process PII and PHI per HIPAA regulations. Following these regulations can help protect your systems from malware.
Segment and monitor your network
Enforce multi-layer network segmentation and ensure that the most critical data is stored on the most secure and reliable layer. Use monitoring tools to determine if your IoT devices aren’t operating correctly, possibly due to a compromise.
Review your security policies
Regular review your internal policies that regulate the storage and access of PII and PHI.
Organizations should also move to the Zero Trust cybersecurity model being adopted by the U.S. and other countries, advises Martini. Specifically, focus on the Zero Trust Architecture defined by NIST in its 800-207 publication.
“The Zero Trust model makes it so that all critical applications and data are completely inaccessible by attackers and only accessible by employees, in essence making the resources completely private,” Martini said. “The goal of Zero Trust, according to the NIST 800-207, is to solve the crux of the issue, which is to prevent unauthorized access to data and services. These types of attacks are unsuccessful if North Korea cannot gain access to the resources to begin with.”