North Korean hackers are cybersecurity threat to U.S. health care organizations, feds say

“Maui” ransomware is not about booking a Hawaiian getaway.

The U.S. health care and public health sectors remain choice targets for state-sponsored cyber attackers from North Korea, according to federal investigators.

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of the Treasury published a joint cybersecurity advisory (CSA) to warn health care providers about Maui ransomware, which has been used in multiple incidents since May 2021. The advisory came out of a strong partnership among the agencies, CISA Executive Director for Cybersecurity Eric Goldstein said in a news release.

“As the nation’s cyber defense agency, our team works tirelessly in collaboration with partners to publish timely information that can help organizations prevent and build resilience against all cyber threats,” Goldstein said. “This malicious activity by North Korean state-sponsored cyber actors against the healthcare and public health sector poses a significant risk to organizations of all sizes.”

According to the CSA, Maui ransomware has been used to encrypt servers responsible for health care services such as electronic health records, diagnostics, imaging and internal network services, sometimes disrupting them for long periods. The “initial access vector(s)” for the incidents are unknown, but the federal agencies expect further attacks.

“The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health,” the CSA said. “Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting (health care and public health sector) organizations.”

The federal agencies discourage health systems from paying ransoms, because payment does not guarantee that files and records will be recovered. Instead, health care providers should improve their cybersecurity practices, report ransomware attacks to law enforcement and cooperate with investigations.

Preventing security breaches

The CSA included technical details about Maui encryption and recommendations to bolster cybersecurity for health care organizations:

  • Maintain offline, physically disconnected backups of data, and regularly test backup and restoration. These practices safeguard continuity of operations, or at least minimize downtime from a ransomware incident, and protect against data loss.
  • Ensure all backup data is encrypted, immutable, and covers the entire organization’s data infrastructure.
  • Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident. Organizations should also ensure their incident response and communications plans include response and notification procedures for data breach incidents. Ensure the notification procedures adhere to applicable state laws.
  • Install updates for operating systems, software, and firmware as soon as they are released. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Regularly check for software updates and end-of-life notifications and prioritize patching known exploited vulnerabilities. Consider leveraging a centralized patch management system to automate and expedite the process.
  • If you use remote desktop protocol (RDP), or other potentially risky services, secure and monitor them closely. Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources, and require multifactor authentication (MFA) to mitigate credential theft and reuse. If RDP must be available externally, use a virtual private network (VPN), virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports.
  • Implement a user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
  • Require MFA for as many services as possible — particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
  • Use strong passwords and avoid reusing passwords for multiple accounts.
  • Require administrator credentials to install software.
  • Audit user accounts with administrative or elevated privileges and configure access controls with least privilege in mind.
  • Install and regularly update antivirus and antimalware software on all hosts.
  • Use only secure networks and avoid public Wi-Fi networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages coming from outside your organization.
  • Disable hyperlinks in received emails.
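The RDP recommendation above asks organizations to monitor remote access logs and enforce lockouts after a set number of failed attempts. A lockout policy counts failures per account, so an attacker who spreads guesses across many accounts (a password spray) never trips it; the logs still show the pattern if failures are grouped by source address instead. The script below is an added example, not code from the advisory or the agencies: it reads a constructed JSON-lines export of Windows Security events (field names assumed to mirror the 4625 event's data, such as `LogonType`, `TargetUserName`, `IpAddress`), keeps a sliding window of failed RDP logons (event 4625, logon type 10) per source IP, and alerts when a source exceeds a threshold. The threshold and window are assumptions; set them to match, or tighten, the lockout policy you actually enforce.

```python
"""Flag RDP brute-force and password-spray activity in Windows Security event 4625 records.

Added example for the RDP monitoring recommendation; not part of the advisory.
Input is a constructed JSON-lines export (field names assumed); adjust the keys
to whatever your log collector emits.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Detection thresholds are assumptions for this example.
THRESHOLD = 5                   # failed RDP logons from one source IP ...
WINDOW = timedelta(minutes=10)  # ... within this sliding window
RDP_LOGON_TYPE = "10"           # 4625 LogonType 10 = RemoteInteractive (RDP)

# Constructed sample data (not real events). 10.0.0.7 is a user mistyping a
# password twice and then logging in; 10.0.0.50 sprays one guess across six
# accounts, so no single account reaches a lockout threshold of 5.
SAMPLE_LOG = """\
{"TimeCreated": "2022-07-06T09:00:00", "EventID": 4625, "LogonType": "10", "TargetUserName": "alice", "IpAddress": "10.0.0.7", "Status": "0xC000006D"}
{"TimeCreated": "2022-07-06T09:00:20", "EventID": 4625, "LogonType": "10", "TargetUserName": "alice", "IpAddress": "10.0.0.7", "Status": "0xC000006D"}
{"TimeCreated": "2022-07-06T09:00:45", "EventID": 4624, "LogonType": "10", "TargetUserName": "alice", "IpAddress": "10.0.0.7"}
{"TimeCreated": "2022-07-06T09:05:00", "EventID": 4625, "LogonType": "10", "TargetUserName": "administrator", "IpAddress": "10.0.0.50", "Status": "0xC000006D"}
{"TimeCreated": "2022-07-06T09:05:30", "EventID": 4625, "LogonType": "10", "TargetUserName": "admin", "IpAddress": "10.0.0.50", "Status": "0xC000006D"}
{"TimeCreated": "2022-07-06T09:06:00", "EventID": 4625, "LogonType": "10", "TargetUserName": "backup", "IpAddress": "10.0.0.50", "Status": "0xC000006D"}
{"TimeCreated": "2022-07-06T09:06:30", "EventID": 4625, "LogonType": "10", "TargetUserName": "svc_ehr", "IpAddress": "10.0.0.50", "Status": "0xC000006D"}
{"TimeCreated": "2022-07-06T09:07:00", "EventID": 4625, "LogonType": "2", "TargetUserName": "radiology", "IpAddress": "10.0.0.50", "Status": "0xC000006D"}
{"TimeCreated": "2022-07-06T09:07:30", "EventID": 4625, "LogonType": "10", "TargetUserName": "helpdesk", "IpAddress": "10.0.0.50", "Status": "0xC000006D"}
{"TimeCreated": "2022-07-06T09:08:00", "EventID": 4625, "LogonType": "10", "TargetUserName": "imaging", "IpAddress": "10.0.0.50", "Status": "0xC000006D"}
"""


def parse_events(text):
    """Parse JSON-lines into dicts with a datetime 'ts' key, ordered oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Group failed RDP logons (4625, LogonType 10) by source IP over a sliding window.

    Returns {ip: {"count", "accounts", "last_seen"}} for each source that reached
    `threshold` failures inside `window`. Grouping by source rather than by
    account is what surfaces password spraying, which stays below a per-account
    lockout threshold by rotating usernames.
    """
    recent = defaultdict(deque)  # ip -> deque of (ts, user) still inside the window
    alerts = {}
    for ev in events:
        if ev.get("EventID") != 4625 or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue  # only failed logons, only RDP; console failures (type 2) are ignored
        ip = ev.get("IpAddress", "-")
        q = recent[ip]
        q.append((ev["ts"], ev.get("TargetUserName", "?")))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            alerts[ip] = {
                "count": len(q),
                "accounts": sorted({user for _, user in q}),
                "last_seen": ev["ts"].isoformat(),
            }
    return alerts


def max_failures_per_account(events):
    """Largest number of failed RDP logons any single account received.

    If this is below the lockout threshold, lockouts alone would not have
    interrupted the activity, which is the case for a spray.
    """
    per_account = defaultdict(int)
    for ev in events:
        if ev.get("EventID") == 4625 and ev.get("LogonType") == RDP_LOGON_TYPE:
            per_account[ev.get("TargetUserName", "?")] += 1
    return max(per_account.values(), default=0)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ip, info in detect_rdp_bruteforce(evs).items():
        print(f"ALERT {ip}: {info['count']} failed RDP logons in window; "
              f"accounts tried: {', '.join(info['accounts'])}")
    print("max failures against any single account:", max_failures_per_account(evs))
```

Run against the sample, the spraying host 10.0.0.50 is reported with six failed RDP logons across six accounts, while no single account saw more than two failures, so a lockout threshold of five would never have fired. The same per-source grouping is what an account lockout policy lacks, which is why the advisory pairs lockouts with log monitoring rather than relying on either alone. Pointing the script at a real export only requires matching the key names to your collector's output.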

CISA offers free resources online to improve cybersecurity for health care organizations.