This article provides an overview of the joint Cybersecurity Advisory (CSA AA22-187A, published 6 July 2022) issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) on Maui ransomware, which North Korean state-sponsored cyber actors have used against Healthcare and Public Health (HPH) Sector organizations.
Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations. In these incidents, North Korean state-sponsored cyber actors used Maui ransomware to encrypt servers responsible for healthcare services, including electronic health records, diagnostics, imaging, and intranet services. In some cases the attacks disrupted the services of the targeted HPH Sector organizations for prolonged periods.
Let’s examine it in more detail.
How is Maui Being Used?
North Korean state-sponsored cyber actors likely target healthcare organizations because they assess that these organizations, which provide services essential to human life and health, are willing to pay to restore operations. The advisory does not identify the initial access vector for these incidents; its recommendations do single out Remote Desktop Protocol (RDP) and similar remote services as needing to be secured and monitored closely wherever they are used. Once inside, the actors use Maui to encrypt the victim's files. Unlike most ransomware families, the publicly analysed Maui sample carries no embedded ransom note and no automated means of sending encryption keys to the attackers, which fits the manual-execution design described in the next section. The following sections describe what Maui ransomware actually is and the measures the joint cybersecurity advisory recommends.
What is Maui Ransomware?
Maui ransomware (maui.exe) is an encryption binary. According to an industry analysis of a Maui sample published in the Stairwell Threat Report: Maui Ransomware, the ransomware appears to be designed for manual execution by a remote actor, who interacts with it through a command-line interface and specifies which files to encrypt.
How Does Maui Function?
Maui encrypts target files using a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption:
- Maui uses AES 128-bit encryption to encrypt target files. Each encrypted file has its own unique AES key, and each file carries a custom header containing the file's original path, which lets Maui recognize files it has already encrypted.
- Maui encrypts each per-file AES key with RSA. It loads the RSA public key (maui.key) and private key (maui.evd) from the same directory it runs from.
- Maui encodes the RSA public key (maui.key) using XOR. The XOR key is generated from hard drive information (\\.\PhysicalDrive0).
- During encryption, Maui creates a temporary file for each file it encrypts using GetTempFileNameW() and uses it to stage the encryption output. After encrypting files, Maui writes maui.log, which contains output from its execution.
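As an added illustration (not code from the advisory, from Stairwell, or from any Maui sample), the Go program below reproduces the key hierarchy described above: a fresh AES-128 key per file, that key wrapped with an RSA public key, a header recording the original path that lets the encryptor recognise already-processed files, and the XOR encoding applied to the public key. The container layout, AES-GCM as the cipher mode, RSA-OAEP as the wrapping scheme, the 2048-bit key size, the magic string, the constructed sample path and record, and all function names are assumptions for this example; the advisory does not document Maui's actual formats.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Marker for this example's container. The advisory does not document Maui's
// real header layout; the field order and sizes below are assumptions.
const magic = "EXAMPLE-HDR\x00"

// newKeyPair stands in for the operator-supplied RSA pair (maui.key / maui.evd).
func newKeyPair() (*rsa.PublicKey, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &priv.PublicKey, priv, nil
}

// encryptFile models the per-file step: a fresh AES-128 key, that key wrapped
// with the RSA public key, and a header recording the original path. Layout:
// magic | u16 pathLen | path | RSA-OAEP(fileKey) | 12-byte nonce | AES-GCM(data).
func encryptFile(pub *rsa.PublicKey, origPath string, plaintext []byte) ([]byte, error) {
	rnd := make([]byte, 16+12) // per-file AES-128 key, then a GCM nonce
	if _, err := io.ReadFull(rand.Reader, rnd); err != nil {
		return nil, err
	}
	fileKey, nonce := rnd[:16], rnd[16:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(fileKey) // 16-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)     // GCM is this example's mode; Maui's is not stated
	n := len(origPath)
	out := append([]byte(magic), byte(n), byte(n>>8))
	out = append(out, origPath...)
	out = append(out, wrapped...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// originalPath parses the header and returns the recorded path and the offset
// of the wrapped key. This check is how an encryptor recognises files it has
// already processed and leaves them alone.
func originalPath(blob []byte) (string, int, error) {
	if len(blob) < len(magic)+2 || string(blob[:len(magic)]) != magic {
		return "", 0, fmt.Errorf("no header: not produced by this scheme")
	}
	n := int(blob[len(magic)]) | int(blob[len(magic)+1])<<8
	start, end := len(magic)+2, len(magic)+2+n
	if end > len(blob) {
		return "", 0, fmt.Errorf("truncated header")
	}
	return string(blob[start:end]), end, nil
}

// decryptFile unwraps the per-file key with the RSA private key. Without it
// (the maui.evd analogue) the per-file AES key, and so the file, is lost.
func decryptFile(priv *rsa.PrivateKey, blob []byte) (string, []byte, error) {
	origPath, off, err := originalPath(blob)
	if err != nil {
		return "", nil, err
	}
	keyEnd := off + priv.Size()
	if len(blob) < keyEnd+12 {
		return "", nil, fmt.Errorf("truncated container")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[off:keyEnd], nil)
	if err != nil {
		return "", nil, fmt.Errorf("cannot unwrap file key (wrong private key?): %w", err)
	}
	block, _ := aes.NewCipher(fileKey)
	gcm, _ := cipher.NewGCM(block)
	pt, err := gcm.Open(nil, blob[keyEnd:keyEnd+12], blob[keyEnd+12:], nil)
	return origPath, pt, err
}

// xorCode is the XOR "encryption" the advisory describes for maui.key. A key
// that anyone can recompute from drive information makes this obfuscation, not
// encryption, and the recovered public key still decrypts nothing.
func xorCode(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ key[i%len(key)]
	}
	return out
}

func main() {
	pub, priv, _ := newKeyPair()
	blob, _ := encryptFile(pub, `C:\EHR\patient-0001.dat`, []byte("constructed sample record"))
	path, pt, err := decryptFile(priv, blob)
	fmt.Println(path, string(pt), err)
	_, _, err = decryptFile(priv, pt) // plaintext has no header: left alone, not decrypted
	fmt.Println(err)
}
```

Two points for responders follow from running it. decryptFile fails with any private key other than the one matching the public key used for encryption, so recovering maui.key (the XOR encoding is reversible by anyone who can reproduce the drive-derived key) yields nothing that decrypts a file, and because every file has its own AES key, recovering one file key does not help with any other file. The header check also shows why a second pass over the same directory does not double-encrypt already-processed files.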
Mitigation Measures for Maui Ransomware
The FBI, CISA, and Treasury have issued mitigation measures for the Healthcare and Public Health (HPH) Sector and other critical infrastructure organizations to prepare for, mitigate/prevent, and respond to ransomware incidents.
- Limit data access: Deploy public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things (IoT) medical devices, and the electronic health record system, and to ensure data is not manipulated in transit by man-in-the-middle attacks.
- Use standard user accounts: On internal systems, use standard user accounts rather than administrative accounts, which grant overarching system privileges and do not ensure least privilege.
- Turn off network device management interfaces: Disable Telnet, SSH, Winbox, and HTTP on wide area network (WAN) interfaces, and secure them with strong passwords and encryption when they must be enabled.
- Secure systems: Secure the collection, storage, and processing practices for PII (Personally Identifiable Information) and PHI (Protected Health Information), per regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Implementing HIPAA security measures can prevent the introduction of malware to the system.
- Use multi-layer network segmentation: Implement and enforce multi-layer network segmentation so that the most critical communications and data rest on the most secure and reliable layer.
- Review internal policies regularly: Create internal policies governing the collection, storage, access, and monitoring of PII/PHI, and review them on a regular basis.
Furthermore, the FBI, CISA, and Treasury recommend that all organizations, including those in the HPH Sector, follow the advice below when preparing for, preventing, and responding to ransomware incidents.
How to Prepare for Ransomware Attacks?
Maintain offline backups of data, and regularly test backup and restoration. These practices safeguard continuity of operations, or at least minimize downtime from a ransomware attack, and protect against data loss.
Ensure all backup data is encrypted, immutable (it cannot be altered or deleted), and covers the organization's entire data infrastructure. Create, maintain, and exercise a basic cyber incident response plan, and make sure the incident response and communications plans include response and notification procedures for data breach incidents.
How to Prevent Ransomware Attacks?
The CSA lists measures that help prevent a ransomware incident in the first place:
- Implement a user training program, including phishing exercises, to educate users about the dangers of visiting suspicious websites, clicking on suspicious links, and downloading suspicious attachments.
- Install updates for operating systems, software, and firmware as soon as they are released.
- Use strong passwords and avoid reusing passwords across multiple accounts.
- Consider adding an email banner to messages coming from outside your organization.
- Disable hyperlinks in received emails.
- Require administrator credentials to install software.
- Install and regularly update antivirus and antimalware software on all hosts.
- Use only secure networks and avoid public Wi-Fi networks; consider installing and using a VPN.
How to Handle Ransomware Incidents
If a ransomware attack hits your organization, you can take the following steps:
- Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. Do this on an isolated, trusted system to avoid exposing the backups to potential compromise.
- Follow the notification requirements outlined in your cyber incident response plan.
- Report incidents to the FBI at a local FBI Field Office, to CISA at us-cert.cisa.gov/report, or to the U.S. Secret Service (USSS) at a USSS Field Office.
Road Ahead: Request for Information
North Korean state-sponsored cyber actors likely assume that healthcare institutions are willing to pay ransoms because these organizations provide services critical to human life and health. The FBI, CISA, and Treasury strongly discourage paying ransoms. Payment does not guarantee that files will be recovered, and it may embolden adversaries to target additional organizations, encourage other criminal actors to engage in distributing ransomware, and fund illicit activities.
Regardless of whether you or your organization decide to pay the ransom, the FBI, CISA, and Treasury urge you to promptly report ransomware incidents to the FBI at a local FBI Field Office. Doing so provides the U.S. government with critical information needed to prevent future attacks by identifying and tracking ransomware actors and holding them accountable under U.S. law.
With attacks growing, every organization should implement the methods, techniques, and processes published in the joint Cybersecurity Advisory (CSA) to keep Maui ransomware from affecting them. The measures listed above serve as a road map for ransomware prevention, detection, and remediation.