As anyone who works in cybersecurity will already know, North Korea has made a big investment in its cyberattack capability, with ransomware a feared specialty.
For that reason, a warning last week from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) regarding Maui ransomware attacks on the U.S. healthcare sector will have filled professionals with a sense of weariness.
According to the agencies, Maui has been attacking healthcare organizations since May 2021, most likely because its operators see them as being sensitive to data theft and service disruption—and therefore more likely to pay ransoms.
As with other North Korean attacks, Maui has some unusual characteristics that might throw victims off balance, notes a separate recent report by security company Stairwell.
For example, unlike the vast bulk of commercial ransomware, it doesn’t embed a ransom note. Instead, Stairwell says, it favors a manual approach, which probably means the attackers communicate directly with victims as a way of exerting extra pressure.
However, despite attacking organizations for more than a year, some aspects of how Maui operates remain a mystery. As the CISA warning states:
“The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files.”
This is an advantage of deploying ransomware in the old school manner, without the benefit of a ransomware-as-a-service (RaaS) platform. Each attack is slightly different, which makes it harder for defenders to detect future attacks using a list of tools, techniques, and procedures (TTPs).
The central theme of the FBI and CISA warning is that organizations are falling victim to Maui, and either not notifying the authorities or notifying them but without sufficient detail.
This is a problem because the official U.S. Department of Justice strategy for countering cyberattacks such as ransomware is to measure success and improvement over time against a series of key performance indicators (KPIs). These include the percentage of attacks investigated within 72 hours, an ambitious target that depends on quick reporting. If popular targets such as healthcare organizations fail to report attacks, this strategy will become that bit harder to fulfil.
Importantly, the advisory also states:
“The FBI, CISA, and Treasury highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.”
The important phrase here is “may pose sanctions risks.” Organizations will already be wary about breaching sanctions rules, but it’s an additional consideration for anyone compromised by Maui. The good news is that reporting an attack to the FBI will count as a mitigating factor when assessing whether rules were broken.
“The updated advisory states that when affected parties take these proactive steps, Treasury’s Office of Foreign Assets Control (OFAC) would be more likely to resolve apparent sanctions violations involving ransomware attacks with a non-public enforcement response.”
(The updated advisory on sanctions referred to in this statement was issued in September 2021. The full text can be read here.)
As far as the U.S. healthcare sector is concerned, the warning about hypothetical sanctions violations is a mixture of carrot with a much bigger stick. Reporting attacks should now be understood as a priority rather than an option.
On the other hand, if a piece of North Korean ransomware brings about better reporting in this sector, at least the defenders will have evolved to understand the need to pool intelligence on attacks. North Korean nation-state ransomware isn’t going away, but pretending attacks are a private issue is now officially an obsolete philosophy.