
FBI releases advisory warning of the use of the Maui ransomware by North Korean state-sponsored threat actors to target the Healthcare and Public Health Sector

On Wednesday 6th of July 2022, the United States Federal Bureau of Investigation (FBI) released a joint TLP:WHITE advisory which revealed that the Maui ransomware has been used by North Korean state-sponsored threat actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organisations. The goal of these ransomware attacks is to encrypt servers that are responsible for healthcare service operations. Targeted services include electronic health records services, diagnostics services, imaging services, and intranet services. The targeting and encryption of these servers have caused disruptions to these services for prolonged periods.

This joint advisory was released in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury to provide key cyber threat information that helps security professionals and organisations detect and counter ransomware attack attempts involving the Maui ransomware. The advisory also revealed that the ransomware appears to be designed for manual execution by a remote actor, although the initial access vector for these incidents is still unknown.

In the advisory, the FBI asked for any information related to the incidents involving the Maui ransomware to be shared with them. This information can include “boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files.”
