FBI, CISA, Treasury: North Korean hackers taking aim at health care with Maui ransomware

The ransomware has previously received little public scrutiny.
The Monument to Party Founding is a monument in Pyongyang, the capital of North Korea. (Getty Images)

Three federal agencies said Wednesday that North Korean hackers have been attacking the health care sector with ransomware, and cautioned victims that paying up could run afoul of U.S. sanctions rules.

The FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Treasury Department said in an alert that the hackers were using a kind of ransomware dubbed “Maui” to go after health care and public health organizations.

“This malicious activity by North Korean state-sponsored cyber actors against the healthcare and public health sector poses a significant risk to organizations of all sizes,” said CISA’s executive director for cybersecurity, Eric Goldstein.

It’s not the first time the U.S. has accused Pyongyang of wreaking havoc on the health care sector. Most notably, the U.S. and U.K. blamed North Korea for the 2017 WannaCry outbreak, which led to canceled surgeries and postponed medical appointments in the U.K. after the bug worked its way into the National Health Service.

“They’re pretty ruthless, as we have seen in the past,” said John Riggi, national adviser for cybersecurity and risk at the American Hospital Association (AHA). “And the fact that there’s an urgency by the health care sector to continue the uninterrupted provision of health care is a reason why they’re targeting health care.”

The Wednesday alert came with a reminder of September guidance from the Treasury Department that paying ransomware operators potentially puts victims at risk of violating Office of Foreign Assets Control regulations, although cooperating with law enforcement and improving cybersecurity practices lessens that risk, according to the memo. Treasury has designated the North Korean government-backed hacking outfit known as the Lazarus Group and two sub-groups under its sanctions program.

The Maui ransomware variant received little public scrutiny prior to Wednesday. The same day of the feds’ alert, cybersecurity company Stairwell published an analysis of the ransomware, saying that it differed in major ways from traditional ransomware-as-a-service offerings, where ransomware creators allow others to use their product in exchange for a share of profits. Stairwell said it first observed Maui on April 3.

“Maui stood out to us because of a lack of several key features we commonly see with tooling from RaaS providers, such as an embedded ransom note to provide recovery instructions or automated means of transmitting encryption keys to attackers,” wrote Silas Cutler, principal reverse engineer. “Instead, we believe that Maui is manually operated, in which operators will specify which files to encrypt when executing it.”

That setup makes sense, said Daniel dos Santos, head of security research for Forescout.

“This is to be expected from a malware developed or used by a state-sponsored actor, which has different behavior and potentially different objectives than a cybercriminal group,” he said. “Maybe the actors are not looking immediately to scale this attack to hundreds of organizations, but instead looking into targeting some organizations that are more important for their objectives.”

Riggi said his organization was “anecdotally” aware of some Maui victims. The Health Information Sharing and Analysis Center (H-ISAC) was unable to identify any victims, but it was clear that law enforcement had, said Errol Weiss, chief information security officer for the group. Both H-ISAC and AHA were alerting members Wednesday, or planning to do so.

“Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations,” the federal alert reads. “North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services. In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods.”

Cyber firm Mandiant said that of late, the health care sector hasn’t seemed to be the top priority target for North Korea.

“We have noted recently that North Korean actors have shifted focus away from healthcare targets to other traditional diplomatic and military organizations,” John Hultquist, vice president of Mandiant Intelligence, said in a written statement. “Unfortunately, healthcare organizations are also extraordinarily vulnerable to extortion of this type because of the serious consequences of a disruption.”

In May, the Department of Health and Human Services identified LockBit and Conti as the ransomware groups that most afflicted the health sector in the first quarter of 2022.

Updated 7/6/22: to include comment from Forescout.