North Korea Behind Manually Executed Ransomware Attacks, Federal Agencies Say


Officials are connecting the “Maui” ransomware to attacks on the public health sector over the past year. 

State-sponsored actors from North Korea are behind a lesser-known strain of ransomware referred to as “Maui,” according to a cybersecurity advisory from the FBI, in conjunction with the Cybersecurity and Infrastructure Security Agency and the Department of Treasury.

"The FBI, along with our federal partners, remains vigilant in the fight against North Korea's malicious cyber threats to our healthcare sector," FBI Cyber Division Assistant Director Bryan Vorndran said Wednesday in a press release on the advisory. "We are committed to sharing information and mitigation tactics with our private sector partners to assist them in shoring up their defenses and protecting their systems."

Officials did not detail their reason for linking the malware to North Korea apart from noting the profit motive and the urgency associated with attacking organizations in the healthcare sector.

“The FBI assesses North Korean state-sponsored cyber actors have deployed Maui ransomware against healthcare and public health sector organizations,” the advisory reads. “The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health. Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting HPH Sector organizations.”

The advisory is based on the FBI’s observations and incident response activities going back to May 2021, as well as a report on Maui operations that the threat intelligence firm Stairwell also released Wednesday.

Stairwell noted that, while groups such as Conti, LockBit and BlackCat are associated with the ransomware-as-a-service business model that enables even novice criminals to hold organizations’ data hostage, the Maui ransomware relies on manual execution and isn’t accompanied by the usual ransom note.

“Maui stood out to us because of a lack of several key features we commonly see with tooling from RaaS providers, such as an embedded ransom note to provide recovery instructions or automated means of transmitting encryption keys to attackers,” Stairwell wrote. “Instead, we believe that Maui is manually operated … operators will specify which files to encrypt when executing it and then exfiltrate the resulting runtime artifacts.”

The cybersecurity advisory discouraged paying ransoms but encouraged organizations to report incidents to CISA or the FBI either way, so the agencies can share defensive measures more widely. The agencies also pointed to an update Treasury made in September to an earlier advisory warning organizations that they risk violating sanctions by paying, since attacks may be linked to regimes under sanctions.

“The updated advisory encourages U.S. entities to adopt and improve cybersecurity practices and report ransomware attacks to, and fully cooperate with, law enforcement,” the agencies wrote. “The updated advisory states that when affected parties take these proactive steps, Treasury’s Office of Foreign Assets Control would be more likely to resolve apparent sanctions violations involving ransomware attacks with a non-public enforcement response.”