North Korean hackers attack US healthcare organizations with ransomware

North Korean hackers attack US healthcare organizations with ransomware: FBI says cyber thieves assume groups will pay to regain access to their servers

  • The attack on healthcare organizations was first observed in May 2021.
  • North Korean hackers leave a ransom note asking organizations to pay them to restore access to servers.
  • Officials do not recommend paying the ransom because it does not guarantee that files and records will be recovered.

The US government has warned that North Korean hackers are targeting healthcare organizations with ransomware.

Federal Bureau of InvestigationFBI) said on Wednesday that it first discovered Maui ransomware on servers that hold medical records, images and intranet services in May 2021.

advisory notewhich is also owned by the Cybersecurity and Infrastructure Security Agency (CISA) and the US Department of the Treasury, says the ransomware caused outages in medical services for “extended periods.”

It’s unclear how the hackers infect servers, but the cyber thieves “probably assume that healthcare organizations are willing to pay the ransom because these organizations provide services that are critical to people’s life and health.”

The FBI, CISA, and Treasury strongly advise against paying the ransom, as it does not guarantee the recovery of files and records and may lead to the risk of sanctions.

Scroll down for video

The Federal Bureau of Investigation (FBI) said Wednesday it found Maui ransomware on servers that host medical records, images and intranet services.

North Korea is known for ransoming data to steal cryptocurrencies — hackers in the country stole almost $400 million in 2021, and a separate group took more than $600 million in April of this year.

FBI Assistant Director of Cyber ​​Division Brian Vorndran said in a statement, “The FBI, along with our federal partners, remains vigilant in combating North Korea’s malicious cyber threats to our healthcare sector.

“We are committed to sharing information and mitigation practices with our private sector partners to help them strengthen their defenses and protect their systems.”

Rahul Prabhakar, Deputy Assistant Secretary of the Treasury for Cybersecurity and Critical Infrastructure Protection, said in a statement: “Ransomware is stalking people and businesses, large and small, across America. The Treasury has worked closely with the CISA and the FBI to counter ransomware and protect the financial sector’s critical infrastructure.

The FBI, CISA, and Treasury strongly advise against paying the ransom as it does not guarantee the recovery of files and records and may result in the risk of sanctions.

“This Maui Collaborative Ransomware Consultation provides guidance that organizations of all sizes across the country can use to protect themselves.

“We will continue to work closely with our partners to spread useful information about ransomware and other malicious activities as quickly as possible to help individuals and businesses protect themselves from the ever-evolving cyber threats.”

North Korean hackers may also have been involved in the June 23 attack, which resulted in the theft of up to $100 million in cryptocurrency from Horizon Bridge, a service operated by the Harmony blockchain that allows assets to be transferred to other blockchains.

Although it has not been confirmed, the FBI says the style of attack and the high speed of structured payments to a mixer used to hide the origin of funds are similar to previous attacks that were attributed to North Korean-linked entities by Chainalysis, a blockchain company working with Harmony to investigate the attack. .

There are strong indications that the North Korean Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds, another firm Elliptic said in a June 29 report.

“The thief is trying to trace the transaction back to the original theft,” the report says. “It makes it easier to cash out on the exchange.”

If confirmed, the attack would be the eighth exploit this year with a total of $1 billion in stolen funds, which can be safely attributed to North Korea, which accounts for 60% of the total stolen funds in 2022, according to Chainalysis.

North Korea’s ability to cash in on its stolen assets may have been hampered by the recent drop in the value of the cryptocurrency, experts and South Korean officials told Reuters, possibly threatening a key source of funding for the sanctioned country.