Healthcare systems could face new DPRK ransomware tactics

Government agencies from the United States and the Republic of Korea are highlighting new ransomware tactics they’ve seen, which they say are used to conceal the affiliation of Democratic People’s Republic of Korea hackers working to stage attacks against U.S. and South Korean healthcare organizations and critical infrastructure.


The new cybersecurity advisory, Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities, details both North Korea’s historically and recently observed tactics, techniques and procedures and indicators of compromise.

The additional observed TTPs “span phases from acquiring and purchasing infrastructure to concealing DPRK affiliation,” according to the United States National Security Agency, Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency and Department of Health and Human Services, along with the Republic of Korea National Intelligence Service and ROK’s Defense Security Agency, which issued yesterday’s warning.

“In some cases, DPRK actors have portrayed themselves as other ransomware groups, such as the REvil ransomware group,” according to the agencies.

Agencies from both nations say that an unspecified amount of revenue from cryptocurrency ransoms supports DPRK’s government cyber operations targeting the United States and South Korean governments, including defense information networks.

Of note, North Korean cyber actors may threaten to expose a private healthcare company’s proprietary data to competitors if ransoms are not paid.

The CSA provides the following key technical details and shares mitigation strategies:


In July, CISA, FBI and the Treasury Department released a CSA warning that Maui malware was being used to target hospitals and public health agencies.

“Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations,” officials said then. 

“North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services – including electronic health records services, diagnostics services, imaging services and intranet services.”

Whether it is state-sponsored or independent cybercriminals willing to hop from one ransomware gang to another, hospital financial ratings are vulnerable, according to a recent assessment from Fitch Ratings.

Deployment of sophisticated cyber weapons that compromise healthcare delivery can affect a hospital’s financial profile and “could negatively affect ratings,” Fitch analysts said.


“This CSA is supplementary to previous reports on malicious cyber actor activities involving DPRK ransomware campaigns—namely Maui and H0lyGh0st ransomware,” the agencies said in the warning.

Andrea Fox is senior editor of Healthcare IT News.

Healthcare IT News is a HIMSS Media publication.
