Another ransomware warning for healthcare providers: North Korean attacks

Healthcare and public health organizations have been alerted to another ransomware threat––this time from the Democratic People’s Republic of Korea (DPRK).

The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA) issued a joint cybersecurity advisory (CSA) highlighting the ransomware activity targeting healthcare and public health organizations. Namely, DPRK cyber actors are targeting South Korean and U.S. healthcare systems.

The CSA builds on previous reports on malicious cyber actor activities involving DPRK ransomware campaigns—namely Maui and H0lyGh0st ransomware. It also details historically and recently observed tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.

According to the CSA, the latest ransomware attacks from DPRK involve attacks traditionally observed in ransomware operations, though the TTPs also include acquiring and purchasing infrastructure to conceal DPRK affiliation. The cyber actors are generating domains, personas and accounts, and identifying cryptocurrency services to conduct ransomware activities. They are using cryptocurrency to purchase domains and conceal their identity. 

“DPRK actors purposely obfuscate their involvement by operating with or under third-party foreign affiliate identities and use third-party foreign intermediaries to receive ransom payments,” the CSA warned.

The cyber actors are using various common vulnerabilities and exposures to gain access to and privileges in networks, including recently using remote code execution.

 “Actors also likely spread malicious code through Trojanized files for ‘X-Popup,’ an open source messenger commonly used by employees of small and medium hospitals in South Korea,” the advisory stated.

Once they have access DPRK actors use malware to perform ransomware activities, download files and execute shell commands. They are also deploying known ransomware and tools for encryption. The DPRK actors have also portrayed themselves as other groups to conceal their identity, including the REvil ransomware group. They are known to demand ransom in cryptocurrency, such as bitcoin.

The CSA encouraged healthcare and public health organizations to backup all data and regularly test their backup and restoration processes. In addition, the CSA encouraged incident response plans and associated communications plans in the even of a cyber attack or ransomware attack.

Amy Baxter

Amy joined TriMed Media as a Senior Writer for HealthExec after covering home care for three years. When not writing about all things healthcare, she fulfills her lifelong dream of becoming a pirate by sailing in regattas and enjoying rum. Fun fact: she sailed 333 miles across Lake Michigan in the Chicago Yacht Club "Race to Mackinac."

Around the web

Compensation for heart specialists continues to climb. What does this say about cardiology as a whole? Could private equity's rising influence bring about change? We spoke to MedAxiom CEO Jerry Blackwell, MD, MBA, a veteran cardiologist himself, to learn more.

The American College of Cardiology has shared its perspective on new CMS payment policies, highlighting revenue concerns while providing key details for cardiologists and other cardiology professionals. 

As debate simmers over how best to regulate AI, experts continue to offer guidance on where to start, how to proceed and what to emphasize. A new resource models its recommendations on what its authors call the “SETO Loop.”