The Cybersecurity and Infrastructure Security Agency, FBI and the Department of the Treasury have released a joint advisory on Maui ransomware and other indicators of compromise that North Korea-backed threat actors have been using since May 2021 to compromise health care and public health sector organizations.
Cyberthreat actors use Maui ransomware to encrypt servers used to support electronic health records, imaging, diagnostics and intranet services, according to the joint advisory published Wednesday.
Maui encrypts target files using a combination of XOR encryption, RSA and the Advanced Encryption Standard (AES).
The advisory outlines mitigation measures health care organizations should take, such as limiting access to data by deploying public key infrastructure and digital certificates to authenticate connections with the network, the EHR system and medical devices; using standard user accounts on internal systems; and turning off network device management interfaces.
Organizations are also being urged to maintain offline backups of data; create and exercise a cyber incident response plan and a related communications plan; install updates for software, operating systems and firmware upon release; implement a user training program and phishing exercises; and require multifactor authentication for services.
“The FBI, CISA, and Treasury strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks,” the notice reads.