Healthcare and public health organizations have been alerted to another ransomware threat, this time from the Democratic People’s Republic of Korea (DPRK).
The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA) issued a joint cybersecurity advisory (CSA) highlighting the ransomware activity targeting healthcare and public health organizations. Namely, DPRK cyber actors are targeting South Korean and U.S. healthcare systems.
The CSA builds on previous reports on malicious cyber actor activities involving DPRK ransomware campaigns—namely Maui and H0lyGh0st ransomware. It also details historically and recently observed tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.
According to the CSA, the latest DPRK ransomware attacks rely on techniques traditionally observed in ransomware operations, though the TTPs also include acquiring and purchasing infrastructure to conceal DPRK affiliation. The cyber actors are generating domains, personas and accounts, and identifying cryptocurrency services to conduct ransomware activities. They are using cryptocurrency to purchase domains and conceal their identity.
“DPRK actors purposely obfuscate their involvement by operating with or under third-party foreign affiliate identities and use third-party foreign intermediaries to receive ransom payments,” the CSA warned.
The cyber actors are exploiting various publicly known vulnerabilities (CVEs) to gain initial access to networks and escalate privileges within them, most recently including remote code execution flaws.
“Actors also likely spread malicious code through Trojanized files for ‘X-Popup,’ an open source messenger commonly used by employees of small and medium hospitals in South Korea,” the advisory stated.
Once they have access, DPRK actors use malware to perform ransomware activities, download files and execute shell commands. They are also deploying known ransomware and tools for encryption. The DPRK actors have also portrayed themselves as other groups to conceal their identity, including the REvil ransomware group. They are known to demand ransom in cryptocurrency, such as bitcoin.
The CSA encouraged healthcare and public health organizations to back up all data and regularly test their backup and restoration processes. In addition, the CSA encouraged organizations to maintain incident response plans and associated communications plans for use in the event of a cyber attack or ransomware attack.