CISA, the FBI and the U.S. Treasury have released a joint Cybersecurity Advisory (CSA) about North Korean-sponsored attackers using Maui ransomware to target the healthcare industry. The CSA can be found here. We urge healthcare organizations to quickly act now to protect their systems.
Every connected device increases the attack surface. Healthcare organizations cannot afford to only do the minimum to secure their networks - especially when patient safety is at stake. Hospitals and healthcare organizations rely on all kinds of connected devices to operate and they don't always know exactly what's connecting to their networks. This makes it hard to immediately understand what's at risk when these ransomware alerts are issued.
In addition, healthcare organizations often rely on older, more vulnerable legacy devices and equipment that have a long lifespan and can’t be taken out of service. These legacy devices (such as those running outdated Windows 7/8/10 operating systems) often represent about 20% of devices or more in a network.
The Maui Ransomware is more challenging to detect than many other types of ransomware because of the way threat actors execute these operations remotely. With help from our customers, we’ve validated that no communications from their devices to North Korea exist, other than DNS traffic from guest devices. However, this is a wake up call for healthcare organizations to shut down all communications to North Korea so we are protected from future breaches.
Here are some immediate steps to take based on this Maui Ransomware advisory.
Monitor device communications flows
Track communication to certain countries like Russia and N. Korea and understand the web reputation of the sites these devices are going to. Medical devices should not have a legitimate business need to be communicating with certain countries.
Healthcare organizations can do this using the Ordr traffic analysis tool.
Additionally, similar to our Russian communications report, and the detailed analysis we performed, Ordr will be delivering a North Korean communications report. Our customers can generate this report when they need the data, or schedule it daily or weekly.
Monitor privileged communications
Healthcare organizations need to monitor devices using privileged protocols, for example, SMBv1 and RDP protocols. Security teams need to scrutinize the usage of these protocols and shut them down if they are not required. These protocols come into play for device manufacturers to perform maintenance, but access should be enabled only for the duration of services needed.
Ordr tracks connected devices using these protocols continuously today. Our customers can get details about these devices with one click on our dashboard.
Monitor all remote execution activities
The Maui ransomware is designed for manual execution by a remote actor via a command-line interface, using it to target specific files on the infected machine for encryption. So, it is imperative to watch all the remote execution commands like telnet/rsh, rcp, rlogin etc., and track such activities carefully. The Ordr platform allows you to identify all devices using these methods to make sure they are all open and available only for a very few select devices and shut this down on all other devices if the need that opened this up has been fulfilled.
Monitor all user login attempts
It is imperative to monitor closely all windows workstations and servers that serve clinical needs and work closely with medical devices. The Ordr platform provides a list of all logins attempts on any windows machine to track and identify unwanted logins. It is advised to clean up the numerous unnecessary accounts on various machines in clinical setting using a report from Ordr, following the principle of least privilege.
Monitor for IoC files
Healthcare organizations can detect files that are used by the Maui ransomware threat actors, for example maui.exe/maui.log/maui.key and its variations as well as malicious file indicators. Customers using Ordr can identify the presence of these files from the software inventory that is extracted from devices.
Baseline all connected devices
The initial infection (i.e., entry point) for ransomware may be challenging to detect. Therefore, it is important to focus on other stages of the kill chain, for example lateral movement. Healthcare organizations can baseline connected devices using Ordr to ensure they are not deviating from their baseline of “normal behavior”. Whenever ransomware takes over one of these devices, there is lateral movement, and this baselining will immediately detect abnormal internal communications.
We hope the above guidance helps all healthcare organizations. Read our ransomware best practices and ensure that you are keeping your connected devices secure. Due to patient care disruption, more and more healthcare organizations are resorting to quickly paying ransom, as they cannot even afford to wait for systems to recover on their own through backups. However, note that paying a ransom does not guarantee data will be recovered. Additionally, lightning does hit twice in the case of ransomware victims, i.e., organizations that have paid ransom have been targeted again.
Finally, if you need assistance, Ordr and our team are here to help. Please reach out to us at firstname.lastname@example.org.