CISA issues alert with South Korean government about DPRK’s ransomware antics

CISA and other federal agencies were joined by the National Intelligence Service (NIS) and the Defense Security Agency of the Republic of Korea (ROK) in releasing the latest cybersecurity advisory in the US government's ongoing #StopRansomware effort. The alert highlights ongoing state-sponsored ransomware activity by the Democratic People's Republic of Korea (DPRK) against organizations in the US healthcare sector and other critical infrastructure sectors. The agencies assess that cryptocurrency ransom payments from these operations support DPRK's "national-level priorities and objectives".

“North Korea’s cyber program poses a growing espionage, theft, and attack threat,” the Annual Threat Assessment report in 2021 said. “North Korea has conducted cyber theft against financial institutions and cryptocurrency exchanges worldwide, potentially stealing hundreds of millions of dollars, probably to fund government priorities, such as its nuclear and missile programs.”

DPRK has a lengthening history of ransomware attacks against organizations in both the US and South Korea, and some of these operations have become a mainstream way of funding its other cybercrime activity. Who can forget WannaCry in 2017, the strain that spread to unpatched Windows systems still vulnerable to the EternalBlue SMBv1 exploit (the flaw addressed by Microsoft's MS17-010 update)? The US and UK governments attributed WannaCry to North Korea's Lazarus Group, a nation-state advanced persistent threat (APT) group.

Then there's Magniber, a ransomware strain distributed by the Magnitude exploit kit (EK) from late 2017. Magniber only targets systems in South Korea, which at the time made it the first ransomware known to home in on a single country.

In the last few years, two new ransomware strains from DPRK have surfaced: Maui and H0lyGh0st.

Andariel (aka Silent Chollima and Stonefly), the APT group believed to be behind the Maui ransomware campaigns, has been attacking Healthcare and Public Health (HPH) Sector organizations since May 2021. Once inside a target network, it encrypts the servers that run electronic health records, diagnostic and imaging services, among others. As a result, Maui victims experience severe disruption for prolonged periods.

H0lyGh0st, like other current ransomware gangs, favors double-extortion tactics, maintains a leak site, and targets small and medium-sized enterprises (SMEs). Microsoft has linked it to PLUTONIUM, another North Korean APT, because the H0lyGh0st gang uses tools PLUTONIUM created. While it is financially motivated, it hides behind a stated "quest" to "close the gap between the rich and poor."

DPRK ransomware has significantly altered the face of ransomware, turning a simple file locker into something more disruptive, more lucrative, and, in some cases, destructive. And DPRK is just one of the states alleged to profit from ransomware attacks to finance their agenda, with no care for the real victims: the people directly affected when systems shut down on them, preventing them from serving those who most need attention and care.

When Conti ransomware hit Ireland's Health Service Executive (HSE) in May 2021, everyone was caught off guard, including the doctor we interviewed just days after the attack. He described how staff were instructed not to touch the computers, the uncertainty that hung over them, and how he had to break the bad news to patients who had been waiting for surgery since 7:00 am that day: they had to go home.

“I have to tell patients, sorry I can’t operate on you,” he recalled. “You’ve been fasting, you came a long distance, you rescheduled things to make time for me, maybe you have had to come off work. After all this I have to say sorry, I can’t see you.”

“I’m dealing with patients’ lives here. It’s not something you can take lightly. You either do it right or you do it wrong, and if you do it wrong you’re harming somebody.”

How to avoid ransomware

There is no doubt hospitals remain in the crosshairs, and attackers can strike at any time. Thankfully, there are ways organizations can reduce their risk of suffering a ransomware attack.

  • Have an incident response (IR) plan. Organizations should accept that a cyberattack is likely to affect them at some point, whether as the direct victim or as part of a supply chain. An IR plan tells your responders what to do in the event of an attack. It should cover restoring from backups, client outreach, and reporting to law enforcement, among other steps.
  • Educate your staff. Awareness goes a long way, and everyone in the company has a responsibility to keep the organization's network safe. Staff should be taught to recognize social engineering tactics and the red flags of an attack, so they can alert the right personnel quickly should one occur.
  • Patch as soon as you can. Many threat actors get into networks by exploiting unpatched vulnerabilities. Have a patching plan in place, prioritizing the weaknesses that are actively being exploited, so that your organization's network is protected against them.
  • Back up your files. Backups have saved a lot of organizations after a ransomware attack, provided they work and the attacker could not reach them. Keep at least one copy offline or otherwise out of reach of a compromised account, and when you make a plan, ensure it also has provisions for backup testing: a backup you have never restored is an assumption, not a safeguard.
  • Get an EDR solution. Malwarebytes Endpoint Detection and Response offers built-in ransomware protection, 72-hour ransomware rollback, and zero-day ransomware protection. Try it here.
  • Learn more. If you want to read more about protecting your business from ransomware, take a look at our Ransomware Emergency Kit.
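The backup-testing point above is the one most often skipped, so here is an added example of what a minimal restore drill looks like in code. This is illustrative code written for this article, not a tool from the advisory or from any vendor: it records a SHA-256 manifest of the source tree at backup time, then checks a backup copy against that manifest and reports files that are missing, corrupted or unexpected. The directory names, file names and the sample "patient record" contents are all constructed for the demo, and the tampering step simulates what a ransomware run does to a backup share it can reach (overwriting one file, renaming another with a new extension).

```python
"""Backup-and-verify drill: build a content manifest at backup time and later
check the backup copy against it, so an untested backup is never trusted
during ransomware recovery. Demo code for this article; all data is constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # hypothetical name chosen for this demo
CHUNK = 1 << 20  # hash in 1 MiB chunks so large files never load whole into memory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def make_backup(source: Path, backup: Path) -> dict:
    """Copy source to backup and store a manifest of the source alongside it."""
    shutil.copytree(source, backup)
    manifest = build_manifest(source)
    (backup / MANIFEST_NAME).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(backup: Path) -> dict:
    """Restore drill: compare the backup copy against its stored manifest.

    Returns a report with lists of missing, corrupted and unexpected files.
    All three lists empty means every file is present with the expected content."""
    expected = json.loads((backup / MANIFEST_NAME).read_text())
    actual = build_manifest(backup)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "corrupted": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
        "unexpected": sorted(set(actual) - set(expected)),
    }


def backup_is_good(report: dict) -> bool:
    """True only when the report contains no findings of any kind."""
    return not any(report.values())


def restore_drill_demo() -> tuple:
    """End-to-end drill on constructed data; returns (clean_report, tampered_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "ehr"  # constructed sample source tree
        (src / "records").mkdir(parents=True)
        (src / "records" / "patient-0001.json").write_text('{"id": 1, "ward": "A"}')
        (src / "imaging.dat").write_bytes(bytes(range(256)) * 8)

        bak = Path(tmp) / "backup-2023-02-10"
        make_backup(src, bak)
        clean = verify_backup(bak)  # expected: no findings

        # Simulate a ransomware run that reached the backup share: one file is
        # overwritten with random bytes, another is renamed with a new extension.
        (bak / "imaging.dat").write_bytes(os.urandom(2048))
        (bak / "records" / "patient-0001.json").rename(
            bak / "records" / "patient-0001.json.locked"
        )
        tampered = verify_backup(bak)  # expected: corrupted, missing, unexpected
        return clean, tampered


if __name__ == "__main__":
    clean_report, tampered_report = restore_drill_demo()
    print("clean backup passes:", backup_is_good(clean_report))
    print("tampered backup report:", tampered_report)
```

Two caveats a practitioner should keep in mind. First, a manifest stored beside the backup can be overwritten by the same intruder who encrypts the backup, so keep a copy of the manifest (or a signature over it) somewhere the backup account cannot write. Second, this drill only proves that the copy still matches what was backed up; it does not prove the application can be brought up from it, so a periodic full restore into a test environment is still required.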

Stay safe!
