Government agencies from the United States and the Republic of Korea are highlighting new ransomware tactics they've seen, which they say are used to conceal the affiliation of Democratic People’s Republic of Korea hackers working to stage attacks against U.S. and South Korean healthcare organizations and critical infrastructure.

WHY IT MATTERS

The new cybersecurity advisory, Ransomware attacks on critical infrastructure fund DPRK malicious cyber activities, details both North Korea's historically and recently observed tactics, techniques and procedures and indicators of compromise.

The additional observed TTPs "span phases from acquiring and purchasing infrastructure to concealing DPRK affiliation," according to the United States National Security Agency, the Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services, which issued yesterday's warning along with the Republic of Korea National Intelligence Service and ROK's Defense Security Agency,

"In some cases, DPRK actors have portrayed themselves as other ransomware groups, such as the REvil ransomware group," according to the agencies.

Agencies from both nations say that an unspecified amount of revenue from cryptocurrency ransoms supports DPRK's government cyber operations targeting the U.S, and South Korean governments, including defense information networks.

Of note, North Korean cyber actors may threaten to expose a private healthcare company’s proprietary data to competitors if ransoms are not paid.

The CSA provides the following key technical details, and shares mitigation strategies:

1. Acquire infrastructure – DPRK actors generate domains, personas and accounts and identify cryptocurrency services to conduct their ransomware operations. Actors procure infrastructure, IP addresses and domains with cryptocurrency generated through illicit cybercrime, such as ransomware and cryptocurrency theft.
2. Obfuscate identity – DPRK actors purposely obfuscate their involvement by operating with or under third-party foreign affiliate identities and use third-party foreign intermediaries to receive ransom payments. 
3. Purchase VPNs and VPSs – DPRK cyber actors will also use virtual private networks and virtual private servers or third-country IP addresses to appear to be from innocuous locations instead of from DPRK.
4. Gain access – Actors use various exploits of common vulnerabilities and exposures to gain access and escalate privileges on networks. Recently observed CVEs that actors used to gain access include remote code execution in the Apache Log4j software library (known as Log4Shell) and remote code execution in various SonicWall appliances.
5. Move laterally and discovery – After initial access, DPRK cyber actors use staged payloads with customized malware to perform reconnaissance activities, upload and download additional files and executables. The staged malware is also responsible for collecting victim information and sending it to the remote host controlled by the actors.
6. Employ various ransomware tools – Actors have used privately developed ransomware, such as Maui and H0lyGh0st and have also been observed using or possessing publicly available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk and YourRansom.
7. Demand ransom in cryptocurrency – DPRK cyber actors have been observed setting ransoms in bitcoin, and are known to communicate with victims via Proton Mail email accounts.

THE LARGER TREND

In July, CISA, FBI and the Treasury Department released a CSA warning that Maui malware was being used to target hospitals and public health agencies.

"Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations," officials said then. 

"North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services – including electronic health records services, diagnostics services, imaging services and intranet services."

Whether it is state-sponsored or independent cybercriminals willing to hop from one ransomware gang to another, hospital financial ratings are vulnerable, according to a recent assessment from Fitch Ratings.

Deployment of sophisticated cyber weapons that compromise healthcare delivery can affect a hospital's financial profile and "could negatively affect ratings," Fitch analysts said.

ON THE RECORD

"This CSA is supplementary to previous reports on malicious cyber actor activities involving DPRK ransomware campaigns – namely Maui and H0lyGh0st ransomware," the agencies said in the warning.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.