Executive Summary
Ransomware gangs continue to wreak havoc on many sectors, including healthcare. With the goal of financial gain, threat actors deploy ransomware on healthcare organizations’ machines through malicious links, malvertising, and phishing emails. With evolving tactics and techniques, it can be difficult for cyber security professionals to keep up. Not to mention, even the most inexperienced cybercriminal with little technical skill can deploy a ransomware attack.
Hospitals and healthcare organizations across the country become victims of ransomware attacks daily. Outdated software, exposed endpoints, and lack of employee security training make healthcare organizations extremely vulnerable to cyber attacks.
Unfortunately, threat actors know just how vulnerable the healthcare sector has become and they’re taking advantage of every opportunity to attack. Recently, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury and the Financial Crimes Enforcement Network (FinCEN) issued joint warnings for Maui and MedusaLocker ransomware. Both ransomware families are currently responsible for several cyber attacks within the healthcare sector.
North Korean nation-state threat actors are believed to be behind Maui ransomware, while MedusaLocker has yet to be attributed to a specific threat actor or group. Let’s take a look at Maui and MedusaLocker’s tactics and techniques, as well as how the healthcare sector can protect itself from ransomware.
Emerging in 2019, MedusaLocker has infected and encrypted systems across multiple sectors, with specific attention to the healthcare sector. MedusaLocker is a ransomware-as-a-service operation (RaaS) and splits payments with affiliates. The affiliates typically receive 55% to 60% of the proceeds.
RaaS has become more popular and powerful as malware campaigns evolve. It becomes even more powerful when ransomware developers provide their ransomware to third parties (affiliates). In return, the affiliates cause further infections or find potential infection vectors. If an affiliate is accepted into the ransomware operation, they receive monetary compensation after they successfully infect an organization.
During 2019, MedusaLocker took advantage of the chaos surrounding the COVID-19 pandemic and launched phishing and spam email campaigns to gain initial access. As of May 2022, the threat actors behind the ransomware are relying on vulnerabilities in Remote Desktop Protocol (RDP) to gain access to their victims’ networks. After encrypting data, MedusaLocker leaves behind a ransom note with clear instructions in every folder that contains an encrypted file. The victims are directed to pay a ransom to a specific Bitcoin wallet address.
To gain access to victims’ networks, MedusaLocker uses phishing and spam email campaigns, attaching the ransomware directly to the email. To evade security tools, MedusaLocker restarts the targeted machine in safe mode before execution. It does not encrypt executable files, most likely so that the system remains usable enough for the victim to pay the ransom.
MedusaLocker’s infection starts with two files: qzy.bat and qzy.txt. The qzy.bat file is a batch file, while qzy.txt is a PowerShell script. According to Cybereason, the batch file creates persistence via a Windows service, which does the following:
Image 1: MedusaLocker Batch File
Source: Cybereason
Once the machine restarts, the PowerShell script runs and the created service executes. Before deploying, MedusaLocker checks whether the following mutex exists on the targeted machine: “{8761ABBD-7F85-42EE-B272-A76179687C63}”. If the mutex is present, MedusaLocker stops its execution. MedusaLocker achieves privilege escalation through a UAC bypass technique, which lets the ransomware run with elevated privileges and carry out administrative operations. Persistence is also established through a scheduled task named “svhost” that executes every 15 minutes.
MedusaLocker is known for deleting backups and preventing organizations from recovering any data after infection. Deleting backups leaves victims feeling that they have no option but to pay the ransom. Additionally, a variant of MedusaLocker called AKO was seen blackmailing victims by threatening to release sensitive data, a method that has gained popularity among ransomware gangs. These kinds of threats have also been found in some of MedusaLocker’s ransom notes. MedusaLocker’s ransom demands appear to depend on the victim’s financial status.
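The behaviors described above give defenders several host-level indicators to hunt for: the qzy.bat/qzy.txt staging files, the hard-coded mutex, and a scheduled task named “svhost” (a lookalike of the legitimate svchost) that fires every 15 minutes. The following Python script is an added example, not code from the report or from Cybereason; it scores constructed telemetry records (the event field names and the "trusted directory" list are assumptions for this example, not a real log schema) against those indicators and rates each host.

```python
from collections import defaultdict

# Indicators taken from the MedusaLocker description in this report.
MEDUSALOCKER_MUTEX = "{8761ABBD-7F85-42EE-B272-A76179687C63}"
STAGING_FILES = {"qzy.bat", "qzy.txt"}
TASK_NAME_LOOKALIKE = "svhost"      # one letter short of the legitimate svchost
TASK_INTERVAL_MINUTES = 15
# Assumption for this example: where legitimately scheduled binaries usually live.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")


def match_event(ev):
    """Return the indicator name that a telemetry record matches, or None.
    `ev` is a dict with a 'type' of file_create, task_create or mutex_create;
    the field names are constructed for this example, not a real log schema."""
    kind = ev.get("type")
    if kind == "file_create":
        if ev["path"].rsplit("\\", 1)[-1].lower() in STAGING_FILES:
            return "staging_file"
    elif kind == "task_create":
        if ev["task"].strip("\\").lower() == TASK_NAME_LOOKALIKE:
            return "task_name_lookalike"
        # A 15-minute task is only interesting when it runs from an untrusted path.
        if (ev.get("interval_min") == TASK_INTERVAL_MINUTES
                and not ev["command"].lower().startswith(TRUSTED_DIRS)):
            return "untrusted_15min_task"
    elif kind == "mutex_create":
        if ev["name"].upper() == MEDUSALOCKER_MUTEX:
            return "medusalocker_mutex"
    return None


def hunt(events):
    """Group matched indicators per host. Two or more distinct indicators on
    one host is a high-confidence hit; a single weak indicator is low."""
    per_host = defaultdict(set)
    for ev in events:
        rule = match_event(ev)
        if rule:
            per_host[ev["host"]].add(rule)
    return {h: ("high" if len(r) >= 2 else "low", sorted(r)) for h, r in per_host.items()}


SAMPLE_EVENTS = [  # constructed telemetry, not taken from a real incident
    {"type": "file_create", "host": "WS01", "path": "C:\\Users\\Public\\qzy.bat"},
    {"type": "file_create", "host": "WS01", "path": "C:\\Users\\Public\\qzy.txt"},
    {"type": "task_create", "host": "WS01", "task": "\\svhost", "command": "C:\\Users\\Public\\svhost.exe", "interval_min": 15},
    {"type": "mutex_create", "host": "WS01", "name": "{8761ABBD-7F85-42EE-B272-A76179687C63}"},
    {"type": "task_create", "host": "WS02", "task": "\\Microsoft\\Windows\\Updater", "command": "C:\\Windows\\System32\\svchost.exe", "interval_min": 15},
    {"type": "task_create", "host": "WS03", "task": "\\Sync", "command": "C:\\Users\\bob\\AppData\\sync.exe", "interval_min": 15},
]

if __name__ == "__main__":
    for host, (confidence, rules) in hunt(SAMPLE_EVENTS).items():
        print(host, confidence, rules)
```

On the constructed sample, WS01 is rated high (staging files, lookalike task and mutex all present), WS02's 15-minute task running from System32 is ignored, and WS03 is flagged low for a 15-minute task running from a user profile.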
Image 2: A MedusaLocker Ransom Note
Source: Cybereason
As we stated previously, North Korean state-sponsored threat actors are believed to be behind Maui ransomware. According to CISA, the FBI observed and responded to several cyber security incidents within the healthcare sector due to Maui. The incidents included the encryption of servers responsible for providing healthcare services (diagnostic services, imaging services, intranet services, etc.).
While CISA only recently released a warning about Maui, the ransomware has been infecting servers since May 2021. During that time, Maui infected the servers of a medical center in the District of Kansas. The threat actors received $100,000 in Bitcoin to decrypt and recover the encrypted files. The medical center notified the FBI, which was able to trace the medical center’s payment to China-based money launderers.
As of 2022, the threat actors behind Maui are still attacking the healthcare sector. In April 2022, one of their seized cryptocurrency accounts received a $120,000 payment. The account was identified by the Kansas medical center and the payment was confirmed to be related to a different medical center located in Colorado. The two cryptocurrency accounts belonging to the Maui ransomware operators were seized by the FBI in May 2022. By working with law enforcement, both health care facilities were able to recover their funds.
According to CISA, North Korean state-sponsored threat actors have been deploying Maui ransomware within the healthcare sector since May 2021. Some of the incidents disrupted operations and services provided by the targeted healthcare organizations.
The initial access vectors for the attacks are unknown, but Stairwell’s threat report on the ransomware shows that Maui is an encryption binary (maui.exe) designed for manual, operator-driven encryption, allowing the threat actors to pick and choose their targets. Most ransomware variants are mass deployed through tools such as PsExec, a Group Policy Object, or Active Directory. The operators behind Maui are clearly more targeted in their approach and more selective about the files they encrypt.
According to Stairwell, Maui doesn’t rely on external infrastructure to receive encryption keys. Instead, the ransomware creates three files containing the results of its execution in the directory it was executed from (unless a custom log directory is passed using the -p command line argument). These files are likely exfiltrated by the ransomware operators and processed with private tooling to generate the matching decryption tooling.
As we stated, Maui takes a targeted approach, and evidence of this can be seen in the decompiled code. The function call below, taken from IDA Pro, shows the usage options for running the program from the command prompt. The path of the file or folder to be encrypted is required, while the other switches are optional: they allow the log folder to be changed from the default (the current directory), the thread count to be changed (default 1), and a “self melt” option to be enabled (default no).
Image 3: Maui Ransomware Function Call
Source: Avertium's Cyber Threat Intelligence Team
There is also another option that is not shown in the initial CLI usage message. It allows the threat actor to append the public key information in the event of a read error.
Image 4: Threat Actor Appending Public Key
Source: Avertium's Cyber Threat Intelligence Team
Every file encrypted by Maui contains a custom header, which allows the ransomware to programmatically identify already encrypted files. The file’s original path and an encrypted copy of the AES key can be found in the header. While encrypting files, Maui outputs status information back to the ransomware operators.
In October 2021, Avertium published a Threat Intelligence Report regarding the top 5 cyber threats in the healthcare sector. Ransomware ranked as the most common attack vector for the sector. Between July 1 and September 30, 2021, researchers found 68 healthcare ransomware attacks globally. The United States was home to 60 percent of those attacks, with France, Brazil, Thailand, Australia, and Italy following. Medical clinics are the most frequently attacked sub-industry for ransomware attacks, with several ransomware gangs taking center stage (DoppelPaymer, Pysa, CLoP, Groove, etc.).
We can now add MedusaLocker and Maui ransomware to the long list of ransomware threatening to disrupt the healthcare sector. Some ransomware gangs choose not to focus on attacking critical infrastructure like healthcare. However, a lot of ransomware gangs are pushing what little moral compass they have to the side and are happy to attack the sector if it means a big pay day.
In 2019, Springhill Medical Center was attacked by a ransomware gang and that attack led to a baby’s death. The baby was born with the umbilical cord wrapped around the neck, which deprived the baby of oxygen during delivery. A heart rate monitor usually detects and informs hospital staff of life-threatening situations, but the monitor never alerted staff because its system had been compromised by the ransomware attack.
The doctor delivering the baby stated that she would have performed a cesarean section had she been able to see the heart monitor’s readout. She stated that the situation was preventable. As a result, the baby was born with severe brain damage and died nine months later. The hospital had to defend itself in a trial related to the attack in September 2021. Ryuk was suspected to be behind the attack, but that has yet to be confirmed.
From the instances in this report, it’s evident that ransomware is a major threat to the healthcare sector, yet the sector is still not implementing security best practices. Ransomware attacks within the healthcare sector not only cost organizations money, but they can and have cost people their lives. Following basic cyber security best practices could save a life and keep finances safe:
It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium offers the following services to keep your organization safe:
Avertium and CISA recommend the following for MedusaLocker ransomware:
Avertium and CISA recommend the following for Maui ransomware:
North Korea Attacks Health Sector With Maui Ransomware (govtech.com)
Cybereason vs. MedusaLocker Ransomware
FBI seized $500K worth of bitcoin obtained from Maui ransomware attacks (Security Affairs)
MedusaLocker Ransomware - AlienVault - Open Threat Exchange
Ransomware: In the Healthcare Sector (cisecurity.org)
Report: Maui ransomware (stairwell.com)
Cybersecurity Best Practices [Checklist] (welchallyn.com)
The Top 5 Cyber Threats in the Healthcare Industry (avertium.com)
How Affiliates Use Ransomware as a Service (safeguardcyber.com)
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.