U.S., South Korea Partner on Stopping Ransomware That Targets Healthcare Sector
By Jonathan Springston, Editor, Relias Media
Four U.S. government agencies and South Korean intelligence officials released a joint advisory regarding ongoing ransomware activity that they believe originates in North Korea and targets healthcare entities in the United States and South Korea.
The advisory alleges that North Korean state-sponsored actors work through foreign third-party intermediaries to obtain infrastructure and launder ransom payments, route their traffic through virtual private networks and servers so that it appears to come from innocuous locations, and gain access by exploiting remotely exploitable vulnerabilities in common software. Once inside, they encrypt critical and sensitive information and demand a ransom for its release.
The agencies offered several tips to prevent such attacks. These mitigation tactics include the common and practical, such as maintaining an isolated backup of data, using strong passwords, offering continuing education to staff, and updating software and firmware regularly. But the advisory goes deeper, advising organizations to implement and enforce multilayer network segmentation, turn off weak or unnecessary network device management interfaces, and use encrypted connections.
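One way to turn the interface and segmentation advice above into a repeatable check, as an added example that is not part of the advisory or this article: the joint advisory names Telnet, SSH, Winbox and HTTP as management interfaces to disable on wide-area-network-facing devices, and this script audits a constructed inventory of listening sockets against that rule and against a single-management-VLAN segmentation plan. The device names, addresses and the `10.10.0.0/24` management network are assumptions made up for the illustration.

```python
"""Audit listening management interfaces against the advisory's guidance.

Added illustration, not code from the advisory. The inventory, device names and
segment layout below are constructed for the example.
"""
import ipaddress

# Management services the joint advisory lists as weak or unnecessary on
# WAN-facing devices. Telnet and plain HTTP also carry credentials in cleartext,
# so they are flagged wherever they listen, not only on the WAN.
MANAGEMENT_PORTS = {23: "telnet", 22: "ssh", 80: "http", 8291: "winbox"}
CLEARTEXT = {"telnet", "http"}

# Assumed segmentation plan: only the management VLAN may reach device
# management interfaces. A bind outside it, or a wildcard bind, is exposure.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]


def classify(record):
    """Return the findings for one (device, bind_address, port) record."""
    device, addr, port = record
    service = MANAGEMENT_PORTS.get(port)
    if service is None:
        return []  # not a management interface we care about
    findings = []
    if service in CLEARTEXT:
        findings.append(
            f"{device}: {service}/{port} is cleartext; replace it with an encrypted protocol"
        )
    ip = ipaddress.ip_address(addr)
    # 0.0.0.0 or :: binds every interface, which includes the WAN side.
    wildcard = ip.is_unspecified
    in_mgmt = any(ip in net for net in MANAGEMENT_NETS)
    if wildcard or not in_mgmt:
        findings.append(
            f"{device}: {service}/{port} bound to {addr}, reachable outside the management VLAN"
        )
    return findings


def audit(records):
    """Flatten findings across an inventory of listening sockets."""
    return [finding for record in records for finding in classify(record)]


# Constructed sample inventory (device, bind address, port); not real devices.
SAMPLE = [
    ("edge-fw-1", "0.0.0.0", 22),          # SSH on every interface
    ("edge-fw-1", "10.10.0.5", 443),       # HTTPS inside the management VLAN: fine
    ("core-sw-2", "10.10.0.7", 22),        # SSH inside the management VLAN: fine
    ("imaging-router", "10.20.4.1", 23),   # Telnet on a clinical-device segment
    ("mikrotik-branch", "203.0.113.10", 8291),  # Winbox on a public address
    ("core-sw-2", "10.10.0.7", 80),        # HTTP management, in VLAN but cleartext
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

In practice the inventory would be fed from device configurations or a port scan of each segment; the point is that the rule (management services only on the management VLAN, and never over Telnet or plain HTTP) is encoded once and run every time the network changes.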
If a ransomware attack occurs, the advisory recommends against paying the ransom: payment does not guarantee that the attackers will decrypt or return the affected data, and it funds further operations. Instead, administrators should report the incident to the FBI.
“This interagency report identifies the hybrid criminal and national security cyberthreat posed directly to U.S. healthcare by the North Korean government. With assistance from cooperating U.S. hospital ransomware victims, the FBI last July identified the North Korean Maui ransomware threat cited in this report. The North Korean government is using criminal ransomware proceeds to fund other illicit activities of the regime,” John Riggi, national advisor for cybersecurity and risk for the American Hospital Association, explained.
Since the COVID-19 pandemic started, cyberattacks on healthcare entities have become more common. In December 2021, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center sounded the alarm about a critical vulnerability in Log4j, a logging library embedded in many common cloud applications and enterprise software products. A security breach at a large healthcare system in 2022 might have stemmed from vulnerabilities introduced by a series of recent mergers and acquisitions.
Still, some agencies have reported progress and have even offered recovery tools to victims of cybercrime. For example, in January 2023, the U.S. Department of Justice detailed its disruption campaign against the Hive ransomware group, which had targeted more than 1,500 victims globally, including hospitals. The department estimated that the operation averted about $130 million in ransom demands.
Earlier this month, the Cybersecurity and Infrastructure Security Agency issued guidance to VMware ESXi server users regarding the ESXiArgs ransomware campaign. The guidance includes a recovery script that organizations can use to try to rebuild virtual machines whose configuration files were encrypted by the ESXiArgs ransomware; it works because the campaign left the large flat virtual disk files largely untouched.
For more on this and related subjects, be sure to read the latest issues of Healthcare Risk Management.