On July 7, 2022, three federal agencies – the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Department of the Treasury – issued a joint alert regarding Maui Ransomware, which has been linked to ransomware attacks on healthcare and public health entities carried out by North Korean state-sponsored cyber actors.
These are the key recommendations of the alert:
- Since at least May 2021, the FBI has noted multiple ransomware incidents involving Maui ransomware in the healthcare and public health sector, targeting health records, diagnostics services, imaging services, and intranet services.
- The agencies also encourage healthcare and public health entities to take steps to prepare for ransomware:
- Maintain offline backups and regularly test those backups.
- Create, maintain, and exercise cyber incident response plans and associated communications.
- Secure personally identifiable information and personal health information at collection points and encrypt that data at rest and in transit, in accordance with requirements under HIPAA.
- Monitor mobile devices and Internet of Things (“IoT”) or “smart” devices that are behaving erratically.
- Create and regularly review internal policies regarding the collection, storage, access, and monitoring of personally identifiable information and personal health information.
- Deploy public key infrastructure and digital certificates to authenticate connections with the network, IoT devices, and electronic health records systems.
- Healthcare and public health entities are also encouraged to follow best practices for preventing ransomware:
- Secure and monitor remote desktop protocol and similar services.
- Implement user training around phishing and similar topics.
- Utilize multi-factor authentication, particularly for remote access, webmail, VPNs, critical systems, and systems that manage backups.
- Utilize strong passwords and avoid reusing passwords for multiple accounts.
- Require administrator credentials to install software.
- Audit user accounts with administrative or elevated privileges.
- Install and regularly update antivirus and anti-malware software.
- Avoid use of public wifi networks.
- Utilize an email banner to note messages originating outside of the organization.
- Disable hyperlinks in received emails.
The agencies discourage affected entities from paying ransoms associated with the Maui ransomware for two reasons: (1) doing so has not traditionally guaranteed recovery of affected data, and (2) pursuant to a September 2021 advisory from the Treasury Department, because of existing sanctions on North Korea, it is possible that paying ransoms may pose sanctions risks. Foley Hoag has issued two prior alerts on the sanctions risks posed by ransomware payments.
The agencies do, however, encourage all affected entities to report ransomware incidents to Federal authorities in order to assist the agencies with tracking, and responding to, these incidents.
Foley Hoag has comprehensive resources to help you protect against ransomware attacks, deal with an attack if you become a victim, and navigate potential sanctions risks:
- If you are a business, protect yourself against ransomware attacks by ensuring that your cyber security policies are updated and actively carried out, and build compliance steps into your incident response plan. Foley Hoag’s Cybersecurity Incident Response Team and the Privacy and Data Security Practice Group can advise on safeguarding company records, financial information, and other valuable information assets, and developing an effective incident response plan.
- If you are a service provider, contact the Foley Hoag Cybersecurity Incident Response Team and White Collar Crime & Government Investigations practice group to avoid facilitating a sanctions violation by developing and implementing a risk-based compliance program. Financial service providers should also be aware that there are certain compliance requirements related to ransomware payments under Financial Crimes Enforcement Network (“FinCEN”) regulations.
- If you are a victim, Foley Hoag’s Cybersecurity Incident Response Team can help you navigate your legal obligations after being attacked. Foley Hoag’s White Collar Crime & Government Investigations and Trade Sanctions & Export Controls practice group can advise on potential sanctions risks and assist with any communications with OFAC.