Federal Agencies Issue Alert Regarding Maui Ransomware

On July 7, 2022, three federal agencies – the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Department of the Treasury – issued a joint alert regarding Maui Ransomware, which has been linked to ransomware attacks on healthcare and public health entities carried out by North Korean state-sponsored cyber actors.

These are the key recommendations of the alert:

  • Since at least May 2021, the FBI has noted multiple ransomware incidents involving Maui ransomware in the healthcare and public health sector, targeting health records, diagnostics services, imaging services, and intranet services.
  • The agencies also encourage healthcare and public health entities to take steps to prepare for ransomware:
    • Maintain offline backups and regularly test those backups.
    • Create, maintain, and exercise cyber incident response plans and associated communications.
    • Secure personally identifiable information and personal health information at collection points and encrypt that data at rest and in transit, in accordance with requirements under HIPAA.
    • Monitor mobile devices and Internet of Things (“IoT”) or “smart” devices that are behaving erratically.
    • Create and regularly review internal policies regarding the collection, storage, access, and monitoring of personally identifiable information and personal health information.
    • Deploy public key infrastructure and digital certificates to authenticate connections with the network, IoT devices, and electronic health records systems.
  • Healthcare and public health entities are also encouraged to follow best practices for preventing ransomware:
    • Secure and monitor remote desktop protocol and similar services.
    • Implement user training around phishing and similar topics.
    • Utilize multi-factor authentication, particularly for remote access, webmail, VPNs, critical systems, and systems that manage backups.
    • Utilize strong passwords and avoid reusing passwords for multiple accounts.
    • Require administrator credentials to install software.
    • Audit user accounts with administrative or elevated privileges.
    • Install and regularly update antivirus and anti-malware software.
    • Avoid use of public wifi networks.
    • Utilize an email banner to note messages originating outside of the organization.
    • Disable hyperlinks in received emails.

The agencies discourage affected entities from paying ransoms associated with the Maui ransomware for two reasons: (1) doing so has not traditionally guaranteed recovery of affected data, and (2) pursuant to a September 2021 advisory from the Treasury Department, because of existing sanctions on North Korea, it is possible that paying ransoms may pose sanctions risks.  Foley Hoag has issued two prior alerts on the sanctions risks posed by ransomware payments.

The agencies do, however, encourage all affected entities to report ransomware incidents to Federal authorities in order to assist the agencies with tracking, and responding to, these incidents.

Foley Hoag has comprehensive resources to help you protect against ransomware attacks, deal with an attack if you become a victim, and navigate potential sanctions risks:


Leave a Reply

Your email address will not be published. Required fields are marked *