CISA, South Korean Agencies Issue Joint Warning on North Korean Ransomware


The new cybersecurity advisory spotlights North Korean-backed actors targeting healthcare networks with ransomware.

A bilateral group of government agencies issued a Cybersecurity Advisory Monday highlighting ransomware attacks on digital networks and critical infrastructure, particularly against healthcare systems.

The U.S. Cybersecurity and Infrastructure Security Agency published the warning along with examples of known malicious file names and file hashes documented in ransomware attacks linked to North Korean state-sponsored actors.
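Indicator lists of the kind the advisory publishes (file names and hashes) are only useful once a defender compares them against what is actually on disk. The following is an added example, not code from CISA or the advisory, showing a simple way to do that: walk a directory tree, hash every file with SHA-256, and flag files whose hash or name appears in an indicator set. The indicator values here are constructed stand-ins generated at runtime, not the advisory's real hashes; `scan_directory` and `build_demo_tree` are names chosen for this example.

```python
"""Match files on disk against an indicator-of-compromise list (constructed example)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root: Path, ioc_hashes: set[str], ioc_names: set[str]) -> list[dict]:
    """Return one record per file that matches an indicator hash or file name.

    A hash match is strong evidence; a file-name match alone is only a triage
    signal, since benign files can share names with published indicators, so the
    record says which of the two matched.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                file_hash = sha256_file(path)
            except OSError:
                # Unreadable file (permissions, vanished during scan): skip, do not crash the sweep.
                continue
            matched_on = []
            if file_hash in ioc_hashes:
                matched_on.append("hash")
            if name.lower() in ioc_names:
                matched_on.append("filename")
            if matched_on:
                hits.append({"path": str(path), "sha256": file_hash, "matched_on": matched_on})
    # Deterministic ordering makes the output easy to diff between scans.
    hits.sort(key=lambda h: h["path"])
    return hits


def build_demo_tree() -> tuple[Path, set[str], set[str]]:
    """Create a small constructed directory tree plus a matching indicator set.

    The 'malicious' file is plain constructed bytes; its hash is taken at runtime
    to stand in for a hash a real advisory would list.
    """
    root = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    (root / "report.docx").write_bytes(b"benign document contents")
    (root / "bin").mkdir()
    flagged = root / "bin" / "updater.exe"
    flagged.write_bytes(b"CONSTRUCTED sample standing in for a file whose hash an advisory lists")
    (root / "notes.txt").write_bytes(b"plain text with a name that happens to be on the list")
    ioc_hashes = {sha256_file(flagged)}      # constructed placeholder, not a real indicator
    ioc_names = {"notes.txt"}                # constructed placeholder, not a real indicator
    return root, ioc_hashes, ioc_names


if __name__ == "__main__":
    demo_root, hashes, names = build_demo_tree()
    for hit in scan_directory(demo_root, hashes, names):
        print(f"{hit['path']}  sha256={hit['sha256'][:16]}...  matched_on={hit['matched_on']}")
```

In practice the indicator sets would be loaded from the advisory's published list rather than constructed, and a hash-only match should be treated as the actionable result; name-only matches are worth a look but not an incident on their own.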

CISA was joined by the National Security Agency, the Federal Bureau of Investigation and the Department of Health and Human Services, as well as the Republic of Korea’s Defense Security Agency and National Intelligence Service, in issuing the CSA.

“In addition to other tactics, these malicious cyber actors have been exploiting vulnerabilities, such as Log4Shell CVE-2021-44228, SMA100 Apache CVE-2021-20038, and/or TerraMaster OS CVE-2022-24990, to gain access and escalate privileges on victims’ networks,” the advisory notes.

After gaining initial access, the ransomware actors use staged payloads, that is, malicious code delivered to the victim in stages rather than all at once, including proprietary malware built for attacking networks. The advisory also notes that the attackers usually demand ransom payments in cryptocurrency.

“The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments,” the advisory said. 

In addition to targeting healthcare networks, the agencies said that North Korean cyber actors also attacked Department of Defense and Defense Industrial Base information networks. CISA advises victims not to pay ransoms, because payment does not guarantee that the malware is removed and could violate sanctions.

Federal authorities and law enforcement have been aware of North Korea’s ransomware attacks for at least a year, particularly against sensitive healthcare networks. The increasing volume and growing threat capacity prompted U.S. lawmakers to inquire into HHS’s capabilities to adequately defend its networks from ransomware and other cyber attacks.

The U.S. also recently entered into a novel partnership with the United Kingdom to combat the Russian cybercrime gang Trickbot, which has also been known to attack healthcare digital networks.