Heimdal
Home > Cybersecurity News

North Korean Hackers Target the Healthcare Sector with Ransomware

The Ransomware Operations Are Meant to Bring Illegal Revenue to the North Korean State.

Last updated on July 27, 2023

article featured image

Contents:

U.S. and South Korean cybersecurity and intelligence agencies warned in a joint advisory that North Korean hackers are launching ransomware attacks against healthcare and critical infrastructure facilities to fund illicit activities.

The attacks, which demand cryptocurrency ransoms in exchange for recovering access to encrypted files, are mainly designed to support North Korea’s objectives.

In their joint advisory, the authorities claim that the attacks include…

…cyber operations targeting the United States and South Korea governments — specific targets include Department of Defense Information Networks and Defense Industrial Base member networks.

Source

The North Korean APT

For years, North Korean threat actors have been linked to espionage, financial theft, and cryptojacking operations, such as the WannaCry ransomware attack of 2017, which at that point was one of the most devastating cyber-attacks ever seen.

In 2022, North Korean hackers stole virtual assets estimated to be worth between $630 million and $1 billion, according to a new UN report, which said the increasingly sophisticated techniques are meant to gain access to digital networks involved in cyberfinance, as well as steal information from governments, companies, and individuals that could be useful in North Korea’s nuclear and ballistic missile programs.

As part of their attack chains, the hacker crew exploits known security flaws in Apache Log4j (CVE 2021-44228), SonicWall (CVE-2021-20038), and TerraMaster NAS appliances (CVE-2022-24990) in order to gain initial access, followed by reconnaissance, lateral movement, and ransomware deployment.

According to THN, threat actors have also been observed using off-the-shelf tools such as BitLocker, DeadBolt, ech0raix, Jigsaw, and YourRansom to encrypt files, as well as impersonating other ransomware groups. Inclusion of DeadBolt and ech0raix marks the first time government agencies have formally tied the ransomware strains to a specific adversary.

An alternative method to distribute the malware is via trojanized files of a messenger app called X-Popup in attacks targeting small and medium-size hospitals in South Korea.

Mitigations

Among the mitigations recommended in the advisory, the authorities mentioned:

  • Limit access to data by authenticating and encrypting connections, such as using public key infrastructure certificates in virtual private network (VPN) and transport layer security (TLS) connections.
  • Implement the principle of least privilege by using standard user accounts on internal systems instead of administrative accounts, which grant excessive system administration privileges.
  • Turn off weak or unnecessary network device management interfaces, such as Telnet, SSH, Winbox, and HTTP for wide area networks (WANs) and secure with strong passwords and encryption when enabled.
  • Protect stored data by masking the permanent account number (PAN) when displayed and rendering it unreadable when stored—through cryptography, for example.
  • Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer.
  • Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.

For more relevant steps, you can find the full report here.

Heimdal Official Logo
Neutralize ransomware before it can hit.

Heimdal™ Ransomware Encryption Protection

Specifically engineered to counter the number one security risk to any business – ransomware.
  • Blocks any unauthorized encryption attempts;
  • Detects ransomware regardless of signature;
  • Universal compatibility with any cybersecurity solution;
  • Full audit trail with stunning graphics;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Can Heimdal® Help You?

The answer is Yes! Heimdal`s Ransomware Encryption Protection is universally compatible with any antivirus solution and 100% signature-free, ensuring superior detection and remediation of all types of ransomware.

A unified dashboard and agent ensure exceptional endpoint protection, monitoring, and response with all of our cybersecurity solutions.

If you liked this article, follow us on LinkedInTwitterFacebookYouTube, and Instagram for more cybersecurity news and topics.

Do you work for an NHS Trust? Heimdal is giving you free ransomware licenses to combat growing cyber attacks.

Get your free ransomware protection here.

Author Profile

Mihaela Popa

COMMUNICATIONS & PR OFFICER

Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.

Related Articles

Locking Out Cybercriminals: Here’s How to Prevent Ransomware AttacksLazarus Group Is Responsible for $100 Million Cryptocurrency TheftHow Does Ransomware Spread? Here’s What You Need to KnowWhat Is Targeted Ransomware and How Does It WorkHow to Mitigate Ransomware?Ransomware Explained. What It Is and How It Works

Leave a Reply

Your email address will not be published. Required fields are marked *

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE
linkedin
youtube
facebook
x

resources

company

newsletter

© 2024 Heimdal®

Vat No. 35802495, Vester Farimagsgade 1, 2 Sal, 1606 København V