North Korean Hackers Targeting Healthcare with Ransomware to Fund its Operations

State-backed hackers from North Korea are conducting ransomware attacks against healthcare and critical infrastructure facilities to fund illicit activities, U.S. and South Korean cybersecurity and intelligence agencies warned in a joint advisory.

The attacks, which demand cryptocurrency ransoms in exchange for recovering access to encrypted files, are designed to support North Korea’s national-level priorities and objectives.

This includes “cyber operations targeting the United States and South Korea governments — specific targets include Department of Defense Information Networks and Defense Industrial Base member networks,” the authorities said.

Threat actors with North Korea have been linked to espionage, financial theft, and cryptojacking operations for years, including the infamous WannaCry ransomware attacks of 2017 that infected hundreds of thousands of machines located in over 150 countries.

Since then, North Korean nation-state crews have dabbled in multiple ransomware strains such as VHD, Maui, and H0lyGh0st to generate a steady stream of illegal revenues for the sanctions-hit regime.

Besides procuring its infrastructure through cryptocurrency obtained via its criminal activities, the adversary is known to create fake personas, function under third-party foreign affiliate identities, employ intermediaries, and utilize VPNs to conceal its origins.

Attack chains mounted by the hacking crew entail the exploitation of known security flaws in Apache Log4j, SonicWall, and TerraMaster NAS appliances (e.g., CVE 2021-44228, CVE-2021-20038, and CVE-2022-24990) to gain initial access, following it up by reconnaissance, lateral movement, and ransomware deployment.

In addition to using privately developed ransomware, the actors have been observed leveraging off-the-shelf tools like BitLocker, DeadBolt, ech0raix, Jigsaw, and YourRansom for encrypting files, not to mention even impersonating other ransomware groups such as REvil.

The inclusion of DeadBolt and ech0raix is notable as it marks the first time government agencies have formally tied the ransomware strains, which are notable for repeatedly targeting QNAP NAS devices, to a specific adversarial group.

One of the alternative methods used to distribute the malware is via trojanized files of a messenger app called X-Popup in attacks targeting small and medium-size hospitals in South Korea.

As mitigations, the agencies recommend organizations to implement the principle of least privilege, disable unnecessary network device management interfaces, enforce multi-layer network segmentation, require phishing-resistant authentication controls, and maintain periodic data backups.

The alert comes as a new report from the United Nations found that North Korean hackers stole record-breaking virtual assets estimated to be worth between $630 million and more than $1 billion in 2022.

The report, seen by the Associated Press, said the threat actors used increasingly sophisticated techniques to gain access to digital networks involved in cyberfinance, and to steal information from governments, companies, and individuals that could be useful in North Korea’s nuclear and ballistic missile programs.

It further called out Kimsuky, Lazarus Group, and Andariel, which are all part of the Reconnaissance General Bureau (RGB), for continuing to target victims with the goal of creating revenue and soliciting information of value to the hermit kingdom.