DPRK Critical Infrastructure Ransomware Attacks

Overview

The Cybersecurity Advisory (CSA) has collaborated on the #StopRansomware campaign which is responsible for publishing advisories for various ransomware threat actors worldwide. One major ransomware case that has come up again is the Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IoCs) of the DPRK, known as The Democratic People’s Republic of Korea, or the country of North Korea. These DPRK cyber actors are attempting to gain access to Healthcare and Public Health organizations by acquiring their records and taking over their systems with no intent to release them without payment in cryptocurrency.

Some distinguishable TTPs that have been traced to the ransomware attacks include:

• Acquire Infrastructure – threat actors generate domains, personas, and accounts and identify cryptocurrency services to conduct ransomware operations.
• Obfuscate Identity – threat actors will intentionally confuse and deny their abilities by infiltrating through a third-party affiliate to receive ransom payments.
• Purchase VPNs and VPSs – Cyber actors will use Virtual Private Networks and Virtual Private Sectors to appear from other locations outside of the DPRK.
• Gain Access – Actors will use CVEs to gain access and perform privileged escalation attacks on networks. Known CVEs related to the DPRK recent attacks are CVE-2021-44228, CVE-2021-20038, and CVE-2022-24990
• Move Laterally and Discovery – Once in the network, threat actors use staged payloads with malware to download more files, execute shell commands, and more. This also gives them the opportunity to steal victim information and send it to the remote host under their control.
• Employ Various Ransomware Tools – Threat actors have privately created ransomware, Maui and H0lyGh0st. They also have been observed using multiple encryption tools, and posing as other ransomware groups
• Demand Ransom in Cryptocurrency – Threat actors have been leaving ransoms in bitcoin currency. This could be a one-on-one threat to a victim through an email or set to a healthcare organization, threatening to expose a company’s data to competitors if ransoms are not paid.

Mitigations

Since Healthcare and Public Health organizations have been the initial target, authoring agencies have advised all organizations to do some of the following:

• Least privilege when it comes to accessing sensitive data, and implementing two-factor authentication and encryption.
• Limit access to data by implementing a VPN with any network services.
• Turn off any weak or unnecessary network device management interfaces, including Telnet, SSH, and HTTP for WAN’s and ensure they are secured with strong passwords and encryption.
• Secure the collection and storage of any PII. This also includes processing PII internally and externally.
• Implement monitoring tools to observe when IoT devices start to show signs of compromise

Separately, but still important, it is crucial to maintain backups of any data and regularly test these backups within your environment. A simple way to stop threat actors from infiltrating through devices or software is to regularly patch those systems. When a new update is released, or end-of-life is announced, it is important to install updates. See the updates on this ransomware attack from CISA for more ways to protect your organization, as well as examples for each of the TTP’s listed above.

Whether your organization is in the health sector or not, it is important to be aware and up to date on current ransomware attacks, their tactics, techniques, and procedures that could be floating around your environment.

Sources

https://www.cisa.gov/uscert/ncas/alerts/aa23-040a – CISA Update
https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF – PDF for Sharing
https://www.infosecurity-magazine.com/news/us-warns-critical-sectors-north/ – InfoSecurity update
https://www.cisa.gov/uscert/ncas/alerts/aa22-187a – July 2022 Update CISA