Maui ransomware has targeted healthcare and public health organizations since May 2021. Both the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have warned that state-sponsored cybercriminals have been using Maui to target U.S. healthcare organizations with increased frequency.
CISA encourages victims to report any suspected Maui ransomware incident and never to pay the ransom under any circumstances. According to the FBI, hackers are targeting healthcare organizations because they’re soft targets that are more likely to pay the ransom. After all, these organizations provide services critical to human life and health, and it’s in their best interest to get essential IT systems back up and running quickly.
Join us as we discover what Maui ransomware is, and learn what you can do to defend yourself from Maui. Atlantic.Net provides world-class HIPAA-compliant hosting services to healthcare businesses. We know the everyday risks U.S. healthcare companies face from hackers, and our HIPAA hosting services will protect your environment to the highest standards.
What Is Maui Ransomware?
Maui may not have been grabbing the headlines in recent months. However, it is still a severe threat to U.S. healthcare. Although the primary attack vector is unknown, it is understood that Maui is manually executed, and even the targeted files appear to be manually chosen.
As with all ransomware, the purpose of Maui is to encrypt sensitive files using unbreakable encryption, then demand a ransom payment (usually in bitcoin) from the victim before the “unlock” key is handed over. Strangely, the hackers leave no ransom note on a compromised server.
Maui uses a three-layer encryption technique: Advanced Encryption Standard (AES), Rivest–Shamir–Adleman (RSA), and XOR encryption are used to encrypt target files, and each file has a different encryption key. RSA encryption is used to encrypt the AES key, and XOR encryption is used to encrypt the RSA public key. Each XOR key is unique because it’s generated from hard drive information (\\.\PhysicalDrive0). As a result, decrypting the files without the attackers’ keys is not feasible.
Who Is Behind Maui Ransomware?
Several reports have surfaced that suggest the hacking group behind Maui is Andariel, a well-known group that usually targets South Korean companies in media, construction, manufacturing, and network services. In addition, it is believed they perform espionage, data theft, data wiping, and operations to raise revenues for state actors.
The U.S. State Department sees Andariel as a severe threat to national security. They have even included the hacking group on a $10 million reward program for information leading to the arrest of the hackers.
Why Is Healthcare Being Targeted?
U.S. healthcare is a financially lucrative industry that’s often perceived to have limited security capabilities. Healthcare organizations hold detailed sensitive information on patients, which is highly prized by cybercriminals. In addition, healthcare is a fast-paced industry, and hackers believe these organizations are more likely to pay the ransom to get systems back up and running.
Maui has targeted electronic health records (EHR), diagnostics services, imaging services, and intranet platforms. As a result, victims have reported prolonged outages due to Maui.
What Is the Impact of Maui Ransomware?
Due to Maui’s manual execution, the hackers target the most critical assets on the victim’s network. The number of healthcare institutions targeted by Maui is unknown, but at least $500,000 was recovered by the U.S. Department of Justice in one major incident. One known victim is the District of Kansas Medical Center, which paid approximately $100,000 in Bitcoin to regain access to file servers that had been offline for over a week due to Maui.
How Can You Protect Yourself?
The FBI, CISA, and the U.S. Treasury have urged healthcare organizations to take immediate action to reduce the risk of Maui ransomware. One of the best ways to meet this expectation is to make sure best security practices are adopted, and a compliant hosting platform like Atlantic.Net is utilized. This can significantly help to reduce the impact of ransomware and other malware attacks.
How to reduce the risk of ransomware:
- Encrypt Network Traffic – Limit access to IT systems by using multifactor PKI authentication and digital certificates to protect data transfer from healthcare networks, IoT medical devices, and electronic medical records.
- Enforce Strict Access Controls – Segregate all user access and follow the principle of least privilege. For example, disable pure admin accounts and deploy read-only access as standard.
- Disable Unnecessary OS Features – Operating systems should be built lean and include only the applications required to function. Containers make this process much simpler, but if you are still using traditional servers, disable services like Telnet, SSH, and HTTP by default.
- Secure Protected Health Information – Encrypt PHI at rest and in transit using TLS or TPS. Protect the PHI platform with firewalls, web application firewalls, and detailed SIEM logging platforms.
- Enforce Obfuscation – Encrypt and obfuscate sensitive data such as social security numbers, addresses, phone numbers, or financial records.
- Follow HIPAA Compliance – Ensure that all IT systems that manage or process Protected Health Information meet and exceed the physical, technical, and administrative requirements of HIPAA compliance.
- Monitor Everything – Detailed logging and automated alerting protect the network perimeter from unexpected access or state changes. Any deviation from normal behavior should trigger an alert for manual intervention.
- Patch Management – It is essential to patch all servers and applications regularly. Patching is one of the most effective ways to reduce the risk of ransomware.
- Protect Remote Access – Remote access via SSH or RDP over the public internet is not recommended. Instead, route traffic via a VPN or private internet gateway to access PHI systems. If remote access has to be done over the internet, secure it with strong passwords and MFA.
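The “Monitor Everything” point above is where a ransomware like Maui, which is run by hand against chosen files, becomes visible: one process suddenly rewriting or renaming files across several PHI shares. The following is an added example, not code from the original post or from Atlantic.Net; it runs a simple sliding-window heuristic over constructed file-audit log lines in an assumed `timestamp,process,action,path` format and flags processes that touch many files across several directories in a short window, while a backup agent writing many files into one directory is left alone.

```python
"""Flag ransomware-like mass file modification in constructed audit log lines.

Assumed (constructed) log format, one event per line:
    <ISO-8601 timestamp>,<process name>,<action>,<path>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import posixpath

WINDOW = timedelta(seconds=60)   # sliding window per process
MIN_FILES = 5                    # distinct files modified inside the window
MIN_DIRS = 2                     # ...spread across at least this many directories

def parse_line(line):
    ts, proc, action, path = line.strip().split(",", 3)
    return datetime.fromisoformat(ts), proc, action, path

def find_mass_writers(lines, window=WINDOW, min_files=MIN_FILES, min_dirs=MIN_DIRS):
    """Return {process: timestamp of first alert} for processes whose WRITE/RENAME
    events hit >= min_files distinct files in >= min_dirs directories within window."""
    recent = defaultdict(deque)   # process -> deque of (timestamp, path)
    alerts = {}
    for line in lines:
        ts, proc, action, path = parse_line(line)
        if action not in ("WRITE", "RENAME"):
            continue               # reads are normal clinical activity
        q = recent[proc]
        q.append((ts, path))
        while q and ts - q[0][0] > window:
            q.popleft()            # drop events that fell out of the window
        files = {p for _, p in q}
        dirs = {posixpath.dirname(p) for p in files}
        if len(files) >= min_files and len(dirs) >= min_dirs and proc not in alerts:
            alerts[proc] = ts      # a backup job writing to one folder never gets here
    return alerts

# Constructed sample: a backup agent (one directory), an EHR client, and a
# process that encrypts and renames files across three PHI shares in 12 seconds.
SAMPLE_LOG = """\
2023-03-01T09:00:00,backupagent.exe,WRITE,/backups/daily/ehr-001.bak
2023-03-01T09:00:01,backupagent.exe,WRITE,/backups/daily/ehr-002.bak
2023-03-01T09:00:02,backupagent.exe,WRITE,/backups/daily/ehr-003.bak
2023-03-01T09:00:03,backupagent.exe,WRITE,/backups/daily/ehr-004.bak
2023-03-01T09:00:04,backupagent.exe,WRITE,/backups/daily/ehr-005.bak
2023-03-01T09:05:00,ehrclient.exe,WRITE,/shares/records/patient-4471.xml
2023-03-01T09:05:09,ehrclient.exe,READ,/shares/records/patient-4472.xml
2023-03-01T09:10:00,unknownproc.exe,WRITE,/shares/records/patient-4471.xml
2023-03-01T09:10:02,unknownproc.exe,RENAME,/shares/records/patient-4471.xml.locked
2023-03-01T09:10:05,unknownproc.exe,WRITE,/shares/imaging/ct-2290.dcm
2023-03-01T09:10:07,unknownproc.exe,RENAME,/shares/imaging/ct-2290.dcm.locked
2023-03-01T09:10:10,unknownproc.exe,WRITE,/shares/lab/hba1c-batch.csv
2023-03-01T09:10:12,unknownproc.exe,RENAME,/shares/lab/hba1c-batch.csv.locked
""".splitlines()

if __name__ == "__main__":
    for proc, ts in find_mass_writers(SAMPLE_LOG).items():
        print(f"ALERT {ts.isoformat()} {proc}: mass file modification across shares")
```

Thresholds are deliberately low for the sample; in production they are tuned per server role so scheduled backup and imaging-archive jobs stay below them.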
How to reduce the impact of ransomware:
- Test Your Backup Strategy – Ensure that all critical PHI servers are backed up regularly on an encrypted backup schedule. In addition, backup copies should be kept at a secondary location to uphold data integrity.
- Create a Cyber Incident Response Plan – Organizations should ensure an incident response and communications plan is created that includes the response and notification procedures for ransomware or data breach incidents.
- Test Your Disaster Recovery Capability – Healthcare organizations must have disaster recovery (DR) capabilities to ensure that access to PHI is uninterrupted. The best way to achieve this is through a tried and tested DR strategy.
- Training – Training employees is essential, and additional training should be offered to high-risk employees such as executives, finance workers, and IT professionals.
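A backup that has never been restored is not yet a backup, and a copy that was already encrypted when it was taken is worthless in a Maui incident. The following is an added example, not code from the original post or from Atlantic.Net: it records a SHA-256 manifest of the protected files at backup time and checks a restored tree against it, so missing files and files whose contents no longer match (for instance, because they were encrypted before the backup ran) are reported during a scheduled restore test. Paths and file contents are constructed for the demonstration.

```python
"""Restore test: verify a restored backup against a manifest taken at backup time."""
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_restore(manifest, restored_root):
    """Return (missing, altered): files absent from the restore, and files whose
    restored contents no longer match the digest recorded when the backup ran."""
    missing, altered = [], []
    for rel, digest in manifest.items():
        full = os.path.join(restored_root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif sha256_file(full) != digest:
            altered.append(rel)
    return sorted(missing), sorted(altered)

def demo():
    """Constructed scenario: one file restores intact, one comes back as
    ciphertext-like junk, one is missing from the restored tree."""
    files = {"records/patient-4471.xml": b"<record id='4471'/>",
             "imaging/ct-2290.dcm": b"DICM" + b"\x00" * 64,
             "lab/hba1c-batch.csv": b"id,value\n4471,6.1\n"}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as restored:
        for rel, data in files.items():
            for root in (src, restored):
                os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(src)          # taken at backup time
        with open(os.path.join(restored, "records/patient-4471.xml"), "wb") as f:
            f.write(files["records/patient-4471.xml"])   # restored intact
        with open(os.path.join(restored, "imaging/ct-2290.dcm"), "wb") as f:
            f.write(b"\xde\xad" * 34)                    # encrypted before backup
        return verify_restore(manifest, restored)       # lab file never restored

if __name__ == "__main__":
    print("missing=%s altered=%s" % demo())
```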
How Can Atlantic.Net Help?
Atlantic.Net has over 30 years of experience providing high-end business solutions built to provide secure and compliant solutions. As a result, our platform gives our customers the necessary tools to help combat cybersecurity issues.
As a healthcare provider, you must consider a fully audited HIPAA-compliant server infrastructure for your organization. Contact our sales team today to learn more about our solutions. Get In Touch Today!