A joint Cybersecurity Advisory (CSA) has revealed that the Democratic People's Republic of Korea (DPRK) is doing its best to become the New Kids on the Block (NKOTB) of ransomware.
A Feb. 9, 2023, alert issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) provides an overview of the DPRK's state-sponsored ransomware and "updates the July 6, 2022, joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector. This advisory highlights TTPs and IOCs DPRK cyber actors used to gain access to and conduct ransomware attacks against Healthcare and Public Health (HPH) Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors' use of cryptocurrency to demand ransoms."
The CSA provides updates to earlier alerts of malicious cyber actor activities involving DPRK ransomware campaigns—namely Maui and H0lyGh0st ransomware. The authoring agencies are issuing this advisory to highlight additional observed TTPs that DPRK cyber actors are using to conduct ransomware attacks targeting South Korean and U.S. healthcare systems.
The tactics, techniques, and procedures (TTPs) the DPRK deploys range from acquiring infrastructure to concealing DPRK affiliation. Specifically, the alert says, DPRK cyber actors:
- Acquire infrastructure. DPRK actors generate domains, personas, and accounts, and identify cryptocurrency services to conduct their ransomware operations. Actors procure infrastructure, IP addresses, and domains with cryptocurrency generated through illicit cybercrime, such as ransomware and cryptocurrency theft.
- Obfuscate identity. DPRK actors purposely obfuscate their involvement by operating with or under third-party foreign affiliate identities and use third-party foreign intermediaries to receive ransom payments.
- Purchase VPNs and VPSs. DPRK cyber actors will also use virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses to appear to be from innocuous locations instead of from DPRK.
- Gain access. Actors exploit common vulnerabilities and exposures (CVEs) to gain access to and escalate privileges on networks. Recently observed CVEs that actors used to gain access include remote code execution in the Apache Log4j software library (CVE-2021-44228, known as Log4Shell) and remote code execution in unpatched SonicWall SMA 100 appliances.
- Move laterally and perform discovery. After initial access, DPRK cyber actors use staged payloads with customized malware to perform reconnaissance, upload and download additional files and executables, and execute shell commands. The staged malware is also responsible for collecting victim information and sending it to a remote host controlled by the actors.
- Employ various ransomware tools. Actors have used privately developed ransomware, such as Maui and H0lyGh0st. Actors have also been observed using or possessing publicly available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom. In some cases, DPRK actors have portrayed themselves as other ransomware groups, such as the REvil ransomware group.
- Demand ransom in cryptocurrency. DPRK cyber actors have been observed setting ransoms in Bitcoin. Actors are known to communicate with victims via Proton Mail email accounts. For private companies in the healthcare sector, actors may threaten to expose a company's proprietary data to competitors if ransoms are not paid.
The joint CSA was issued by several agencies, including the United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), CISA, the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA).
Read the full alert for recommended ransomware mitigations and incident response procedures.