The U.S. government said Wednesday that North Korea is behind a recent strain of ransomware cyberattacks on hospitals and other health care facilities.
The warning is the starkest alert to date that North Korea, which the U.S. has long alleged uses its hackers to raise money for state programs like its nuclear weapons development, has turned to locking up essential American services as a new way to generate money for the state.
In its joint warning, the FBI, Treasury Department and Cybersecurity and Infrastructure Security Agency said North Korean government hackers have been using a strain of ransomware called Maui to infect American hospitals since May 2021.
“North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services,” the agencies said.
Ransomware, in which hackers encrypt a victim’s computer networks and demand a key to make them usable again, has become a lucrative criminal enterprise in recent years. Hackers behind it made at least $731 million last year, according to an estimate from cybersecurity company Chainalysis.
U.S. health care facilities are frequent targets of ransomware attacks. There is one known incident in which an American has allegedly died because of a ransomware attack: In 2020, an Alabama mother claimed in a lawsuit that her newborn died because of poor care after her hospital was hacked.
The North Korean mission at the United Nations didn’t immediately respond to an emailed request for comment.
Little is public about the victims of North Korea’s Maui ransomware. Unlike many ransomware groups, Maui’s operators don’t host a public website to name-and-shame victims to encourage them to pay.
Allan Liska, a ransomware analyst at the cybersecurity company Recorded Future, said he’s learned through confidential industry conversations of “about a dozen” clinics, hospitals and urgent care facilities that have been victims of Maui, but he couldn’t name them publicly.
Maui’s operators appear to follow the same tactics as most of the major criminal ransomware gangs, Liska said. Those tend to be composed of members across Russia and Eastern Europe. There are some indications of gangs having tacit approval from their country’s government.
Major North Korean hacking operations act with direct supervision, said John Hultquist, the vice president of intelligence analysis at the cybersecurity firm Mandiant.
“They’re essentially trying to raise money. They’re funding the regime. That’s their job,” Hultquist said.
Western government officials and cybersecurity workers have said North Korea was behind a number of high-profile attacks for large sums of money in recent years. A major North Korean hacking unit took nearly $400 million in cryptocurrency last year, researchers found, and the Treasury Department said North Korean hackers stole $600 million in an attack earlier this year on the game Axie Infinity.
“Unfortunately, ransomware actors have recognized the value of targeting health care, because they pay out,” Hultquist said.
“There are plenty of them that lack the ethics that could otherwise stop them,” he said. “I ultimately think the North Koreans are unconcerned about any kind of retribution.”
