{"id":25375,"date":"2022-08-09T00:31:51","date_gmt":"2022-08-09T00:31:51","guid":{"rendered":"http:\/\/egrowonline.com\/?p=25375"},"modified":"2022-08-09T00:31:51","modified_gmt":"2022-08-09T00:31:51","slug":"ooda-loop-north-korea-tries-ransomware-again","status":"publish","type":"post","link":"http:\/\/egrowonline.com\/?p=25375","title":{"rendered":"OODA Loop &#8211; North Korea Tries Ransomware\u2026 Again"},"content":{"rendered":"<div>\n<p style=\"font-weight: 400\">The Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, recently published a joint <a target=\"_blank\" href=\"http:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-187a\" rel=\"noopener\">advisory<\/a> with the Federal Bureau of Investigation (FBI) and the Department of the Treasury on a suspected North Korean state-sponsored campaign using the Maui ransomware. The campaign has targeted healthcare and public health organizations in order to coerce compromised victims into paying ransoms.\u00a0 These operations have disrupted important healthcare functions such as access to health records and imaging services. 
Though the advisory did not state whether, or how many, victims paid the requested ransoms, a recent FBI operation recovered approximately <a target=\"_blank\" href=\"http:\/\/www.bleepingcomputer.com\/news\/security\/fbi-recovers-500-000-healthcare-orgs-paid-to-maui-ransomware\/\" rel=\"noopener\">USD 500,000<\/a> in Bitcoin that the extortionists had received.\u00a0 While that seizure was a success, it does not appear to have thwarted North Korean efforts in this area; the actors may simply turn to other global healthcare targets in an effort to circumvent such robust law enforcement responses.<\/p>\n<p style=\"font-weight: 400\">This is not the first time North Korea has engaged in ransomware activity.\u00a0 In 2017, North Korean actors executed the <a target=\"_blank\" href=\"http:\/\/www.justice.gov\/opa\/pr\/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and\" rel=\"noopener\">WannaCry<\/a> ransomware, a global campaign that <a target=\"_blank\" href=\"http:\/\/www.cbsnews.com\/news\/wannacry-ransomware-attacks-wannacry-virus-losses\/\" rel=\"noopener\">proliferated<\/a> to 150 countries and inflicted damages estimated as high as USD 4 billion.\u00a0 However, despite the magnitude of the infections, the North Korean actors did not garner a significant amount in ransom payments, especially by the standards later set by groups like LockBit and Conti.\u00a0 <a target=\"_blank\" href=\"https:\/\/theconversation.com\/how-wannacry-caused-global-panic-but-failed-to-turn-much-of-a-profit-77740\" rel=\"noopener\">Two reasons<\/a> have been cited for why, despite the wide propagation of the malware, it did not yield the returns one might have expected. 
First, WannaCry spread like a worm, propagating on its own and indiscriminately through unpatched systems rather than being delivered by spearphishing to chosen victims.\u00a0 Second, the malware struck organizations with legacy networks, many of which had backups from which they could recover the lost data.<\/p>\n<p style=\"font-weight: 400\">The Maui ransomware appears to be an upgrade on that earlier attempt.\u00a0 North Korea has likely been observing how ransomware gangs operate and learning from their activities.\u00a0 It is notable that North Korea chose to target primarily healthcare organizations with Maui.\u00a0 Ransomware first garnered global attention in 2016 by going after healthcare entities, many of which paid the ransoms because they needed to regain access to critical patient information. And while the top industries targeted by ransomware depend on which organization is reporting, according to a recent <a target=\"_blank\" href=\"http:\/\/www.helpnetsecurity.com\/2022\/06\/09\/ransomware-attacks-healthcare-sector\/#:~:text=Sophos%20has%20published%20a%20sectoral,were%20hit%20the%20previous%20year\" rel=\"noopener\">survey<\/a>, healthcare is the sector identified as most likely to pay the ransom.\u00a0 Therefore, it comes as little surprise that North Korea chose to focus on this sector with Maui, at least initially.<\/p>\n<p style=\"font-weight: 400\">North Korea has been at the forefront of governments committing hostile cyber activities more akin to those of cyber criminals than of nation states.\u00a0 In 2021, the Department of Justice expanded its <a target=\"_blank\" href=\"https:\/\/www.justice.gov\/opa\/pr\/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and\" rel=\"noopener\">indictment<\/a> of three North Korean military personnel for cyber crimes ranging from cyber-enabled bank heists and ATM cash-out thefts to the aforementioned WannaCry campaign, cryptocurrency theft, and a fraudulent Marine Chain token and initial coin offering scheme.\u00a0 Pyongyang views these activities 
as important sources of revenue that undermine stringent economic <a target=\"_blank\" href=\"https:\/\/www.heritage.org\/cybersecurity\/commentary\/north-korea-cybercrimes-undermine-sanctions-and-threaten-america\" rel=\"noopener\">sanctions<\/a> and ease their pain, as well as a way to fund key national security priorities like its <a target=\"_blank\" href=\"https:\/\/www.bbc.com\/news\/world-asia-60281129\" rel=\"noopener\">missile program<\/a>.\u00a0 North Korea has been very successful in these efforts. According to a 2019 United Nations report, North Korea netted an estimated <a target=\"_blank\" href=\"https:\/\/www.bbc.com\/news\/world-asia-60281129\" rel=\"noopener\">USD 2 billion<\/a> for its weapons of mass destruction programs via cybercrime.\u00a0 In 2021, a cybersecurity vendor\u2019s report revealed that North Korea stole as much as <a target=\"_blank\" href=\"https:\/\/www.bbc.com\/news\/business-59990477\" rel=\"noopener\">USD 400 million<\/a> worth of digital assets in at least seven attacks on cryptocurrency platforms. While many other governments treat the digital domain primarily as an asymmetric weapon, North Korea also sees its untapped potential to supplement its financial needs.<\/p>\n<p style=\"font-weight: 400\">However, it appears that North Korea\u2019s ransomware operations are still a work in progress.\u00a0 Ransomware has proven so lucrative for criminal groups that failing to capitalize on it must be frustrating for a state so adept at stealing money in the digital domain. While it appears to have been collecting ransoms from its recent Maui campaign, the FBI threw an unexpected wrench in its plans, reportedly the result of quick reporting by a U.S.-based victim to the nation\u2019s premier law enforcement agency. 
\u00a0The FBI was able to promptly trace the payment and the subsequent movement of the cryptocurrency, an important lesson for future consideration: prompt victim reporting gives law enforcement a chance to follow and seize funds before they are laundered.\u00a0 This was an obvious and unexpected turn of events, and how North Korea adjusts to this quick response will be telling.\u00a0 It is not known why the attackers focused on U.S. healthcare targets, though they likely believed they could command a good price for what has become almost standard operating procedure: an organization is hit by ransomware, and it pays the ransom.\u00a0 Now, with a chunk of the Maui profits seized, it will be noteworthy to see how they change their targeting strategy, perhaps taking a note from Conti and seeking targets in less developed countries with notoriously weak cybersecurity practices.<\/p>\n<p style=\"font-weight: 400\">It also remains to be seen whether North Korea will try to exploit ransomware\u2019s broader functionality or keep trying to perfect its financial returns.\u00a0 As a state, North Korea has engaged in disruptive and destructive operations in response to periods of geopolitical tension or perceived transgressions against the Hermit Kingdom. These attacks have ranged from distributed denial-of-service (<a target=\"_blank\" href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/TA17-164A\" rel=\"noopener\">DDoS<\/a>) attacks to the deployment of <a target=\"_blank\" href=\"https:\/\/threatpost.com\/dhs-fbi-warn-of-north-korea-hidden-cobra-strikes-against-us-assets\/126263\/\" rel=\"noopener\">wiper<\/a> malware to destroy data on targeted systems.\u00a0 Using ransomware for similar purposes seems a logical extension, with the added benefit of potentially collecting ransom payments from desperate victims. There is also the data exfiltration element tied to modern ransomware operations. 
Although North Korea is best known for its use of the cyber domain for criminal and disruptive activities, ransomware as a means of data theft is a possibility, and one that could bolster North Korea\u2019s cyber espionage program, a capability it possesses but does not appear to rely on as extensively as other states do.<\/p>\n<p style=\"font-weight: 400\">Pyongyang has been steadily developing its offensive cyber capabilities for several years and has been tied to some of the more noteworthy incidents that have garnered global attention and forced discussions about how states use cyber attacks.\u00a0 It has benefited tremendously from a combination of academic exchanges and partnerships, indigenous technological development, and foreign assistance, and it poses perhaps the most significant state threat to the global financial sector.\u00a0 A robust ransomware capability would be a formidable arrow in its cybercrime quiver, one that could provide other benefits depending on how Pyongyang chooses to use it.\u00a0 Though it still appears to be finding its way with respect to unleashing ransomware\u2019s full capacity, any potential future gains outweigh current setbacks.\u00a0 Therefore, North Korea can be expected to continue refining its ransomware operations because, if done correctly, they will help Pyongyang sustain its regime and its sovereignty.<\/p>\n<\/div>\n<p>
<a href=\"https:\/\/www.oodaloop.com\/archive\/2022\/08\/08\/north-korea-tries-ransomware-again\/\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, recently published a joint advisory with the Federal Bureau of Investigation (FBI) and the Department of the Treasury on a suspected North Korean state-sponsored campaign using the Maui ransomware. The campaign has targeted healthcare and public health organizations in order to coerce compromised victims into paying ransoms.\u00a0 These operations have disrupted [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":25376,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[39],"tags":[1009,10242,1008,10241,9636],"class_list":["post-25375","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ico","tag-korea","tag-loop","tag-north","tag-ooda","tag-ransomware"],"jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"http:\/\/egrowonline.com\/wp-content\/uploads\/2022\/08\/North-Korea-Threat.jpg","_links":{"self":[{"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/posts\/25375","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2
5375"}],"version-history":[{"count":1,"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/posts\/25375\/revisions"}],"predecessor-version":[{"id":25377,"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/posts\/25375\/revisions\/25377"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/media\/25376"}],"wp:attachment":[{"href":"http:\/\/egrowonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=25375"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=25375"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=25375"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}