Newsletter 02/19/2023

Uncle Sam Traces Ransomware Attacks on Hospitals to North Korea 
And Creates a Very Good Website on the Topic


source: https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3293960/us-south-korean-agencies-partner-to-stopransomware-threat-from-dprk/

On February 9, 2023, several different law enforcement and security agencies from Uncle Sam, together with the government of South Korea, released a joint press statement that outlined the many ways the Democratic People's Republic of Korea (DPRK) — that Hermit Kingdom we call North Korea — has leveraged well-known computer vulnerabilities to deploy ransomware attacks.  The gist of the Press Release is well summarized in one paragraph.

DPRK cyber actors have been using cryptocurrency generated through illicit cybercrime activities to procure infrastructure such as IP addresses and domains. The actors intend to conceal their affiliation and then exploit common vulnerabilities and exposures (CVE) in order to gain access and escalate privileges on targeted networks to perform ransomware activities.

The Announcement and the Press Release are both parts of a larger initiative by the Feds to increase awareness of ransomware and of how computer users, businesses large and small as well as individual users, can best protect themselves from ransomware attacks; the initiative also offers mitigations and useful suggestions in the event of an attack.  To this end, Uncle Sam has set up a website devoted to this Pirate Scourge of the 21st century with a clear, direct title: STOPRANSOMWARE.  URL: https://www.cisa.gov/stopransomware

Each box you see is a link to another web publication by the Feds.  The first box brings up Alert (AA23-040A), "#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities," published by the Cybersecurity and Infrastructure Security Agency (CISA).  CISA has been referenced many times in The Dispatches From the Front.  This document is the US government's official version of the joint release between the governments of the US and South Korea.  This document also links to the specifics of how North Korea has exploited known computer vulnerabilities to launch ransomware attacks.  That document, Alert (AA22-187A), "North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector," is the framework around which Uncle Sam has developed the strategies it is promoting to combat ransomware.

Alert (AA23-040A) also links to a 19-page in-depth report and analysis of all the various ways North Korea has deployed ransomware to fund its various illegal activities, at least illegal according to accepted standards of international law and norms.  The report, titled "#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities," states the mission of this effort by the Feds clearly in the summary that begins the document.

This Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and various ransomware threat actors. These #StopRansomware advisories detail historically and recently observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn about other ransomware threats and no-cost resources.

A simple graphic from the NSA Twitter feed shows the steps North Korean actors use to launch ransomware attacks.


source: https://twitter.com/NSACyber/status/1623744973827985408/photo/1

A great deal of the 19-page document is highly technical and most relevant to networked systems and their administrators, and therefore not within the scope of The Dispatches.  This blog is written more from the ground level.  Nonetheless, much of the PDF document will sound familiar to those who regularly read this blog — especially certain entries in the Mitigations section.  A few of The Greatest Hits are worth mentioning.  In the original PDF document some of the quotes below have links to other technical documents relevant to that specific subject.

Maintain isolated backups of data, and regularly test backup and restoration.
Install updates for operating systems, software, and firmware as soon as they are released.
If you use Remote Desktop Protocol (RDP), or other potentially risky services, secure and monitor them closely.
Use strong passwords and avoid reusing passwords for multiple accounts.

And...

If a ransomware incident occurs at your organization:
Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. This should be performed using an isolated, trusted system to avoid exposing backups to potential compromise.

Door Number 2 of STOPRANSOMWARE opens to a separate and quite useful website maintained by our Dear Uncle Sam.  This website has A Great Caesar's Ghost! type of title: I'VE BEEN HIT BY RANSOMWARE!

One useful feature of the website is the search engine that allows a visitor to search Fed websites for information concerning computer security in general, and malware attacks specifically.  The websites maintained by the various US government agencies are among the most authoritative there are, and are also considered as safe as any websites can be.  Unless you commit a crime, Uncle Sam only wants your money one day a year, and does not try to hide that fact.  A search on "Man in the Middle" brought up the following links, each referencing a government website:

The FAQs section is another useful place to visit.  Essentially whatever you need to know about ransomware is available in one well-organized space.


Our third box links to the Catalog of Common Vulnerabilities and Exposures (CVE) maintained by CISA.  Regular readers will remember that CVEs are how security professionals label and track what is broken and must be fixed in both hardware and software. CVEs are often referenced in The Dispatches when referring to a specific vulnerability.

It is especially gratifying for me to see Uncle Sam engaging in the cyberwar at all levels.  Ransomware is where the cyberwar has the greatest threat of harming any one of us.  When just another yahoo like me is swearing at no one and everyone that this hydra-headed monster is a real and present threat to Western Civilization itself, well, that can, at best, be so much hyperbole; and, at worst, be evidence of some form of mental illness.  But whenever Uncle Sam steps into something, everything around that something gets real real — real fast.

On January 20, 2023, I posted about how the New York State Legislature was considering holding hearings to get to the bottom of who is behind the ransomware attacks that were crippling NY hospitals and schools.  My somewhat snarky, but otherwise honest, response to that news was: why not save NY taxpayers a bunch of money and just read what the Feds put out on the subject?  Well, how about you start here, Governor Hochul?


source: https://www.top10films.co.uk/39366-network-still-mad-hell/

¯\_(ツ)_/¯
Gerald Reiff