The Department of Homeland Security recently published a joint advisory along with the Federal Bureau of Investigation (FBI) and the Department of Treasury on suspected North Korean state-sponsored ransomware campaign implementing the Maui malware. The campaign has been targeting healthcare-related organizations for the purposes of coercing compromised victims into paying ransoms.  These operations have successfully disrupted some important healthcare functionality such as access to health records and imagining services. Though the advisory did not relate if and how many victims paid the requested ransoms, recent FBI operations recovered approximately USD 500,000 in Bitcoin that the extortionists had received.  While these actions have proven successful, it does not appear to have thwarted North Korean efforts in this capacity, who may turn to other global healthcare targets in an effort to circumvent such robust law enforcement responses.

This is not the first time North Korea has engaged in ransomware activities.  In 2017, North Korea actors executed the WannaCry ransomware, a global campaign that proliferated to 150 countries, and inflicting damages as high as USD 4 billion.  However, despite the magnitude of the infections, the North Korea actors did not garner a significant amount in ransom payments, especially by the standards set by groups like LockBit and Conti.  Two reasons have been cited for why despite the wide propagation of the malware, it did not yield the results one might have thought. First, WannaCry spread like a worm, independently and through unpatched systems rather than being delivered by spearphishing.  Second, the malware struck organizations with legacy networks, many of which had backups that could recover lost data.

The Maui ransomware appears to be an upgrade from this previous attempt.  North Korea likely has been observing how ransomware gangs operate and learning from their activities.  It is notable that North Korea decided to target primarily healthcare organizations with Maui.  Ransomware first garnered global attention in 2016 by going after healthcare entities, many of which paid the ransoms due to the need to get access to critical patient information. And while the top industries targeted by ransomware depends on what organization is reporting, according to a recent survey, healthcare is the one that has been identified as being the most likely to pay the ransom.  Therefore, it comes as little surprise that North Korea chose to focus on this one with Maui, at least initially.

North Korea has been on the forefront of a government committing hostile cyber activities more akin to cyber criminals than nation states.  In 2021, the Department of Justice expanded its indictment of three North Korean military personnel for cyber crimes ranging from cyber-enabled bank heists; ATM cash-out thefts; the aforementioned WannaCry campaign; cryptocurrency theft; and marine chain token and initial coin offering.  Pyongyang views these activities as important revenue sources that undermine and ease the pain of stringent economic sanctions, as well as to fund key national security priorities like its missile program.  North Korea has been very successful in these efforts. According to a 2019 United Nations report, North Korea netted and estimated USD 2 billion for its weapons of mass destruction programs via cybercrime.  In 2021, a cybersecurity vendor’s report revealed that North Korea stole as much as USD 400 million worth of digital assets from at least seven attacks on cryptocurrency platforms. While many other governments focus on the digital domain as an asymmetric weapon, North Korea sees its untapped potential to supplement its financial needs.

However, it appears that North Korea’s ransomware operations are still a work in progress.  The boon tied to ransomware operations has been so lucrative, failing to capitalize on them must be frustrating for a state so adept at stealing money in the digital domain. While it appears to have been making ransom off of its recent Maui campaign, the FBI threw an unexpected wrench in its plans, the result of alleged quick reporting from a U.S.-based victim to the nation’s premiere law enforcement agency.  The FBI was able to promptly trace payment and cryptocurrency activity, an important lesson gleaned for future consideration.  This was an obvious unexpected turn of events, and how North Korea adjusts to this quick response will be telling.  It is not known why they focused on U.S. healthcare targets though the attackers likely believed that they would be able to command a good price point for what is almost standard operating procedures – an organization gets exploited by ransomware, it pays the ransom.  Now, with a chunk of the profits made from Maui seized, it will be noteworthy to see how they change their targeting strategies, perhaps taking a note from Conti and seek targets in lesser developed countries with notoriously weak cybersecurity practices.

It also remains to be seen if North Korea will try to exploit ransomware’s diverse functionality or still try to perfect its financial benefit.  As a state, North Korea has engaged in disruptive and destructive operations in response to periods of geopolitical tension or perceived transgressions against the Hermit Kingdom. These attacks have ranged from conducting distributed denial-of-service (DDoS) attacks to the deployment of wiper malware to destroy data on targeted systems.  Use of ransomware for similar purposes seems a logical extension with the added benefit of potentially getting ransom payments from desperate victims. Additionally, there is the data exfiltration element tied to ransomware as well. Although North Korea is most known for its use of the cyber domain for criminal and disruptive activities, ransomware as a means of data theft is a possibility and one that can bolster North Korea’s cyber espionage program, a capability it possesses but does not appear to extensively rely on as other states.

Pyongyang has been steadily developing its offensive cyber capabilities for several years and has been tied to some of the more noteworthy incidents that have garnered global attention and forced discussions about how states use cyber attacks.  It has benefited tremendously from a combination of academic exchanges and partnerships, indigenous technological developments, as well as foreign assistance, and poses perhaps the most significant state threat to the global financial sector.  A robust ransomware capability would be a formidable arrow in its cybercrime quiver that could provide other benefits depending how Pyongyang wants to use it.  Though it appears to still be finding its way with respect to unleashing ransomware’s full capacity, any potential future gains outweigh current setbacks.  Therefore, it can be expected that North Korea will continue to refine its ransomware operations because if done correctly, they will help Pyongyang sustain its regime and its sovereignty.

About the Author

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.