The US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory detailing the recently observed tactics, techniques, and procedures (TTPs) of North Korean ransomware operations that were used to fund the government's priorities and objectives. The attacks primarily targeted South Korean and United States healthcare systems, but other critical industries were also targeted. CISA says that the attackers used privately developed lockers as well as a dozen other strains of file-encrypting malware.
The ransomware operators acquired the infrastructure needed for their attacks through fake personas and accounts and illegally obtained cryptocurrency, using foreign intermediaries to obscure the money trail. The operators concealed their IP addresses by using VPNs and VPSs. They exploited numerous vulnerabilities in their operations, including:
- Log4Shell (CVE-2021-44228)
- SonicWall Appliances RCE (CVE-2021-20038)
- TerraMaster NAS products admin disclosure (CVE-2022-24990)
Initial access in this operation is believed to have been established through trojanized files for “X-Popup”, an open-source messenger commonly used in hospitals. Following initial access, the North Korean hackers performed network reconnaissance and lateral movement by executing shell commands and deploying additional payloads to aid in gathering information. While the ransomware operators have been linked to the Maui and HolyGh0st ransomware strains, they also leveraged several publicly available tools in their attacks:
- BitLocker (abuse of a legitimate tool)
- Hidden Tear
- LockBit 2.0
- My Little Ransomware
The ultimate goal of this campaign was to demand a Bitcoin ransom, which the operators did through Proton Mail accounts rather than a Tor site.