North Korea raises money by extorting hospitals around the world.
North Korean government hackers are attacking healthcare organizations and various companies around the world in order to obtain money to fund their other operations. This was announced on February 9 by the United States and South Korea.
According to the allies, “an unspecified amount of cryptocurrency revenue is being used by North Korea to fund its national goals, including cyber operations against the US and South Korean governments.”
According to a joint report by CISA, the FBI, the NSA, and several South Korean defense and intelligence agencies, North Korea's campaigns target US defense IT systems and military contractors.
North Korean hackers used both proprietary ransomware, such as Maui and H0lyGh0st, and third-party ransomware, such as Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit, My Little Ransomware, NxRansomware, Ryuk, and YourRansom.
This is the first time agencies have linked a specific actor to the use of Deadbolt and ech0raix, ransomware strains used to attack customers of network equipment vendor QNAP.
The North Korean hackers also tried to pose as members of other ransomware groups such as REvil, the agencies said. Experts say that the cybercriminals create multiple domains and accounts to hide their activities. They are also “buying infrastructure, IP addresses and domains with cryptocurrencies stolen from campaigns.” The attackers also use VPNs to make it look as though the attacks are coming from places outside North Korea.
The experts noted that in their attacks the hackers usually exploit specific vulnerabilities: Log4Shell (CVE-2021-44228), CVE-2021-20038 and CVE-2022-24990. In addition to ransomware, the hackers use other specialized malware to exfiltrate data, conduct intelligence operations, and steal files.
The North Korean hackers set the ransom in bitcoin and communicate with victims via Proton Mail. For private companies in the healthcare sector, the extortionists can threaten to reveal confidential company data to competitors if the ransom is not paid.
Allan Liska, a ransomware expert at security firm Recorded Future, added that North Korea has used ransomware ever since 2017, but this year it has ramped up its attacks, making government hackers an even more dangerous adversary.