#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities | CISA

This CSA provides an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware and updates the July 6, 2022, joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector. This advisory highlights TTPs and IOCs DPRK cyber actors used to gain access to and conduct ransomware attacks against Healthcare and Public Health (HPH) Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.

DPRK cyber actors are involved in the distribution of the TROJAN RAA Ransomware (Trojan-Ransom.Win32.Raa) and have been observed using Bitcoin wallets to receive ransom payments. To date, the majority of HPH Sector intrusions have been limited to ransomware attacks and the use of remote access tools (RATs). The DPRK’s increasing reliance on cyber operations as a tool to generate revenue is highly concerning, especially as these attacks may be leveraged to target critical infrastructure within the United States and globally. This pattern of activity shows a significant shift in tactics and represents the continued expansion of DPRK cyber operations.

The key takeaways from this CSA are:

DPRK cyber actors have used Bitcoin wallets to extort ransoms from the HPH Sector. In some cases, DPRK actors have demanded payment in more than one cryptocurrency. The use of multiple cryptocurrencies is an indicator that the attackers are likely dealing in BTC, but also that they may not have access to merchants’ banking details and payment systems infrastructure at the time of extortion. This introduces new risks and makes it difficult to track whether a payment was made in full or includes a percentage fee for the service provider (exchange rates vary).

Source: #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities - AlienVault - Open Threat Exchange