Federal Agencies Warn of North Korean ‘Maui’ Ransomware Threat

Cybersecurity Advisory
July 6, 2022

Health care, public health sector among known targets of aggressive, state-sponsored cyber actors; immediate action urged of hospitals and health systems

The FBI, jointly with the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury, today issued a public cybersecurity advisory warning of the North Korean government’s current use of the “Maui” ransomware platform to conduct disruptive ransomware attacks against the U.S. health care and public health sectors.

Hospitals and health systems are urged to review this advisory and its linked resources, and take immediate steps to harden their networks’ cyber defenses.


North Korean cyber threats against U.S. health care are well-documented. The U.S. government in 2017 officially attributed to the North Korean government the global “WannaCry” ransomware attack, which hit multiple hospitals in the U.S., as well as the U.K.’s National Health System.

More recently, since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at health care and public health sector organizations. According to federal agencies, North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers used for health care services, including electronic health records services, diagnostics services, imaging services and intranet services. In some cases, these incidents resulted in prolonged periods of disrupted services provided by the targeted health care and public health sector organizations.

The initial access vectors for these incidents are currently unknown. North Korean state-sponsored cyber actors likely work under the belief that health care organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health. Because of this assumption, the FBI, CISA and Treasury Department assess North Korean state-sponsored actors are likely to continue targeting health care and public health sector organizations.

Ransomware attacks disrupt and delay health care delivery, including treatment provided during emergency situations; based on this, the AHA and the FBI view such attacks as immediate threat-to-life crimes. The FBI has assured the AHA that they recognize the public health and safety aspect of ransomware attacks against hospitals and health systems and will respond accordingly upon notification. Victims of such attacks are thus urged to provide immediate notification to their local FBI field office.

The Maui ransomware associated with the North Korean government represents not only a criminal threat to public health and safety, but also a national security threat to the U.S. Proceeds generated from Maui ransomware attacks may be used to fund the North Korean government’s illegal activities, enabling its state-sponsored terrorism, for which it is under multiple sanctions (including for its nuclear weapons program).

As in all cases, the FBI, CISA, Treasury Department and the AHA highly discourage paying ransoms as doing so does not guarantee data will be recovered and, in this instance, may pose a sanctions risk.


The Treasury Department in September 2021 issued an updated advisory highlighting the sanctions risk associated with ransomware payments, along with proactive steps companies can take to mitigate such risks. The updated advisory encourages timely notification and full cooperation with law enforcement to mitigate any potential sanctions risk.

To help mitigate the risk of the North Korean Maui ransomware threat, the advisory recommends a number of technical and non-technical measures described further in the bulletin.


  • Share this AHA Cybersecurity Advisory with your organization’s IT and cyber infrastructure teams.
  • Hospitals and health systems should review the above-identified alerts and bulletins for guidance on risk mitigation procedures, including increased network monitoring for unusual network traffic or activity, especially around active directories.
  • Install updates for operating systems, software and firmware as soon as they are released.
  • Secure remote access, vendor network access and servers.
    • If you use Remote Desktop Protocol (RDP), or other potentially risky services, secure and monitor them closely. Ensure devices are properly configured and that security features are enabled.
    • Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389).
    • Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary and remove or disable outdated versions of SMB.
    • Review the security posture of third-party vendors and those interconnected with your organization.
    • Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
    • Implement allowlisting policies for applications and remote access that only allow systems to execute known and permitted programs under an established protocol.
    • Open document readers in protected viewing modes to help prevent active content from running.
  • Implement user training programs and phishing awareness exercises that increase users’ understanding about the risks of visiting suspicious websites, clicking on suspicious links and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
  • Require MFA for as many services as possible, particularly for webmail, VPNs, accounts that access critical systems and privileged accounts that manage backups.
  • Use strong passwords and avoid reusing passwords for multiple accounts. See CISA Tip Choosing and Protecting Passwords and National Institute of Standards and Technology (NIST) Special Publication 800-63B: Digital Identity Guidelines for more information.
  • Require administrator credentials to install software.
  • Audit user accounts with administrative or elevated privileges and configure access controls with least privilege in mind.
  • Install and regularly update antivirus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages coming from outside your organization.
  • Disable hyperlinks in received emails.
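
As an added example (not part of the AHA or federal advisory), the read-only PowerShell check below reports, for a single Windows host, the state of the RDP and SMB settings named in the list above. It assumes an elevated session on a Windows version that ships the NetTCPIP, NetSecurity and SmbShare modules; the output field names are illustrative.

```powershell
# Added example: read-only audit of the RDP and SMB items above. Changes nothing.
# Assumes an elevated session; output field names are illustrative.
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $ts 'WinStations\RDP-Tcp'

# fDenyTSConnections = 0 means inbound RDP is enabled.
$rdpEnabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
# UserAuthentication = 1 means Network Level Authentication is required.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1
# The listener port is configurable; 3389 is only the default.
$rdpPort = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber

# Is a socket actually listening on that port?
$listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $rdpPort -ErrorAction SilentlyContinue)

# Enabled inbound allow rules for the RDP port, with the remote addresses they admit.
$openRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and $pf.LocalPort -contains [string]$rdpPort
    } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        '{0} <- {1}' -f $_.DisplayName, ($remote -join ',')
    }

# SMB server settings: SMBv1 should be off; signing should be required.
$smb = Get-SmbServerConfiguration

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    RdpEnabled         = $rdpEnabled
    RdpPort            = $rdpPort
    RdpListening       = $listening
    RdpNlaRequired     = $nla
    RdpFirewallAllows  = $openRules   # a remote address of 'Any' means unrestricted
    Smb1ServerEnabled  = $smb.EnableSMB1Protocol
    SmbSigningRequired = $smb.RequireSecuritySignature
} | Format-List
```

A host that reports `RdpListening` as true with a firewall rule admitting `Any`, or `Smb1ServerEnabled` as true, is one to review against the RDP and SMB items in the list.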


If you have further questions, please contact John Riggi, AHA’s national advisor for cybersecurity and risk, at jriggi@aha.org.
