North Korean-Sponsored Attack: Ransom Paid By Providers Returned

July 20, 2022
The Justice Department announced that in May the FBI seized the contents of two cryptocurrency accounts that had received funds from two healthcare providers; proceedings then began to forfeit the hackers’ funds and return the stolen money to the victims.

In a July 19 statement, the Justice Department announced that it had seized and forfeited roughly $500,000 from North Korean ransomware actors and their conspirators. In May 2022, the FBI filed a sealed seizure warrant for the funds; the seized funds include ransoms paid by healthcare providers in Kansas and Colorado.

The statement says that “According to court documents, in May 2021, North Korean hackers used a ransomware strain called Maui to encrypt the files and servers of a medical center in the District of Kansas. After more than a week of being unable to access encrypted servers, the Kansas hospital paid approximately $100,000 in Bitcoin to regain the use of their computers and equipment. Because the Kansas medical center notified the FBI and cooperated with law enforcement, the FBI was able to identify the never-before-seen North Korean ransomware and trace the cryptocurrency to China-based money launderers.”

The statement continues: “Then, as a result, in April 2022, the FBI observed an approximately $120,000 Bitcoin payment into one of the seized cryptocurrency accounts identified thanks to the cooperation of the Kansas hospital. The FBI’s investigation confirmed that a medical provider in Colorado had just paid a ransom after being hacked by actors using the same Maui ransomware strain. In May 2022, the FBI seized the contents of two cryptocurrency accounts that had received funds from the Kansas and Colorado healthcare providers. The District of Kansas then began proceedings to forfeit the hackers’ funds and return the stolen money to the victims.”

Charles Dayoub, Special Agent in Charge of the FBI Kansas City Field Division, was quoted in the statement as saying that “Today’s announcement reiterates the FBI and Justice Department’s continued commitment to working with our critical infrastructure and private sector partners to identify and dismantle cyber threats, including new and emerging ransomware variants. Because of swift reporting by the victim medical center, action was taken to lessen the loss to the victim company, as well as identify the malware deployed, preventing additional cyber-attacks. The relationship between the FBI and our private sector partners is critical to discover, disrupt and dismantle cyber threats to our nation’s infrastructure.”

We recently reported that on July 6, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) issued a joint cybersecurity advisory providing information on Maui ransomware. Maui ransomware has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.

“The advisory explains that the FBI has observed and responded to various Maui ransomware incidents at HPH Sector organizations and that North Korean state-sponsored cyber actors used this ransomware in these incidents to encrypt services that are responsible for healthcare services, including electronic health records, diagnostic services, imaging services, and intranet services,” we reported. “The advisory adds that in some cases the incidents disrupted services provided by the HPH Sector organizations for extended periods and the initial access vector(s) for these incidents is not known at this time.”