The US Justice Department announced on 19 July 2022 through a complaint filed in the US District of Kansas to forfeit cryptocurrency paid as ransom to North Korean hackers or otherwise used to launder such ransom payments. In May 2022, the Federal Bureau of Investigation (FBI) filed a sealed seizure warrant for the funds worth approximately half a million dollars. The seized funds include ransoms paid by health care providers in Kansas and Colorado. “Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui,’” said a Deputy Attorney General at the International Conference on Cyber Security. “Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain. The approach used in this case exemplifies how the Department of Justice is attacking malicious cyber activity from all angles to disrupt bad actors and prevent the next victim.”[1]
According to court documents, in May 2021, North Korean hackers used a ransomware strain called Maui to encrypt the files and servers of a medical center in the District of Kansas. After more than a week of being unable to access encrypted servers, the Kansas hospital paid approximately $100,000 in Bitcoin to regain the use of their computers and equipment. Because the Kansas medical center notified the FBI and cooperated with law enforcement, the FBI was able to identify the never-before-seen North Korean ransomware and trace the cryptocurrency to China-based money launderers.
Then, as a result, in April 2022, the FBI observed an approximately $120,000 Bitcoin payment into one of the seized cryptocurrency accounts identified thanks to the cooperation of the Kansas hospital. The FBI’s investigation confirmed that a medical provider in Colorado had just paid a ransom after being hacked by actors using the same Maui ransomware strain. In May 2022, the FBI seized the contents of two cryptocurrency accounts that had received funds from the Kansas and Colorado health care providers. The District of Kansas then began proceedings to forfeit the hackers’ funds and return the stolen money to the victims. “Reporting cyber incidents to law enforcement and cooperating with investigations not only protects the United States, it is also good business,” said an Assistant Attorney General of the Justice Department’s National Security Division. “The reimbursement to these victims of the ransom shows why it pays to work with law enforcement.”
“These sophisticated criminals are constantly pushing boundaries to search for ways to extort money from victims by forcing them to pay ramsons in order to regain control of their computer and record systems,” said the US Attorney for the District of Kansas. “What these hackers don’t count on is the tenacity of the U.S. Justice Department in recovering and returning these funds to the rightful owners.”
“The FBI is dedicated to working with our federal and private sector partners to disrupt nation state actors who pose a critical cyber threat to the American people,” said the FBI Cyber Division Assistant Director. “Today’s success demonstrates the result of reporting to the FBI and our partners as early as possible when you are a victim of a cyber-attack; this provides law enforcement with the ability to best assist the victim. The US government will continue to pursue these malicious cyber actors, such as these North Korean hackers, who threaten the American public regardless of where they may be and work to successfully retrieve ransom payments where possible.”
“Today’s (19 July) announcement reiterates the FBI and Justice Department’s continued commitment to working with our critical infrastructure and private sector partners to identify and dismantle cyber threats, including new and emerging ransomware variants,” said the Special Agent in Charge of the FBI Kansas City Field Division. “Because of swift reporting by the victim medical center, action was taken to lessen the loss to the victim company, as well as identify the malware deployed, preventing additional cyber-attacks. The relationship between the FBI and our private sector partners are critical to discover, disrupt and dismantle cyber threats to our nation’s infrastructure.”
On 6 July 2022, based on information obtained during the Department’s investigation, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury issued a joint cybersecurity advisory regarding the North Korean threat to US health care and public health sector organizations, which included indicators of compromise and mitigation advice. The FBI is the lead agency investigating this case.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and offer technical reports like this from pour friends at Microsoft. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.justice.gov/opa/pr/justice-department-seizes-and-forfeits-approximately-500000-north-korean-ransomware-actors
Comments