Ransomware, Incident Response, Threat Management, Malware

Feds disrupt North Korean ransomware operations, return $500K to healthcare victims

The seal of the FBI hangs at the bureau’s headquarters March 9, 2007, in Washington. The Department of Justice announced it disrupted North Korean ransomware operations and returned about $500,000 paid by healthcare providers. (Photo by Chip Somodevilla/Getty Images)

The Department of Justice reportedly seized about $500,000 from state-sponsored North Korean hackers who use Maui ransomware in their attacks. The seized cryptocurrency was returned to two healthcare providers who paid ransom demands to the group after falling victim to earlier cyberattacks.

According to DoJ Deputy Attorney General Lisa O. Monaco, DoJ and the FBI were also able to disrupt the activities of the state-sponsored group as a direct result of the “rapid reporting and cooperation” of the victims.

Earlier this month, a joint federal alert warned that state-sponsored actors were using the Maui variant to target the U.S. health sector and had successfully exploited multiple healthcare entities since May 2021. The attacks resulted in encrypted servers, including those supporting electronic health records, diagnostics, imaging services, and intranet services.

Two of those impacted entities, one from Kansas and the other from Colorado, have received the ransom payments back due to federal efforts.

In May 2022, the FBI filed a sealed seizure warrant for the funds paid by the two healthcare victims. The release does not disclose the names of the entities, nor shed light on the incident that struck the Colorado entity.

But the court documents show that the actors launched a Maui ransomware attack against a Kansas medical center in May 2021, which encrypted the files and servers. After more than a week without access to the encrypted servers, the provider paid a $100,000 demand in bitcoin to regain use of the impacted equipment.

Cooperation with law enforcement cited in ransom recovery, identification of new ransomware

DoJ and FBI leaders attribute the identification and seizure of the funds to the providers’ cooperation with law enforcement, which enabled investigators to trace the cryptocurrency back to money launderers based in China.

Not only did the swift movement and coordination lead to the recovered ransom payment and a “ransom paid by previously unknown victims,” but the effort also allowed federal agents to identify a previously unidentified ransomware strain. DoJ stressed that reporting cyber incidents to law enforcement and cooperating with investigations protects entities and is “good business.”

“The approach used in this case exemplifies how the DoJ is attacking malicious cyber activity from all angles to disrupt bad actors and prevent the next victim,” Monaco said in a statement.

The medical center’s expeditious actions lessened its losses, identified the malware, and prevented further cyberattacks, according to Special Agent in Charge Charles Dayoub of the FBI Kansas City Field Division.

FBI Cyber Division Assistant Director Bryan Vorndran reiterated the FBI’s commitment to working with federal and private sector entities, a crucial step in disrupting nation-state actors. By working with federal law enforcement, attack victims are better able to receive the support needed to recover.

The takedown of the notorious Z-loader botnet by the Health-ISAC, Microsoft, and others in April is another prime example of the importance of threat sharing and working with other sector leaders to bolster defenses and obtain much needed support and insights.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
