DOJ seizes $500K from North Korean hackers who targeted healthcare
The Justice Department announced a bit of a win this week in the ongoing battle against state-sponsored ransomware campaigns – clawing back about half a million dollars in cryptocurrency that had been paid as ransom to North Korean hackers.
WHY IT MATTERS
According to the DOJ report, the FBI filed a sealed seizure warrant for the half-million or so, including ransom payments from healthcare providers in Kansas and Colorado, this past May.
"Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as Maui," said Deputy Attorney General Lisa O. Monaco, in a statement. "Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain."
In the spring of 2021, North Korean-affiliated hackers used the Maui ransomware strain to encrypt the files and servers of an unnamed Kansas-based medical center, according to court documents.
Unable to access its encrypted servers for more than a week, the hospital decided to pay about $100,000 in Bitcoin to regain the use of its data. DOJ officials say its notification and cooperation with the FBI was key to the money's return, as agents were able to "identify the never-before-seen North Korean ransomware and trace the cryptocurrency to China-based money launderers."
Then, this past April, FBI officials observed a $120,000 Bitcoin payment into one of the seized cryptocurrency accounts that had been identified after the Kansas hospital case, according to the DOJ.
The FBI was able to confirm that a provider based in Colorado had just paid a ransom after being targeted with the Maui strain of malware.
In May, agents of the bureau seized the contents of two cryptocurrency accounts that had received funds from the Kansas and Colorado health systems and began proceedings to confiscate those funds and return the money.
THE LARGER TREND
Earlier this month the FBI, Homeland Security's Cybersecurity and Infrastructure Security Agency and the Department of the Treasury put out notice that North Korea-sponsored groups were targeting U.S. healthcare providers with ransomware campaigns.
In particular, the alert specified mitigation steps for the newly discovered Maui ransomware strain, which engineers said appeared to be designed for manual execution by a remote bad actor.
In their notice, the federal agencies made a point of saying that North Korea and other state-sponsored attackers "likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health."
But as has been widely noted, the FBI and others "strongly discourage paying ransoms," since there is no guarantee files and records will be recovered, and such payments "may pose sanctions risks," they said.
Nation-states have been busy targeting U.S. healthcare organizations with ransomware. This past November, CISA issued an alert for an Iran-sponsored hacker group targeting healthcare. In June, FBI Director Christopher Wray said the bureau's cyber squad was able to thwart an Iran-sponsored attempt to attack the IT network of Boston Children's Hospital.
FBI officials said this recovery case highlights the importance of working with the agency when ransomware strikes.
"Reporting cyber incidents to law enforcement and cooperating with investigations not only protects the United States, it is also good business," said Assistant Attorney General Matthew G. Olsen of the Justice Department's National Security Division. "The reimbursement to these victims of the ransom shows why it pays to work with law enforcement."
This past March, I spoke with FBI Special Agents Andrew Sekela and Harry Walker, who offered some useful advice for when and how to engage with the agency.
ON THE RECORD
"Because of swift reporting by the victim medical center, action was taken to lessen the loss to the victim company, as well as identify the malware deployed, preventing additional cyber-attacks," added Special Agent in Charge Charles Dayoub of the FBI Kansas City Field Division. "The relationship between the FBI and our private sector partners is critical to discover, disrupt and dismantle cyber threats to our nation's infrastructure."
"These sophisticated criminals are constantly pushing boundaries to search for ways to extort money from victims by forcing them to pay ransoms in order to regain control of their computer and record systems," said U.S. Attorney Duston J. Slinkard for the District of Kansas. "What these hackers don't count on is the tenacity of the U.S. Justice Department in recovering and returning these funds to the rightful owners."
Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.