The Department of Justice (DoJ) on Tuesday said it disrupted the activities of a North Korean state-sponsored group, known for deploying the Maui ransomware, and seized $500,000 from the actors in May.
These seized funds included ransom payments made by two healthcare providers impacted by the Maui ransomware over the past year. A medical center in Kansas was hit by the Maui ransomware in May 2021 and paid a ransom of $100,000 in Bitcoin to attackers. After the unnamed Kansas-based medical center reported the incident to the FBI, U.S. authorities were able to identify the ransomware family and trace the cryptocurrency back to China-based money launderers.
In April 2022, the FBI became aware that a medical provider in Colorado was hit by the Maui ransomware after a $120,000 Bitcoin ransom payment was made into one of the seized cryptocurrency accounts. The ransom payments recovered by law enforcement will be returned to the victims.
“The approach used in this case exemplifies how the Department of Justice is attacking malicious cyber activity from all angles to disrupt bad actors and prevent the next victim,” said Deputy Attorney General Lisa Monaco at the International Conference on Cyber Security on Tuesday.
The disruption announcement clarifies a recent advisory in early July by the U.S. government where it warned that North Korean attackers were using the Maui ransomware family to target healthcare and public health organizations with manual intrusions. Maui is a relatively new ransomware strain, with the samples seen in intrusions being compiled in April 2021.
U.S. authorities have made some headway in their ability to track and seize illicit cryptocurrency funds from various cybercrimes. Just a month after the May 2021 Colonial Pipeline ransomware attack, the DoJ announced it had seized a large portion (63.7 bitcoins, valued at $2.3 million at the time) of the total ransom paid in the attack (75 bitcoins). In February, the DoJ seized $3.6 billion in Bitcoin connected to the 2016 Bitfinex hack - the largest recovery of stolen assets in cryptocurrency ever. Overall, the Internal Revenue Service’s criminal investigation unit seized $3.5 billion in cryptocurrency during fiscal 2021.
The DoJ stressed that the seizure and disruption would not have been possible without the Kansas-based medical facility stepping up to report the ransomware attack. Government officials have previously cited concerns about a lack of consistent ransomware incident reporting by businesses, despite recent legislative efforts in this area including the Strengthening American Cybersecurity Act, which gives critical infrastructure entities a 72-hour reporting deadline to notify the Cybersecurity and Infrastructure Security Agency (CISA) after experiencing a cyberattack.
“Because of swift reporting by the victim medical center, action was taken to lessen the loss to the victim company, as well as identify the malware deployed, preventing additional cyber-attacks,” said Special Agent in Charge Charles Dayoub of the FBI Kansas City Field Division in a statement. “The relationship between the FBI and our private sector partners are critical to discover, disrupt and dismantle cyber threats to our nation’s infrastructure.”