The U.S. Department of Justice said on July 19 that it seized about $500,000 in cryptocurrency that two American medical centers had paid to North Korean state-backed hackers after a ransomware attack.
Deputy Attorney General Lisa Monaco said the seized funds include ransoms paid by health care providers in Kansas and Colorado in 2021 and 2022, according to a statement issued by the Justice Department.
According to court documents unsealed on July 19, the Kansas hospital paid the hackers about $100,000 in bitcoin after being unable to access encrypted servers for more than a week.
The hospital notified the FBI, which traced the payment and identified China-based money launderers who assisted North Korean state-sponsored hackers in converting the money.
The FBI also found that a medical provider in Colorado paid a ransom to the hackers, who used the Maui ransomware to encrypt the medical center’s servers. Authorities seized the contents of two cryptocurrency accounts following the investigation.
“Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain,” Monaco said.
The investigation led the FBI, Treasury Department, and Cybersecurity and Infrastructure Security Agency to issue a joint advisory on July 6 about “Maui” ransomware.
The agencies warned that hackers deployed Maui ransomware to encrypt servers responsible for health care services—including health records, medical imaging, and intranet systems—and demand ransom from the victims.
According to the advisory, Maui ransomware is operated manually by a remote actor using a “command-line interface” to interact with the malware and to identify files to encrypt.
U.S. authorities warned that paying a ransom does not ensure the recovery of files. Rather, it emboldens adversaries to target more organizations, encourages other criminal actors to distribute ransomware, and funds illicit activities.
“These sophisticated criminals are constantly pushing boundaries to search for ways to extort money from victims by forcing them to pay ransoms in order to regain control of their computer and record systems,” U.S. Attorney Duston J. Slinkard said in the Justice Department’s news release.
The U.S. government has blamed North Korea for a number of high-profile cyberattacks in recent years, including the multimillion-dollar cryptocurrency heist of Axie Infinity, a game in which players can earn cryptocurrency tokens.
The U.S. Intelligence Community said in its latest report that cyber actors linked to North Korea have conducted “espionage efforts against a range of organizations, including media, academia, defense companies, and governments, in multiple countries.”
“We assess that North Korea continues to engage in illicit activities, including cyber theft and the export of UN-proscribed commodities to fund regime priorities, including [its weapons of mass destruction program],” the report stated.
The intelligence community warned that Pyongyang, the capital of North Korea, could have the expertise “to cause temporary, limited disruptions of some critical infrastructure networks and disrupt business networks in the United States.”
“Pyongyang is well positioned to conduct surprise cyber attacks given its stealth and history of bold action,” the report reads.