The US Department of Justice has announced that it was able to recover ransomware payments made by medical companies in Kansas and Colorado.
The US Department of Justice has announced a lawsuit filed in the District of Kansas to confiscate cryptocurrency paid as ransom to hackers believed to be close to North Korea. The funds seized amount to half a million US dollars. The money reportedly comes from medical providers based in Kansas and Colorado.
Thanks to a victim's prompt reporting and cooperation, FBI and Justice Department prosecutors disrupted the activities of a North Korean state-sponsored group. The ransomware is known as Maui.
This malicious code appeared in 2021. Unlike the ransomware we usually see, Maui was never sold or offered to affiliates as a ransomware-as-a-service (RaaS) tool. It is developed and used privately, which is why experts believe that it is backed by a state.
North Korea behind the attacks
According to court documents, in May 2021, North Korean hackers used a strain of the Maui ransomware to encrypt files and servers at a medical center in the District of Kansas. After more than a week locked out of its systems, the Kansas hospital paid around $100,000 in Bitcoin to regain use of its computers and equipment. Because the Kansas medical center informed the FBI and cooperated with law enforcement, the FBI was able to identify the North Korean ransomware and trace the cryptocurrency to the money launderers. The launderers were based in China.
Follow the money
In April 2022, the FBI observed a payment of approximately $120,000 in Bitcoin to one of the seized cryptocurrency accounts identified through the cooperation of the Kansas hospital. The subsequent investigation confirmed that a Colorado medical provider had just paid a ransom after being hacked, again with the Maui ransomware. In May 2022, the FBI seized the contents of two cryptocurrency accounts that had received funds from healthcare providers. The District of Kansas then began proceedings to confiscate the hackers' funds and return the stolen money to the victims.
The recovered money is reminiscent of the most famous case of this kind: Colonial Pipeline. Another recovery was that of the University of Maastricht in the Netherlands, which suffered a cyberattack in December 2019 and paid a ransom of 197,000 euros in Bitcoin. Part of this ransom was recovered in 2020. The launderer was based in Ukraine. By then, the price of Bitcoin had exploded and the university had recovered $500,000.
Such cases are rare. The obvious advice remains to refrain from paying ransoms. Paying does not guarantee that you will recover your data, nor does it free you from recovery costs (hardening your system, insurance, storage, etc.), and it marks you as a target for repeated attacks, as we have seen with a large toymaker in December 2022.