$500,000 Ransom Payment Seized by the Department of Justice

The U.S. Department of Justice announced that it seized approximately $500,000 in Bitcoin from North Korean threat actors who used the Maui ransomware to attack healthcare companies in the United States.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recently released a security advisory about North Korean attackers using the Maui ransomware to target the healthcare and public health industry in the United States beginning in May 2021. The attacks caused substantial interruption to IT systems and healthcare services and have affected patient safety.

The new ransomware variant was identified during the investigation of a ransomware attack on a Kansas-based hospital in May 2021. The attack was traced to a North Korean hacking group that is known to have state support. The Kansas hospital's servers were encrypted, blocking access to important IT systems for over one week. The hospital paid $100,000 as a ransom for the keys to decrypt its files and restore access to the servers. It immediately informed the FBI about the attack and the payment. The FBI traced the payment to money launderers in China, together with one more payment of around $120,000 made by a Colorado-based healthcare company.

In May 2022, the FBI submitted a seizure warrant in the District of Kansas to retrieve the cryptocurrency payment made to the Maui ransomware group. Ransom payments of roughly $500,000 were retrieved from the seized cryptocurrency accounts and returned to the healthcare companies in Colorado and Kansas.

Because of the speedy reporting by the victim, the FBI and the Justice Department prosecutors have disrupted the activities of the North Korean state-sponsored gang known to use the Maui ransomware. This enabled the recovery of ransom payments from current and previous victims and the identification of a previously unidentified ransomware strain. The strategy employed in this case demonstrates how the Department of Justice is fighting malicious cyber activity from all sides to break up bad actors and prevent further victims.

Microsoft has also just reported that a North Korean hacking gang known as HolyGhost is performing ransomware attacks on SMBs in the U.S. It isn't certain whether the attacks are being carried out by a state-sponsored hacking gang or whether individuals linked to the Lazarus Group are executing the attacks on their own.

The success in this case shows how important it is for cyberattack victims to report the incident to the FBI as soon as possible, which allows law enforcement to assist the victims in the best way possible. The FBI is determined to go after malicious cyber actors, like these North Korean hackers, who endanger the American public, irrespective of where they are, and to work to recover ransom payments wherever possible.


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.