DOJ Seizes $500,000 From North Korean Attacks on Healthcare
Feds Clawed Back Money Paid in 'Maui' Ransomware Assaults
The U.S. Department of Justice clawed back about $500,000 worth of illicit cryptocurrency from North Korean hackers who launched Maui ransomware assaults on at least two U.S. medical facilities.
Deputy Attorney General Lisa Monaco said in a speech at Fordham University today that the victims include a Kansas medical center and a Colorado medical provider.
Monaco's disclosure comes about two weeks after the federal government warned the healthcare sector of attacks by North Korean state-sponsored groups involving Maui ransomware (see: Feds Warn Healthcare Sector of 'Maui' Ransomware Threats).
Maui ransomware is named after the executable file used to encrypt victims' files. North Korea is a well-known ransomware enthusiast, using it to harvest cash it spends on developing weapons of mass destruction. A 2019 United Nations panel estimated that cybercrime had netted the hereditary totalitarian monarchy in Pyongyang about $2 billion, an amount that has only grown since.
The healthcare sector is an appealing target for ransomware attackers given its reluctance to disrupt patient care. A recent survey commissioned by cybersecurity firm Sophos found that healthcare ransomware attacks have soared over the past two years and that healthcare is the sector most likely to pay a ransom (see: Hackers Claim Drug Data Theft as Reports Warn Health Sector).
In the attack last year on the Kansas medical center, North Korean cyber actors encrypted the hospital's servers used to store critical data and operate critical equipment.
Attackers left behind a note demanding ransom, and they threatened to double it within 48 hours, Monaco said.
"In that moment, the hospital's leadership faced an impossible choice: Give in to the ransom demand or cripple the ability of doctors and nurses to provide critical care. Left with no real choice, the hospital's leadership paid the ransom," she said.
But the hospital also notified the FBI, which worked with federal prosecutors to trace the ransom payment through the blockchain and identify the then-unknown Maui ransomware variant, she said.
FBI agents identified China-based money launderers working to obfuscate the ransom payment.
Additional blockchain analysis found that these same accounts contained other ransom payments, which the FBI traced to a medical provider in Colorado, as well as to potential overseas victims, Monaco said.
"We seized approximately $500,000 in ransom payments and cryptocurrency used to launder those payments," she said. The recovery included all the ransom paid by the Kansas medical center, plus what federal authorities believe are ransoms paid by other victims, including the Colorado-based medical provider.
A Good Start
Some experts say the clawback by U.S. authorities of money paid to nation-state-backed cyber extortionists is noteworthy, but it will not likely make a significant difference in the bigger picture.
"I don't believe it will deter other attacks. The potential upside from an attack like this is too high, and for every seizure that follows an attack, there are dozens of attacks without [a clawback]," says Erick Galinkin, a principal artificial intelligence researcher at security firm Rapid7.
"We need to have more consistent seizure, more consistent prosecution, a steady security posture, and more victims who don't pay for attackers to decide that cybercrime doesn't pay," he adds.
Still, it's important to show state sponsors of hacking that the American government is "willing and able to defend U.S. businesses that are victims of cyberattacks," says retired supervisory FBI agent Jason G. Weiss, now an attorney at law firm Faegre Drinker Biddle & Reath LLP.
While the threat actors themselves have not yet been arrested or indicted, this disclosure sends a message that the U.S. government knows who these threat actors are and that they are not anonymous or above being targeted by U.S. law enforcement agencies, Weiss adds. "If they ever leave North Korea, then they risk arrest and extradition to the U.S."