FBI seizes $500K cyber-ransom that medical centers paid to North Korean hackers

Health systems, loaded with patient data, remain prime targets for computer attacks, feds say.

The FBI is targeting North Korean hackers that used ransomware to control computer files of medical centers in Kansas and Colorado, the federal agency announced this week.

Reporting the cyberattacks and working with law enforcement helped the FBI file a warrant to seize about $500,000, including the ransoms paid by the health care providers. The money will be returned to the health systems, according to the FBI.

The investigation involved a strain of ransomware known as “Maui.” Though it shares the name of a Hawaiian island, the software is used by hackers sponsored by North Korea. This month the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of the Treasury issued a joint advisory identifying the ransomware threat.

“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui,’” Deputy Attorney General Lisa O. Monaco said in a news release issued by the FBI. Monaco also spoke at the International Conference on Cyber Security.

“Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain,” Monaco said. “The approach used in this case exemplifies how the Department of Justice is attacking malicious cyber activity from all angles to disrupt bad actors and prevent the next victim.”

How it happened

The FBI case summary cited federal court documents from the District of Kansas.

The case dates from May 2021, when North Korean hackers used a ransomware strain called Maui to encrypt the files and servers of a medical center in the District of Kansas.

“After more than a week of being unable to access encrypted servers, the Kansas hospital paid approximately $100,000 in Bitcoin to regain the use of their computers and equipment,” the case summary said. “Because the Kansas medical center notified the FBI and cooperated with law enforcement, the FBI was able to identify the never-before-seen North Korean ransomware and trace the cryptocurrency to China-based money launderers.”

In April 2022, the FBI observed a Bitcoin payment of about $120,000 into one of the seized cryptocurrency accounts identified due to the cooperation of the Kansas hospital.

“The FBI’s investigation confirmed that a medical provider in Colorado had just paid a ransom after being hacked by actors using the same Maui ransomware strain,” the FBI announcement said. “In May 2022, the FBI seized the contents of two cryptocurrency accounts that had received funds from the Kansas and Colorado health care providers. The District of Kansas then began proceedings to forfeit the hackers’ funds and return the stolen money to the victims.”

Beware Maui

The Maui ransomware encrypts servers responsible for services such as electronic health records, diagnostics, imaging and internal networks, sometimes causing disruptions for long periods, according to the cybersecurity advisory from July 6. The “initial access vector(s)” for the attacks is unknown, but the federal agencies expect more attacks.

The advisory included technical details about Maui encryption and recommendations to bolster cybersecurity for health care organizations.