Washington DC (29/07 – 45.45) The Department of Justice has revealed that it successfully seized a $500,000 ransom payment that a hospital paid in Kansas to a North Korea-based hacking and ransomware gang.
Deputy Attorney General Lisa O. Monaco revealed the operation in a speech delivered on Tuesday, as she spoke at the International Conference on Cyber Security (ICCS) in New York.
“Today, I’m pleased to announce that this approach has produced real results again – thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui.’ That ransomware targeted U.S. medical facilities and other public health sector organizations,” Monaco announced in the address.
“Last year, a medical center in Kansas experienced the dread that faces too many critical infrastructure operators. North Korean state-sponsored cyber actors encrypted the hospital’s servers – servers being used to store critical data and to operate key equipment. The attackers left behind a note demanding ransom, and they threatened to double it within 48 hours. In that moment, the hospital’s leadership faced an impossible choice – give in to the ransom demand or cripple the ability of doctors and nurses to provide critical care,” she added in the speech.
“Left with no real choice, the hospital’s leadership paid the ransom. But they also notified the FBI, which was the right thing to do for themselves and for future victims.”
Monaco noted that the hack was a ransomware variant that had never been seen before. Through blockchain investigation, the FBI was able to track down “China-based money launderers.” The FBI recovered $500,000 of the ransom payments from those launderers.
On July 6, the FBI, CISA, and Department of Treasury issued an alert about Maui ransomware.
“Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations,” that alert said. “North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services. In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods. The initial access vector(s) for these incidents is unknown.”
Monaco also talked about the lessons from the episode.
“But the reality is – as every single person in this room knows – we live in a world where it is impossible to disrupt all malicious cyber activity,” she said.
“So we are also doing all we can to leverage our investigations to mitigate the harm to innocent victims, often with the help of the private sector.”