Feds disrupt North Korean hackers that targeted hospitals, seize $500K in ransom

The U.S. government disrupted the activities of a ransomware group connected to the North Korean government that targeted hospitals, ultimately recovering half a million dollars in ransom paid by a Kansas hospital and other medical facilities.

Authorities plan to return the stolen funds to the ransomware victims, including a hospital in Kansas and a medical center in Colorado, said Deputy Attorney General Lisa Monaco Tuesday.

Speaking at the International Conference on Cyber Security at Fordham University this week, Monaco said last year a medical center in Kansas that was targeted by hackers "did the right thing" at a moment of crisis and called the FBI.

"What flowed from that virtuous decision was: the recovery of their ransom payment; the recovery of ransoms paid by previously unknown victims; the identification of a previously unidentified ransomware strain—all from an investigation that allowed the FBI and its partners to release a cybersecurity advisory to empower network defenders everywhere," Monaco said.

In May 2021, North Korean state-sponsored hackers used a ransomware strain called Maui to encrypt the files and servers of a medical center in Kansas.

The attackers left behind a note demanding ransom, and they threatened to double it within 48 hours, Monaco said. After more than a week of being unable to access encrypted servers, the Kansas hospital paid approximately $100,000 in Bitcoin to regain the use of their computers and equipment, the Department of Justice (DOJ) reported Tuesday.

The hospital contacted the FBI, which, working with the DOJ, identified a "never-before-seen" ransomware variant and traced the ransom payment through the blockchain.

"Following the crypto-breadcrumbs, the FBI identified China-based money launderers—the type who regularly assist North Koreans in 'cashing out' ransom payments into fiat currency. Additional blockchain analysis revealed that these same accounts contained other ransom payments. The FBI traced those to another medical provider in Colorado and potential overseas victims," Monaco said.

In April 2022, the FBI observed an approximately $120,000 Bitcoin payment into one of the seized cryptocurrency accounts identified as a result of the cooperation of the Kansas hospital. The FBI’s investigation confirmed that a medical provider in Colorado paid a ransom after being hacked by actors using the same Maui ransomware strain, the DOJ reported.

Two months ago, in May, the FBI seized the contents of two cryptocurrency accounts that had received funds from the Kansas and Colorado healthcare providers. The District of Kansas then began proceedings to forfeit the hackers’ funds and return the stolen money to the victims.

"Reporting cyber incidents to law enforcement and cooperating with investigations not only protects the United States, it is also good business," said Assistant Attorney General Matthew G. Olsen of the DOJ’s National Security Division. "The reimbursement to these victims of the ransom shows why it pays to work with law enforcement."

Based on information obtained during the investigation, the FBI, the Cybersecurity and Infrastructure Security Agency and the Department of the Treasury issued a warning earlier this month that hackers sponsored by North Korea's government have been using the Maui ransomware to target healthcare and public health services providers.

"Efforts like this are prime examples of public-private partnerships at their most effective and what the future of cyber looks like. It is not enough to engage in after-the-fact prosecutions of hackers—that’s a lot for a federal prosecutor to say—but an increasing number of whom are working from safe havens abroad," Monaco said during her speech Tuesday. "With help from our partners, we can disrupt and dismantle the networks and capabilities before cybercriminals and state-sponsored hackers compromise their next victim."