U.S. Disrupts North Korea Ransomware Group, Recovers Nearly Half a Million

By Masood Farivar

Published 19 July 2022

U.S. law enforcement authorities have disrupted a group of North Korean hackers, recovering nearly half a million dollars in ransom payments it received from a Kansas hospital, a Colorado health care provider and other victims, U.S. Deputy Attorney General Lisa Monaco said on Tuesday.

Using a previously unknown strain of malware, known as “Maui,” the North Korea state-sponsored cybercriminals encrypted the Kansas hospital’s servers in May 2021, demanding ransom in exchange for regaining access to its critical computer networks, Monaco said at a cybersecurity conference in New York.

“In that moment, the hospital’s leadership faced an impossible choice: Give in to the ransom demand or cripple the ability of doctors and nurses to provide critical care,” Monaco said, without revealing the hospital’s name.

To regain the use of its computers and equipment, the hospital paid $100,000 in Bitcoin but also alerted the FBI, allowing federal investigators to trace the payment through the public cryptocurrency ledger known as the blockchain and to identify China-based money launderers who helped the North Korean cybercriminals “cash out” ransom payments.

Through that investigation, the FBI then found that the Colorado hospital, after being hacked by the same group, had paid $120,000 in Bitcoin into one of the North Korean group’s cryptocurrency accounts, which has since been seized.

Monaco said the Justice Department is returning the stolen funds to the victims. The operation took place several weeks ago, she said.

The disclosure came after the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Treasury Department cautioned U.S. medical providers about the Maui ransomware earlier this month, warning victims that paying ransom would violate U.S. sanctions against North Korea.

Monaco praised the hospital for alerting the FBI.

“What flowed from that virtuous decision was the recovery of their ransom payment, the recovery of ransoms paid by previously unknown victims, (and) the identification of a previously unidentified ransomware strain,” she said.

In a ransomware attack, hackers lock a company’s data, offering keys to unlock the files in exchange for a large sum of money.

In recent years, ransomware attacks have grown in frequency, with cybercriminals attacking schools, hospitals and local governments, among other victims.

To combat the growing threat, the Justice Department last year launched the Ransomware and Digital Extortion Task Force and the National Cryptocurrency Enforcement Team.

The FBI has long encouraged victims of ransomware to alert authorities instead of caving in to cybercriminals’ demands. But a recent survey found that nearly half of organizations targeted in a ransomware attack last year made a payment to regain their data.

Even so, reporting a ransomware attack allows the FBI the opportunity to recover funds.

Last year after Colonial Pipeline paid hackers $4.4 million to regain access to critical data following a ransomware attack, the FBI recovered almost half of the payment.

Masood Farivar covers the Justice Department and the FBI for Voice of America. The article is published courtesy of the Voice of America (VOA).