The Department of Justice says that it has seized approximately $500,000 in ransom payments made by a Kansas medical facility to a North Korean ransomware gang called “Maui” last year. The money included the payments themselves along with cryptocurrency that the criminals were using to launder the hospital’s cash.
The operation was revealed in a speech given by Deputy Attorney General Lisa O. Monaco at the International Conference on Cyber Security at Fordham University on Tuesday. The speech coincided with the release of the DOJ’s Comprehensive Cyber Review, an 81-page report that outlines its current strategy towards combatting cyber threats.
“Last year, a medical center in Kansas experienced the dread that faces too many critical infrastructure operators. North Korean state-sponsored cyber actors encrypted the hospital’s servers – servers being used to store critical data and to operate key equipment,” Monaco said. “The attackers left behind a note demanding ransom, and they threatened to double it within 48 hours. In that moment, the hospital’s leadership faced an impossible choice – give in to the ransom demand or cripple the ability of doctors and nurses to provide critical care.”
The facility ultimately paid the attackers but also notified the FBI, which allowed authorities to begin an investigation that ultimately resulted in a recovery of the money, Monaco said.
“Following the crypto-breadcrumbs, the FBI identified China-based money launderers — the type who regularly assist the North Koreans in ‘cashing out’ ransom payments into fiat currency,” said Monaco. “Additional blockchain analysis revealed that these same accounts contained other ransom payments. The FBI traced those to another medical provider in Colorado and potential overseas victims.”
The emergence of blockchain analysis tools of the kind used in this investigation have been immensely helpful to authorities combatting cybercrime. While the supposed anonymity of cryptocurrencies has given rise to a booming ransomware industry, tools like those sold by firms like Chainalysis have helped to unmask that industry — allowing authorities to scan the public blockchain and piece together the activities of its less savory users.
Authorities generally suggest that ransomware victims refuse payment—as it isn’t a surefire way to get your data back. Decryption keys provided by ransomware gangs don’t always work so well—and, once a criminal has your money, there isn’t much incentive for them to help you out, either.