The US Department of Justice (DOJ) has managed to seize $715,000 ($US500,000) in Bitcoin from North Korean ransomware actors, marking a rare and significant victory against rampant cryptocurrency-driven ransom attacks.
The funds were stolen in a series of attacks on US healthcare providers, in which a new strain of ransomware called Maui was used to extort payments from several hospitals and medical facilities.
Deputy Attorney General Lisa Monaco addressed the matter at a recent cyber security conference, stating that the FBI and Justice Department "traced the ransom payment through the blockchain."
From here, they followed the ransom through a series of crypto breadcrumbs that led to China-based money launderers.
The DOJ reports that it has already returned a significant portion of the stolen funds to two hospital groups victimised by the attacks.
Maui ransomware infects hospital
According to court documents, North Korean hackers used the ransomware strain, Maui, to encrypt the files and servers of a Kansas-based medical centre.
The Maui ransomware infection left staff locked out of the encrypted servers for more than a week.
In the meantime, the hackers left a note demanding a bitcoin ransom worth $143,000 ($US100,000), threatening to double it if left unpaid after 48 hours.
This placed Kansas hospital staff in a difficult situation – either pay out a criminal ransom, or significantly hinder the hospital's ability to deliver critical health care.
The hospital opted to hand over the $143,000 ransom.
While this decision contradicts the FBI's advice to avoid paying ransoms (since doing so encourages further attacks and does not guarantee that data or compromised systems will be safely restored), the hospital quickly made a report to the FBI detailing the incident and the subsequent ransom payment.
Monaco offered high praise for the Kansas-based hospital's rapid reporting and cooperation, stating, "Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain."
Tracing the ransom
Once the FBI was made aware of the incident, it was able to identify the Maui strain of ransomware and trace the $143,000 in Bitcoin to a collection of money launderers known for the conversion of cryptocurrency to fiat.
From there, the FBI uncovered a further $171,000 ($US120,000) payment linked to one of the seized cryptocurrency accounts.
This payment was later connected to a medical provider in Colorado that had just paid a ransom involving the same strain of Maui ransomware.
In May 2022, the FBI successfully seized funds from two cryptocurrency accounts that had extorted payments out of the Kansas and Colorado health care providers.
Cryptocurrency, by design, is extremely difficult to track and reclaim, which is why cyber criminals have adopted cryptocurrencies such as Bitcoin as their preferred means of payment in ransomware attacks.
Transferring cryptocurrency typically requires access to the holder's elusive private keys, as was the case when the FBI seized a sizable portion of the Bitcoin ransom tied to the 2021 Colonial Pipeline attack.
While the DOJ has not entirely disclosed its methods for reclaiming the extorted funds of these recent Maui attacks, the consensus among cyber security experts is that the payments were traceable after attackers tried to cash out the ransoms into fiat currency.
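To make the "follow the money" idea in this section concrete, here is an added illustration (not DOJ or FBI tooling, and not code from the original article) of what tracing a ransom payment through a public ledger involves. It walks a small constructed transaction graph downstream from a ransom address until it reaches addresses an analyst has attributed to a custodial service, which is the point at which funds can be frozen or seized through legal process. It also shows why a second victim's payment can be linked to "one of the seized cryptocurrency accounts": two ransom addresses converging on the same cash-out address. All addresses, transaction ids, amounts and attributions are constructed sample data.

```python
"""Follow-the-money over a small constructed transaction graph.

Added example for this article, not DOJ/FBI tooling: it shows, in miniature,
what "tracing a ransom through the blockchain" means. Addresses, txids,
amounts and the exchange attributions below are all constructed.
"""
from collections import defaultdict, deque

# Constructed ledger (not real Bitcoin data): each transaction spends from its
# input addresses and pays its outputs as (address, amount_btc).
SAMPLE_LEDGER = [
    {"txid": "tx1", "inputs": ["victimA"], "outputs": [("ransomA", 2.0)]},
    {"txid": "tx2", "inputs": ["ransomA"], "outputs": [("hop1", 1.5), ("hop2", 0.5)]},
    {"txid": "tx3", "inputs": ["hop1"], "outputs": [("mixer_out", 1.49)]},
    # tx4 co-spends a ransom-derived output with an "unrelated" input; such
    # co-spending is itself a clustering signal analysts use, not modelled here.
    {"txid": "tx4", "inputs": ["hop2", "unrelated"], "outputs": [("exchange_dep1", 0.8)]},
    {"txid": "tx5", "inputs": ["mixer_out"], "outputs": [("exchange_dep2", 1.0), ("change1", 0.49)]},
    {"txid": "tx6", "inputs": ["victimB"], "outputs": [("ransomB", 1.0)]},
    {"txid": "tx7", "inputs": ["ransomB"], "outputs": [("exchange_dep1", 0.99)]},
]

# Constructed attribution data: addresses tied to a custodial service, i.e.
# the point where converting to fiat makes the funds reachable by legal process.
ATTRIBUTIONS = {
    "exchange_dep1": "ExchangeX deposit (constructed)",
    "exchange_dep2": "ExchangeY deposit (constructed)",
}


def build_spend_index(ledger):
    """Map each address to the transactions that spend from it."""
    spends = defaultdict(list)
    for tx in ledger:
        for addr in tx["inputs"]:
            spends[addr].append(tx)
    return spends


def trace_forward(ledger, start, attributions, max_hops=6):
    """Breadth-first walk downstream from `start`.

    Returns one record per attributed (cash-out) address reached, with the
    address path that led there, the final transaction and the amount paid
    into the cash-out address. Each address is visited once, so a second
    route to the same address is not reported separately.
    """
    spends = build_spend_index(ledger)
    hits = []
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        addr = path[-1]
        if len(path) - 1 >= max_hops:  # hop budget exhausted on this branch
            continue
        for tx in spends.get(addr, []):
            for out_addr, amount in tx["outputs"]:
                if out_addr in seen:
                    continue
                seen.add(out_addr)
                new_path = path + [out_addr]
                if out_addr in attributions:
                    # Cash-out reached: record it and stop following this branch.
                    hits.append({
                        "cash_out": out_addr,
                        "label": attributions[out_addr],
                        "path": new_path,
                        "last_txid": tx["txid"],
                        "amount_btc": amount,
                    })
                else:
                    queue.append(new_path)
    return hits


def shared_cash_outs(ledger, ransom_addresses, attributions):
    """Group ransom addresses by the cash-out addresses they have in common.

    A cash-out address reached from two different ransom addresses is how an
    investigation links a second, previously unknown victim to funds that were
    already under scrutiny.
    """
    reached = defaultdict(set)
    for ransom in ransom_addresses:
        for hit in trace_forward(ledger, ransom, attributions):
            reached[hit["cash_out"]].add(ransom)
    return {co: sorted(rs) for co, rs in reached.items() if len(rs) > 1}


if __name__ == "__main__":
    for hit in trace_forward(SAMPLE_LEDGER, "ransomA", ATTRIBUTIONS):
        print(" -> ".join(hit["path"]), f"[{hit['label']}, {hit['amount_btc']} BTC]")
    print("shared cash-outs:", shared_cash_outs(SAMPLE_LEDGER, ["ransomA", "ransomB"], ATTRIBUTIONS))
```

The walk is deliberately simple: it treats any downstream output as "tainted" regardless of amount, caps the hop count so a hop-heavy laundering chain does not explode the search, and stops at the first attributed address on each branch. Real chain-analysis tooling adds amount-proportional taint, address clustering from co-spent inputs, and far larger attribution datasets, but the core investigative question it answers is the same one the article describes: where did the ransom go, and at which custodial service did it become reachable.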
The remainder of the $US500,000 in seized funds comes from a range of healthcare providers the DOJ did not disclose.
North Korea ramps up hacks
North Korea has for years been accused of both state-sponsored cyberattacks and commonplace cyber scams.
In 2021, a report revealed that North Korean cyber criminals had procured approximately $572 million ($US400 million) in digital assets.
The FBI, in cooperation with the Cybersecurity and Infrastructure Security Agency and the Department of the Treasury, issued a joint cybersecurity advisory on the North Korean threat to US health care, offering insights and mitigation advice drawn from prior investigations.
Monaco further emphasised that in combating ransom attacks, public and private sector organisations will need to join forces, stating, "The key to our ability to take disruptive action is to work together."
"If you report that attack, if you report the ransom demand and payment, if you work with the FBI, we can take action; we can follow the money and get it back; we can help prevent the next attack, the next victim; and we can hold cybercriminals accountable," she added.