The Justice Department today announced a complaint filed in the District of Kansas to forfeit cryptocurrency paid as ransom to North Korean hackers or otherwise used to launder such ransom payments. The seized funds amounting to half a million US dollars, include ransoms paid by health care providers in Kansas and Colorado.
Deputy Attorney General Lisa O. Monaco said at the International Conference on Cyber Security:
“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui.’”
Malwarebytes recently reported on the North Korean APT that targets US healthcare sector with Maui ransomware. The FBI started responding to incidents involving Maui in May 2021. Unlike the ransomware we usually see that plagues organizations and regularly hits the news, Maui is never sold or offered to affiliates as a ransomware-as-a-service (RaaS) tool. It is, instead, developed and used privately for state-backed actors.
New at the time
According to court documents, in May 2021, North Korean hackers used a ransomware strain called Ransom.Maui to encrypt the files and servers of a medical center in the District of Kansas. After more than a week of being unable to access encrypted servers, the Kansas hospital paid approximately $100,000 in Bitcoin to regain the use of its computers and equipment. Because the Kansas medical center notified the FBI and cooperated with law enforcement, the FBI was able to identify the never-before-seen North Korean ransomware and trace the cryptocurrency to China-based money launderers.
Follow the money
In April 2022, the FBI observed a payment of approximately $120,000 in Bitcoin into one of the seized cryptocurrency accounts identified thanks to the cooperation of the Kansas hospital. The following investigation confirmed that a medical provider in Colorado had just paid a ransom after being hacked by actors using the same Maui ransomware strain. In May 2022, the FBI seized the contents of two cryptocurrency accounts that had received funds from the Kansas and Colorado health care providers. The District of Kansas then began proceedings to forfeit the hackers’ funds and return the stolen money to the victims.
Not the first time
We’ve seen ransomware recoveries in the past and we hope to see many more in the future. The most well known and probably one of the first was when the US Department of Justice recovered much of the ransomware payment that Colonial Pipeline paid to free itself from the attack that derailed the oil and gas supplier’s operations for several days.
Another example: The University of Maastricht in the Netherlands was hit by ransomware in December 2019 and paid a ransom of 197,000 Euro in Bitcoin. A part of this ransom was recovered in 2020 from a laundering operation in Ukraine. Due to the difference in Bitcoin prices, the University received a return payment of 500,000 Euro. The “profit” will be donated to disadvantaged students.
Even though ransom recovery is a good thing, it only happens on rare occasions and the general advice is to refrain from paying ransoms. It doesn’t guarantee you will get your data back, nor does it free you from recovery costs (because you still have to harden your system against the next attack), and it marks you as a target for repeat attacks.
Although Maui may be a little different from run-of-the-mill ransomware, the steps to protect against it are not:
- Maintain offsite, offline backups of data and test them regularly.
- Create a cybersecurity response plan.
- Keep operating systems, applications, and firmware up to date.
- Disable or harden remote desktop protocol (RDP).
- Require multi-factor authentication (MFA) for as many services as possible.
- Require administrator credentials to install software.
- Report ransomware incidents to your local FBI field office.
Stay safe, everyone!