U.S. law enforcement authorities said on Tuesday that they have seized nearly half a million dollars in cryptocurrency that was paid as ransom to alleged North Korean hackers and their accomplices by two U.S. hospitals and other victims.
The seizure, made in May, comes as the Biden administration steps up its efforts to disrupt cybercriminals that increasingly target critical U.S. infrastructure, such as hospitals and energy companies, for ransom.
Deputy Attorney General Lisa Monaco, who leads the Justice Department's agencywide efforts to combat cyberthreats, announced the seizure at a cybersecurity conference in New York.
"Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as 'Maui,'" Monaco said.
The hackers, she said, used a strain of malware known as Maui to encrypt a Kansas-based hospital's servers and files, demanding a ransom payment in exchange for the key to unlock the data. The attack took place in May 2021, and the cybercriminals threatened to double the ransom amount within 48 hours, according to court documents unsealed Tuesday.
"In that moment, the hospital's leadership faced an impossible choice: Give in to the ransom demand or cripple the ability of doctors and nurses to provide critical care," Monaco said.
After failing to regain access to their servers for more than a week, the hospital paid the hackers about $100,000 in Bitcoin. But the medical center also notified the FBI, allowing federal investigators to identify the malware and trace this and other ransom payments to Chinese money launderers who help North Korean cybercriminals convert cryptocurrency into fiat currency, the Justice Department said.
"Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain," Monaco said.
One previously unknown victim was a Colorado-based hospital, according to court documents. The unidentified hospital made a ransom payment of about $120,000 into one of the cybercriminals' two cryptocurrency accounts in April 2022, court documents show.
The following month, the FBI seized the contents of the two accounts. Officials did not identify the other victims but said they've begun legal proceedings to forfeit the funds and return the money to the victim organizations.
"Reporting cyber incidents to law enforcement and cooperating with investigations not only protects the United States, it is also good business," Assistant Attorney General Matthew G. Olsen of the Justice Department's National Security Division said in a statement. "The reimbursement to these victims of the ransom shows why it pays to work with law enforcement."
North Korea and China have long denied any involvement in ransomware attacks against U.S. companies and organizations.
The investigation into the ransom payments led the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Treasury Department to issue an alert about the Maui ransomware earlier this month. The agencies warned potential victims that paying ransom would violate U.S. sanctions and urged them to report any attacks to the FBI.
Monaco praised the Kansas hospital for alerting the FBI.
"What flowed from that virtuous decision was the recovery of their ransom payment, the recovery of ransoms paid by previously unknown victims, (and) the identification of a previously unidentified ransomware strain," she said.
In a ransomware attack, hackers lock a company's data, offering keys to unlock the files in exchange for a large sum of money.
In recent years, ransomware attacks have grown in frequency, with cybercriminals attacking schools, hospitals and local governments, among other victims.
In its latest annual threat assessment, the U.S. intelligence community warned in February that cybercriminals "are increasing the number, scale, and sophistication of ransomware attacks, fueling a virtual ecosystem that threatens to cause greater disruptions of critical services worldwide.
"These criminals are driven by the promise of large profits, reliable safe havens from which to operate, and a decreasing technical barrier to entry for new actors," the report said.
To combat the growing threat, the Justice Department last year launched the Ransomware and Digital Extortion Task Force and the National Cryptocurrency Enforcement Team.
The FBI has long encouraged victims of ransomware to alert authorities instead of caving in to cybercriminals' demands. But a recent survey found that nearly half of organizations targeted in a ransomware attack last year made a payment to regain their data.
Even so, reporting a ransomware attack allows the FBI the opportunity to recover funds.
Last year after Colonial Pipeline paid hackers $4.4 million to regain access to critical data following a ransomware attack, the FBI recovered almost half of the payment.