The Feds Recovered the Money Spent in the ‘Maui’ Ransomware Attacks
Marianne Kolbasuk McGee (HealthInfoSec) •
July 19, 2022
The US Department of Justice has recovered approximately $500,000 worth of illicit cryptocurrency from North Korean hackers who launched Maui ransomware attacks against at least two US medical facilities.
Deputy Attorney General Lisa Monaco, speaking at Fordham University today, said the victims included a Kansas medical center and a Colorado medical provider.
Monaco’s disclosure comes about two weeks after the federal government warned the healthcare industry about attacks by North Korean state-sponsored groups involving Maui ransomware (see: Feds Warn Healthcare Industry About ‘Maui’ Ransomware Threats).
Maui ransomware takes its name from the executable file used to encrypt victims’ files. North Korea is well known for its use of ransomware, which it relies on to raise the money it spends developing weapons of mass destruction. A 2019 United Nations panel estimated that cybercrime had earned about $2 billion for the hereditary totalitarian regime in Pyongyang, an amount that has only increased since.
The healthcare industry is an attractive target for ransomware attackers given its reluctance to disrupt patient care. A recent investigation commissioned by cybersecurity firm Sophos found that healthcare ransomware attacks have skyrocketed over the past two years and that healthcare is the sector most likely to pay a ransom (see: Hackers claim to have stolen drug data as reports warn healthcare industry).
In last year’s attack on the Kansas Medical Center, North Korean cyber actors encrypted the hospital’s servers used to store critical data and operate critical equipment.
The attackers left behind a note demanding a ransom, and they threatened to double it within 48 hours, Monaco said.
“At that point, the hospital management was faced with an impossible choice: give in to the ransom demand or cripple the ability of doctors and nurses to provide intensive care. Without a real choice, the hospital management paid the ransom,” she said.
But the hospital also notified the FBI, which worked with federal prosecutors to trace the ransom payment through the blockchain and identify the then-unknown Maui ransomware variant, she said.
FBI agents have identified China-based money launderers working to conceal the ransom payment.
Additional blockchain analysis found that those same accounts contained other ransom payments, which the FBI traced to a medical provider in Colorado, as well as potential victims overseas, Monaco said.
“We seized approximately $500,000 in ransom payments and cryptocurrency used to launder those payments,” she said. The recovery included all of the ransom paid by the Kansas Medical Center, as well as what federal authorities believe were ransoms paid by other victims, including the Colorado-based medical provider.
A good start
Some experts say the recovery by US authorities of money paid to nation-state-backed cyber extortionists is remarkable, but it is unlikely to make a significant difference overall.
“I don’t believe it will deter further attacks. The potential for an attack like this is too high, and for every crisis that follows an attack, there are dozens of attacks without [a clawback],” says Erick Galinkin, senior artificial intelligence researcher at security firm Rapid7.
“We need to have more consistent seizures, more consistent prosecutions, a stable security posture, and more victims who aren’t paying for attackers to decide that cybercriminality does not pay,” he adds.
Still, it is important to show state sponsors of the hack that the US government is “willing and able to defend American businesses that fall victim to cyberattacks,” says Jason G. Weiss, a retired FBI surveillance officer who is now an attorney at the law firm Faegre Drinker Biddle & Reath LLP.
Although the threat actors themselves have not yet been arrested or charged, this disclosure sends a message that the US government knows who they are and that they are neither anonymous nor beyond the reach of US law enforcement, Weiss adds. “If they ever leave North Korea, they risk being arrested and extradited to the United States.”