FBI recovers $500,000 paid to the North Korean ransomware hackers

Maui ransomware collected funds from healthcare organizations got seized by the Department of Justice

DoJ seizes around half a millionRansomware gang from North Korea attacked healthcare providers and reports from victims helped FBI to collect payments of close to half a million

The U.S Department of Justice announced the seizure of the Bitcoin funds from north Korean hackers responsible for the ransomware deployment. The sum of $500,000 in cryptocurrency was extorted from several organizations using the Maui ransomware virus.[1]

The particular Kansas hospital incident in May 2021 reports helped to discover this new strain of ransomware, and the cooperation between the victim and the security experts led to a full-on analysis of activities and the seizure of collected funds. Ransom demands were paid by healthcare providers in Kansas and Colorado, according to the DoJ report.[2]

North Korean hackers used a ransomware strain called Maui to encrypt the files and servers of a medical center in the District of Kansas. After more than a week of being unable to access encrypted servers, the Kansas hospital paid approximately $100,000 in Bitcoin to regain the use of their computers and equipment.

A few weeks back, Maui ransomware activities were reported by the CISA and FBI as an operation held by the North Korean-backed group.[3] These attacks against the healthcare and public health organizations show the selection of particular targets and how cyber threat infections can lead to life-threatening service outtakes.

The recovery of ransoms

The agency took control of two cryptocurrency accounts that were used to receive these particular ransom payments. The two payments from medical centers were identified, and other sums were from unidentified organizations. FBI tracked another payment of $120,000 from the medical provider in Colorado shortly after their takeover. Another sum of $280,000 got recovered in May 2022, and the total retrieval amounted to almost half a million USD.

The seizure is one of many ransom payment recovery procedures held by law enforcement over the past few years:

  • NetWalker affiliate payment seizure;[4]
  • The recovery of $4,400,000 Colonial Pipeline payment collected after the DarkSide ransomware attack;
  • Seizure of $6,000,000 from the REvil ransomware group partner Kasyea attack;
  • The recovery of $2,300,000 was collected from the REvil and GandCrab affiliate.

The amount recovered is not that significant when compared to other ransom payment recovery incidents this success shows that the early report can do major things for the ransomware attack recovery. Law enforcement can follow the money trail easier when the payment and the attack are fresh and still possibly ongoing.

Ransomware attacks not slowing down

Even though these ransom payments sometimes get recovered, and victims can get their funds back, and only happens with large targets and major companies that get ransomware attack strikes. For simple users, these ransom payment recoveries are very rare because to trace the money and analyze the ransomware strain, researchers need a lot of information and time.

Also, ransomware attacking simple everyday users and their machines spread quickly and can affect many devices at once. These common ransomware threats get developed and released constantly. There are prominent families like Djvu to Dharma, GandCrab, and Conti ransomware that create versions weekly/monthly. However, there are occasional new strains released.

These ransomware viruses get to employ affiliates that help with malware deployment and use hacker forums[5] for promotional purposes. Cybercriminals who create these file-locker malware pieces can make a profit from people who pay the demanded ransom directly, from double-extortion when victims do not pay, from hackers who pay for services or the code of the threat. It seems that ransomware has evolved but does not stop affecting devices and companies all over the world.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions