U.S. recovers $500,000 stolen by North Korean hackers who targeted U.S. providers.
The U.S. Justice Department has seized approximately half a million dollars in cryptocurrency paid in ransom to North Korean government-backed hackers by two healthcare organizations and other victims.
Using a ransomware strain called Maui, the hackers encrypted the files and servers of an unnamed medical center in Kansas in May 2021 for one week until the hospital paid approximately $100,000 in Bitcoin to regain use of its computers and equipment.
The hospital notified the FBI, which was able to trace the stolen funds to money launderers in China, according to a complaint filed by the Justice Department in the District of Kansas. “Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain,” said Deputy Attorney General Lisa Monaco on July 19 at the International Conference on Cyber Security.
The malware encrypted servers connected to EHRs, as well as diagnostic, imaging and intranet services, and in some cases disrupted operations for “prolonged periods,” according to a public advisory issued by the FBI and other U.S. agencies.
The FBI again observed the Maui strain in April 2022 when it found a Bitcoin payment of approximately $120,000 made to one of the seized cryptocurrency accounts. It identified the sender as a provider in Colorado that was hacked, and seized the contents of the two cryptocurrency accounts with the funds from both providers. It then began proceedings to forfeit the hackers’ funds and return the stolen money to the victims.
In their advisory, the FBI, the Cybersecurity and Infrastructure Security Agency and the Department of the Treasury recommend that providers limit data access by authenticating system and device connections; turn off network device management interfaces where they are not needed, and protect those that remain with strong passwords and encryption; implement HIPAA security measures to secure PII and PHI; and create and regularly review internal policies around access to PII and PHI.
They also suggest having offline, encrypted data backups, as well as an incident response plan in place. “The relationship between the FBI and our private sector partners is critical to discover, disrupt and dismantle cyber threats to our nation’s infrastructure,” said Special Agent in Charge Charles Dayoub, of the FBI Kansas City Field Division.