The US authorities have managed to return half a million dollars to several corporate victims, including healthcare providers forced to pay up after being infected by a new ransomware strain.
North Korean actors are thought to be behind the Maui variant, which was used to target US healthcare organizations (HCOs) since at least May 2021.
The US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory detailing the threat earlier this month.
However, in an update yesterday, the Department of Justice (DoJ) revealed that DoJ and FBI investigators had been able to track, seize and return two ransom payments made by HCOs in Kansas and Colorado.
The unnamed Kansas provider was attacked in May 2021 and, after over a week without server access, decided to pay the threat actors $100,000 for a decryption key.
Because the HCO contacted the FBI immediately, the FBI was able to identify the new ransomware strain and trace the Bitcoin payment to China-based money launderers, according to the DoJ.
Blockchain analysis of those Bitcoin accounts revealed that other payments had been made by corporate ransomware victims, including a sum of $120,000 linked to the Colorado-based HCO almost a year later, in April 2022.
The following month, the DoJ seized the cryptocurrency accounts linked to the money launderers and was able to retrieve a total of $500,000 in payments to the two HCOs and other victims.
“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as Maui,” said deputy attorney general Lisa Monaco.
“Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain. The approach used in this case exemplifies how the DoJ is attacking malicious cyber activity from all angles to disrupt bad actors and prevent the next victim.”
However, bracket f CEO, Tim Kosiba, urged healthcare providers to stay alert to the threat.
“We must continue to be vigilant in our defense and not pay these ransoms. It is time that we impose costs on criminals that continue to threaten the healthcare service providers that do so much to keep our citizens safe and healthy,” he added.
“This activity will not stop until we do, while the FBI and our law enforcement partners do what they can to recover ransoms that have been paid.”