
US seizes stolen funds from suspected North Korean hackers

The US Department of Justice has seized $500,000 (£417,000) worth of Bitcoin from suspected North Korean hackers.

The hackers targeted healthcare providers with a new breed of ransomware and extorted funds from several organizations.

US authorities say they have already returned ransom payments to two hospital groups.

The rare successful seizure comes as US authorities warn that North Korea is becoming a major ransomware threat.

At a conference Tuesday, Assistant Attorney General Lisa O. Monaco praised an unnamed Kansas hospital for alerting the FBI to the ransomware attack early on.

“Not only did this allow us to recover their ransom payment, as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain,” she said.

According to court documents, in May 2021, hackers used the Maui ransomware strain to encrypt the files and servers of a medical center in Kansas.

Typically, ransomware hackers use malicious software to encrypt data or lock users out of the system until a ransom is paid.

The Kansas hospital was unable to access its IT systems for a week, then decided to pay about $100,000 in bitcoin to regain use of its computers and equipment.

It is not illegal to pay ransom to hackers, but it is discouraged by law enforcement agencies around the world.


The FBI said it was quickly notified of the medical center’s payment, meaning officials were able to identify the never-before-seen North Korea-related ransomware and trace the cryptocurrency to China-based money launderers.

The agents were also able to identify another $120,000 Bitcoin payment made into one of the criminal cryptocurrency accounts. It turned out to be a medical provider in Colorado who had just paid a ransom after also being hacked by the Maui ransomware criminals.

The FBI says it returned the money to the two health care providers but didn’t say where the rest of the funds seized came from.

It’s not known how the FBI was able to seize the funds, but Tom Robinson, founder and chief scientist at Elliptic, which analyzes bitcoin payments, told the BBC the seizure may have come about as the hackers attempted to convert their bitcoin into traditional currency at an exchange.

“It is likely that investigators were able to trace the cryptocurrency back to an exchange platform where the money launderers would have sent the funds for withdrawal. Exchanges are regulated entities and can seize their customers’ funds if compelled to do so by law enforcement,” he said.

“Another possibility is that the cryptocurrency was seized directly from the money launderers’ own wallets. This is more difficult as it would require access to the wallet’s private key – a passcode that allows cryptocurrency in a wallet to be accessed and moved.”

US authorities are increasingly using new tactics to claw back funds extorted by cybercriminals operating in jurisdictions such as North Korea and Russia, where law enforcement agencies do not cooperate with Western requests for assistance.

“These seizures are still very rare, and it underscores the value of reporting cyber extortion incidents quickly and working with law enforcement,” says Jen Ellis of cyber security firm Rapid7.

“They won’t always be able to recover payment, but the more information they have about attacker groups’ tactics, techniques, and procedures, the more likely they are to be able to interrupt, deter, and respond to attacks, which benefits everyone.”

Last June, the US recovered most of the $4.4 million ransom paid by Colonial Pipeline to a cybercriminal gang believed to be based in Russia.

In November 2021, the US also recovered $6 million from another ransomware gang called REvil with strong ties to Russia.

Alongside traditional state espionage elements, North Korea has for many years been accused of directing hacks aimed at making money for the pariah state.

North Korean hacking activities are often attributed to the so-called Lazarus group of hackers, who have been accused of trying to take $1 billion from a Bangladeshi bank in 2016.

Last year, the group was linked to lucrative attacks on cryptocurrency platforms, but last month US cyber authorities issued a warning that North Korean hackers were launching ransomware attacks on US hospitals.

Authorities have not provided any evidence that North Korea was behind the attacks, but the joint Cybersecurity Advisory’s assessment of the Maui ransomware found that it “has been used by North Korean state-sponsored cyber actors to target healthcare organizations since at least May 2021.”
