Skip links

DoJ, FBI recover $500,000 in ransomware payments to Maui gang

Federal law enforcement officials this week said they seized about $500,000 that healthcare facilities in the United States paid to the Maui ransomware group.

Maui is a state-sponsored gang linked to the North Korean government that has been targeting health organizations for the past year.

The Department of Justice (DoJ) and FBI recovered the money and seized the Bitcoin used to launder it following an investigation after one of the victims, a medical center in Kansas that paid a ransom after being attacked in May 2021, contacted authorities. It also led to the seizure of $120,000 paid in Bitcoin earlier this year by another healthcare facility in Colorado.

“Not only did [the Kansas facility’s cooperation] allow us to recover their ransom payment as well as ransom paid by previously unknown victims, but we were able to identify a previously unidentified ransomware strain,” Deputy Attorney General Lisa Monaco said in a statement.

“The approach used in this case exemplifies how the Department of Justice is attacking malicious cyber activity from all angles to disrupt bad actors and prevent the next victim.”

According to reports, Monaco expanded on the investigation during a speech at the 2022 International Conference on Cyber Security at Fordham University in New York City.

In the case involving the Kansas healthcare facility, the hospital paid the $100,000 ransom but also contacted the FBI, which traced the payment through the blockchain and identified accounts used by money launderers in China who were working with the North Korean-backed ransomware group.

The authorities in April and May were able to recover both the ransom paid by the Kansas facilities as well as that paid by the Colorado medical providers and victims overseas, according to Monaco.

“What flowed from that virtuous decision [by the Kansas hospital] was: the recovery of their ransom payment; the recovery of ransoms paid by previously unknown victims; the identification of a previously unidentified ransomware strain; all from an investigation that allowed the FBI and its partners to release a cybersecurity advisory to empower network defenders everywhere,” she said.

The Maui ransomware was first detected in May 2021. Researchers linked the attackers to the North Korean government and determined that its targets were healthcare and related operations.

In a joint advisory issued earlier this month, the FBI, Treasury Department, and Cybersecurity and Infrastructure Security Agency (CISA) warned the healthcare sector about Maui, noting that the malware “uses a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption to encrypt” targeted files.

The agencies were unable to determine the initial attack vector, or how the attackers first infected the systems. They also reiterated their message discouraging victims from paying ransoms, a notion that security vendors like bracket f agree with.

“The DoJ’s action on the North Korean actors behind the Maui-based attacks is yet another example of the extent that relevant and dangerous ransomware actors remain focused on our healthcare providers and hospitals,” bracket f CEO Tim Kosiba told The Register in an email. “We must continue to be vigilant in our defense and not pay these ransoms.”

Kosiba added: “It is time that we impose costs on these criminals that continue to threaten the healthcare service providers that do so much to keep our citizens safe and healthy. This activity will not stop until we do, while supporting the FBI and our law enforcement partners do what they can to recover ransoms that have been paid.”

Hospitals and other healthcare facilities are increasingly being targeted by ransomware groups – both state-sponsored and financially motivated – because of the large amounts of highly sensitive data they hold and their tendency to pay the ransomware to regain control of that data.

In a report in June, cybersecurity firm Sophos found that ransomware attacks last year on healthcare organizations almost doubled from 2020. About 66 percent of healthcare facilities surveyed by Sophos were hit with ransomware in 2021, up from 34 percent a year earlier.

The healthcare sector also saw the highest increase in volume of ransomware attacks (69 percent) and perceived complexity (67 percent), as well as the second-highest increase (59 percent) in the impact of the attacks.

The survey – in which 381 healthcare IT professionals were questioned – also put a spotlight on the complicated issue of paying the ransom. Healthcare organizations were most likely to pay, with 61 percent of those attacked doing so. The global average in 2021 was 46 percent. At the same time, the sector last year paid the least amount of ransom – $197,000 compared to the global average of $812,000.

That said, hospitals and other healthcare facilities recover only 65 percent of their data after paying the ransom (down from 69 percent in 2020) and only 2 percent of those paying get all of their data back (again, down from 8 percent the previous year).

Maui isn’t the only ransomware strain preying on the healthcare sector. US Health and Human Services issued a report [PDF] in April noting that the Hive ransomware group, which has been operational since at least June 2021, also aggressively attacks US healthcare facilities. The Hive gang runs double-extortion campaigns – stealing the data as well as encrypting it and threatening to publicly leak the data if the ransom isn’t paid – and operates via a ransomware-as-a-service model. ®