Date: 2022-07-19

TOPEKA, Kan. (WIBW) - Thanks to the quick action and reporting of a Kansas medical center, the Department of Justice and FBI were able to recover about $500,000 in funds paid as ransom to North Korea after medical servers in two states were hacked.

The U.S. Justice Department announced on Tuesday, July 19, that a complaint was filed in the District of Kansas to forfeit cryptocurrency paid by healthcare companies as ransom to North Korean hackers. In May 2022, it said the Federal Bureau of Investigation filed a sealed seizure warrant for the funds worth about half a million dollars.

The Justice Department noted that the seized funds include ransoms paid by health care providers in both Kansas and Colorado.

“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui,’” said Deputy Attorney General Lisa O. Monaco today at the International Conference on Cyber Security. “Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain. The approach used in this case exemplifies how the Department of Justice is attacking malicious cyber activity from all angles to disrupt bad actors and prevent the next victim.”

Court documents indicate that in May 2021, North Korean hackers used the Maui strain to encrypt files and servers of a medical center in the Sunflower State. After more than a week of being unable to access its servers, the hospital paid about $100,000 in Bitcoin to regain the use of its equipment. Because the medical center did notify and cooperate with the FBI, agents were able to identify the never-before-seen ransomware and trace the crypto back to China-based money launderers.

“Reporting cyber incidents to law enforcement and cooperating with investigations not only protects the United States, it is also good business,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “The reimbursement to these victims of the ransom shows why it pays to work with law enforcement.”

As a result of the cooperation, in April 2022, the DOJ said the FBI saw about $120,000 in Bitcoin paid into one of the seized accounts identified thanks to the Kansas hospital. The investigation confirmed a medical provider in Colorado had just paid a ransom after it was attacked with the same ransomware.

In May 2022, documents show that the FBI seized the contents of two accounts that had received funds from the health care providers. The District of Kansas then proceeded to forfeit the hackers’ funds and return the stolen money to the victims.

“These sophisticated criminals are constantly pushing boundaries to search for ways to extort money from victims by forcing them to pay ransoms in order to regain control of their computer and record systems,” said U.S. Attorney Duston J. Slinkard for the District of Kansas. “What these hackers don’t count on is the tenacity of the U.S. Justice Department in recovering and returning these funds to the rightful owners.”

On July 6, 2022, the DOJ said that based on information gathered during its investigation, the FBI, the Cybersecurity and Infrastructure Security Agency and the Department of the Treasury issued a joint cybersecurity advisory about the North Korean threat to health care in the nation - which includes indicators of compromise and mitigation advice.

