
DOJ Seizes $500K From Maui Ransomware Following Healthcare Cyberattacks

The DOJ announced that it seized $500K stemming from healthcare cyberattacks committed by North Korean-backed Maui ransomware.

The US Department of Justice (DOJ) seized and forfeited approximately $500,000 from North Korean-backed Maui ransomware actors, who committed multiple healthcare cyberattacks, according to a DOJ press release.

In May 2022, the announcement explained, the Federal Bureau of Investigation (FBI) filed a seizure warrant for ransoms paid by two healthcare providers in Kansas and Colorado.

“Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain,” Lisa O. Monaco, deputy attorney general, explained at the International Conference on Cyber Security, held at Fordham University.

“The approach used in this case exemplifies how the Department of Justice is attacking malicious cyber activity from all angles to disrupt bad actors and prevent the next victim.”

In early July, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of the Treasury released a joint advisory warning the healthcare sector about Maui ransomware.

“Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations. North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services,” the advisory stated.

“In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods. The initial access vector(s) for these incidents is unknown.”

The DOJ’s recent announcement shed additional light on the nature of Maui ransomware and some key events that led to the seizure and forfeiture of half a million dollars.

In May 2021, North Korean hackers used Maui ransomware to encrypt the files and servers of a medical center in the District of Kansas. The medical center paid $100,000 in Bitcoin to the hackers after being unable to access the encrypted servers for more than a week. Because the hospital notified the FBI immediately, the FBI was able to identify the ransomware and trace the cryptocurrency to China-based money launderers.

In April 2022, the FBI observed a $120,000 Bitcoin payment into one of the seized cryptocurrency accounts thanks to the Kansas hospital’s collaboration. That payment was confirmed by the Colorado medical provider and led to the FBI being able to seize the contents of two cryptocurrency accounts that had received funds from the Colorado and Kansas providers.

“Today’s announcement reiterates the FBI and Justice department’s continued commitment to working with our critical infrastructure and private sector partners to identify and dismantle cyber threats, including new and emerging ransomware variants,” Charles Dayoub, special agent in charge of the FBI Kansas City Field Division, said in the announcement.

“Because of swift reporting by the victim medical center, action was taken to lessen the loss to the victim company, as well as identify the malware deployed, preventing additional cyber-attacks. The relationship between the FBI and our private sector partners is critical to discover, disrupt and dismantle cyber threats to our nation’s infrastructure.”
