U.S. Agencies Seize $500,000 From North Korean Hackers, but the War Is Far From Won

essidsolutions

The U.S. Department of Justice has seized approximately half a million USD worth of Bitcoin that several American companies paid as ransom to North Korean hackers. The update comes a year after two U.S.-based healthcare providers and others paid the ransom in exchange for decrypting their systems.

In May 2021, state-sponsored North Korean threat actors victimized separate healthcare facilities in Kansas and Colorado using the Maui ransomware strain. The hackers are believed to attack foreign systems to extract vast sums in ransom on behalf of the heavily sanctioned North Korean government.

After weeks of unsuccessfully trying to restore its files and systems, the Kansas-based healthcare provider paid $100,000 to the hackers and then disclosed it to the FBI. An investigation into the incident helped trace the cryptocurrency to China-based money launderers and helped investigators uncover a new ransomware strain, Deputy Attorney General Lisa Monaco said.

The DoJ particularly commended the unnamed Kansas hospital’s disclosure to law enforcement, which made it possible to trace the cryptocurrency. The FBI recommends against paying a ransom, since payment doesn’t guarantee the safe return of systems or data. But if organizations do decide to pay, the agency urges them to report it.

“In sum, a medical center in Kansas did the right thing at a moment of crisis and called the FBI,” Monaco said at the 2022 International Conference on Cyber Security. “What flowed from that virtuous decision was: the recovery of their ransom payment; the recovery of ransoms paid by previously unknown victims; the identification of a previously unidentified ransomware strain; all from an investigation that allowed the FBI and its partners to release a cybersecurity advisory to empower network defenders everywhere.”

Presently, only a fraction of the total ransomware victims who pay a ransom report it to law enforcement. It is unclear how much the Colorado-based healthcare provider, also unnamed, paid to the North Korean hackers.

One of the U.S. government’s recent wins over ransomware actors was the recovery of nearly $2.3 million, over half of the amount Colonial Pipeline paid to the DarkSide ransomware gang. The federal action followed the ransomware group’s crippling of gasoline supply to the East Coast for almost a week in May 2021.


The attack against Colonial Pipeline and other critical infrastructure organizations in the U.S. blew open the discourse around the need for decisive action against ransomware operators. Soon after, in October 2021, Sen. Elizabeth Warren (D-MA) and Rep. Deborah Ross (D-NC) introduced the Ransomware Disclosure Act, which would require companies, local governments, and nonprofits to disclose any ransomware payments within 48 hours.

According to the Ransomware Disclosure Act, victims would need to disclose the date on which the ransom was demanded, the date on which it was paid, the amount demanded, the amount actually paid, the currency in which the ransom was paid (cryptocurrency included), and the identity of the attacker, if known to the victim.

North Korean hackers have gained notoriety in recent years for targeting businesses, especially in the U.S. and South Korea, primarily to steal money to fund the Kim regime’s nuclear and ballistic missile programs. In the seven known attacks on cryptocurrency platforms by DPRK-sponsored threat actors in 2021, a total of $400 million worth of digital assets was stolen.

Source: Chainalysis

More recently, Lazarus Group, also associated with the North Korean state, stole $620 million from the Ronin Network. According to Symantec, Lazarus has also restarted Operation Dream Job and is engaged in a cyber espionage campaign targeting South Korean organizations in the chemical sector.

The U.S. government has sanctioned the Lazarus Group and multiple cryptocurrency exchanges that ransomware gangs and other threat actors use to launder the illicit proceeds.
