The US Justice Department seized approximately half a million dollars that North Korean government-backed hackers had either extorted from US health care organizations or used to launder ransom payments, deputy Attorney General Lisa Monaco said Tuesday as she touted an aggressive US strategy to claw back money for victims of ransomware attacks.
The North Korean hackers hit a medical center in Kansas last year, encrypting computer systems the facility relied on to operate key equipment, and another medical provider in Colorado, Monaco said in a speech at Fordham University in New York. US authorities have started the process of returning the extorted funds to victims, Monaco said.
The series of ransomware attacks from North Korea – whose hackers generally either funnel money to the regime or enrich themselves – in some cases disrupted health services at the organizations for “prolonged periods,” US agencies said in a public advisory this month.
But Monaco lauded the unnamed Kansas organization for reporting the incident to the FBI and urged more US companies to do so to help the bureau disrupt a ransomware ecosystem that thrives on victims keeping quiet.
The report from the Kansas facility allowed the FBI to identify a new type of ransomware used by the North Koreans, Monaco said, and ultimately seize ransom payments along with cryptocurrency from China-based money-launderers working for the North Koreans.
The episode is indicative of the challenge facing US law enforcement in recovering the many millions of dollars that US businesses have typically paid ransomware groups in Russia, Eastern Europe and elsewhere in a given year.
US cybersecurity officials, for example, have long complained that they are aware of only a fraction of the ransomware extortions of businesses and local governments. But under a law signed by President Joe Biden in March, certain critical infrastructure firms have 72 hours to report ransom payments to the government.
Justice Department officials are hoping that their appeal for voluntary cooperation from victims, along with the new legal requirements, will give them a more complete picture of ransomware groups who have disrupted US critical infrastructure in brazen attacks.
Justice officials in June 2021 seized roughly half of the estimated $4.4 million ransom payment that Colonial Pipeline, which provides roughly 45% of the fuel consumed on the East Coast, paid to Russian-speaking hackers. That ransomware attack shut down the pipeline for days and prompted long lines at gas stations in multiple states.
The seizures are enabled by investments that the FBI, Secret Service and Treasury Department make in tracking cryptocurrency payments to cybercriminal groups, including payments that might violate US sanctions. The FBI formed a new team of cryptocurrency experts earlier this year that focuses on blockchain analysis and seizing digital money.
The roughly $500,000 seizure announced Tuesday, though, pales in comparison to the hundreds of millions of dollars that North Korean hackers have obtained in breaches of cryptocurrency exchanges in recent years. Those heists – and North Korean efforts to apply for jobs at US cryptocurrency firms to fund the regime’s nuclear weapons program – have prompted US officials to conduct a series of threat briefings for companies in recent months, a CNN investigation found.
The FBI has in recent weeks reached out to private-sector experts to better understand the new ransomware allegedly used by the North Koreans.
Allan Liska, senior intelligence analyst at cybersecurity firm Recorded Future, told CNN he met with FBI officials this week to exchange information on the North Korean ransomware.