DOJ seized ransoms paid by health centers in Kansas, Colorado after 2021 attacks

Deputy Attorney General Lisa Monaco said the Justice Department seized and returned about $500,000 paid to a ransomware group connected to the North Korean government after two attacks on U.S. healthcare facilities last year.

Monaco, speaking Tuesday at the International Conference on Cyber Security at Fordham University, said the Maui ransomware deployed by North Korean hackers was used to attack a medical center in Kansas and a healthcare organization in Colorado. Government agencies in recent weeks issued warnings about Maui, which had not been widely tracked by cybersecurity experts.

The group encrypted the servers at the Kansas medical center and left a note demanding a ransom that they said would double in 48 hours, according to Monaco.

"In that moment, the hospital's leadership faced an impossible choice: give in to the ransom demand or cripple the ability of doctors and nurses to provide critical care. Left with no real choice, the hospital's leadership paid the ransom. But they also notified the FBI," Monaco told the conference audience.

She said the FBI and DOJ had never seen the Maui ransomware before that incident and managed to trace the ransom payment in a the same way the agencies did with the ransom paid by Colonial Pipeline last year.

The funds were traced to unnamed money laundering services based in China, and Monaco noted that organizations based in that country often help North Korean actors transfer stolen funds through hacks and ransomware into fiat currency.

"Additional blockchain analysis revealed that these same accounts contained other ransom payments. The FBI traced those to another medical provider in Colorado and potential overseas victims," Monaco said.

"All this digital sleuthing paid off several weeks ago. From the money laundering account, we seized approximatively half a million dollars in ransom payments and cryptocurrency used to launder those payments."

The funds seized included all of the money paid by the Kansas medical center and ransoms paid by other victims including the medical provider in Colorado.

Monaco cited the advisory released by the FBI, Treasury Department and the Cybersecurity and Infrastructure Security Agency (CISA) earlier this month about the Maui ransomware group, noting that much of that report came from the investigations that led to the seizures.

The report said the Maui ransomware caused “prolonged” outages and was used to encrypt servers responsible for electronic health records services, diagnostic services, imaging services, and intranet services.

Ransomware attacks on healthcare organizations have continued throughout 2021 and 2022, including recent attacks on a California nonprofit in March by the Hive ransomware group. 

FBI Director Christopher Wray said last month that an Iran-based group attacked the Boston Children’s Hospital with ransomware last June.