FBI seized $500,000 worth of bitcoin obtained from Maui ransomware attacks

Pierluigi Paganini July 23, 2022

The U.S. DoJ seized $500,000 worth of Bitcoin from North Korea-linked threat actors who are behind the Maui ransomware.

The U.S. Department of Justice (DoJ) has seized $500,000 worth of Bitcoin from North Korean threat actors who used the Maui ransomware to target several organizations worldwide.

“The Justice Department today announced a complaint filed in the District of Kansas to forfeit cryptocurrency paid as ransom to North Korean hackers or otherwise used to launder such ransom payments. In May 2022, the FBI filed a sealed seizure warrant for the funds worth approximately half a million dollars.” reads the announcement published by DoJ. “The seized funds include ransoms paid by health care providers in Kansas and Colorado.”

In May 2021, threat actors infected the servers of the medical center in the District of Kansas. The Kansas hospital opted to pay approximately a $100,000 ransom in Bitcoin to receive a decryptor e recover the encrypted files. The Kansas medical center notified the FBI, which investigated the incident and was able to identify the previously unknown Maui ransomware and trace the payment to China-based money launderers.

In April 2022, the FBI observed an approximately $120,000 Bitcoin payment into one of the seized cryptocurrency accounts that were identified thanks to the cooperation of the Kansas hospital.

Feds confirmed that the funds were related to the payment of a medical provider in Colorado that was hit by the Maui ransomware. In May 2022, the FBI seized two cryptocurrency accounts that were used by the threat actors to receive the payments from the Kansas and Colorado health care providers. The District of Kansas then began proceedings to forfeit the hackers’ funds and return the stolen money to the victims.

“Reporting cyber incidents to law enforcement and cooperating with investigations not only protects the United States, it is also good business”, said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “The reimbursement to these victims of the ransom shows why it pays to work with law enforcement.”

Earlier this month, the FBI, CISA, and the U.S. Treasury Department issued a joint advisory that warn of North Korea-linked threat actors using Maui ransomware in attacks aimed at organizations in the Healthcare sector.

“The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) are releasing this joint Cybersecurity Advisory (CSA) to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.” reads the advisory published by US authorties.

The attacks against Healthcare and Public Health (HPH) Sector organizations started in May 2021 and government experts observed multiple cases that involved the use of the Maui ransomware.

The report provides information about tactics, techniques, and procedures (TTPs) of the threat actors using the Maui ransomware along with indicators of compromise (IOCs) that were obtained by government experts during incident response activities and industry analysis of a Maui sample.

North Korean nation-state actors used Maui ransomware to encrypt servers providing healthcare services, including electronic health records services, diagnostics services, imaging services, and intranet services.

The report confirmed that In some cases, the attacks disrupted the services provided by the targeted HPH Sector organizations for prolonged periods.

The joint report refers to an industry analysis of a sample of Maui provided in Stairwell Threat Report: Maui Ransomware. According to the analysis, the malware appears to be human-operated ransomware.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Maui ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment