The U.S. Department of Justice has announced the seizure of approximately $500,000 in Bitcoin, paid by American health care providers to the operators of the Maui ransomware strain.
At the start of this month, Maui was highlighted by the FBI and CISA as a new North Korean-backed ransomware operation extorting western organizations with encryption attacks.
This ransomware operation has concentrated its targeting on healthcare and public health organizations, causing life-threatening service outages.
As explained in the DoJ announcement, the discovery of the new strain resulted from a security incident report from a Kansas hospital to the FBI.
“Thanks to rapid reporting and cooperation from a victim, the FBI, and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui’,” explained Lisa O. Monaco, Deputy Attorney General.
“Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain.”
The Kansas hospital had paid approximately $100,000 to the Maui ransomware gang in May 2021 to restore its IT network following a data-encrypting cyberattack.
Thanks to their quick reporting of the incident to the FBI, law enforcement tracked another payment of $120,000 from a medical provider in Colorado shortly afterward.
These two payments and an undisclosed number of payments amounting to $280,000 were eventually seized in May 2022, so the total retrieval was roughly half a million USD.
This case illustrates the importance of reporting ransomware incidents to the law enforcement authorities as quickly as possible, while indicators of compromise are fresh and payments can more easily be traced.
Additionally, following the money laundering process that takes place after a ransom payment can help law enforcement agents identify, charge, and sometimes arrest the threat actors.
Law enforcement has successfully recovered ransom payments numerous times over the past few years, with the most notable cases being:
While the recovered amount isn’t as significant this time, it shows how quick reporting of security incidents allows law enforcement to more easily follow the money trail to recover ransom payments and identify threat actors and their tactics.