US confiscates cash taken from alleged North Korean hackers
Bitcoin worth $500,000 (£417,000) has been confiscated by the US Department of Justice from alleged North Korean hackers.
With a new strain of ransomware, the hackers targeted healthcare providers and demanded money from multiple organisations.
According to US authorities, two hospital groups have already received their ransom payments back.
The unusual seizure comes as US authorities warn that North Korea is becoming a significant ransomware threat.
Speaking at a conference on Tuesday, Deputy Attorney General Lisa O. Monaco praised an unnamed Kansas hospital for promptly informing the FBI about the ransomware attack.
“We were able to identify a previously undisclosed ransomware strain,” she added, “in addition to recovering their ransom payment and another ransom paid by previously unnamed victims.”
Hospital Was the Target of Hackers
Court records state that in May 2021, hackers encrypted the servers and files of a medical facility in Kansas using the ransomware variant known as Maui.
Ransomware criminals typically use malicious software to encrypt data or lock users out of a system until a ransom is paid.
The Kansas hospital chose to pay over $100,000 in Bitcoin to regain access to its computers and other equipment after being unable to access its IT systems for a week.
Although paying ransoms demanded by hackers is not prohibited, law enforcement agencies all over the world oppose it.
The FBI says the medical centre quickly notified it of the payment, which allowed agents to identify the previously unknown ransomware strain linked to North Korea and trace the cryptocurrency to money launderers in China.
Agents also traced another $120,000 Bitcoin payment made to one of the launderers’ cryptocurrency accounts. It turned out to have come from a Colorado medical facility that had just paid a ransom after also being compromised by the Maui ransomware.
The FBI claims to have given the money back to the two healthcare organisations, but it has not disclosed where the remaining seized funds originated.
How the Seizure Occurred
It is not known how the FBI was able to seize the funds, although Tom Robinson, founder and chief scientist of Elliptic, a firm that analyses Bitcoin payments, said the seizure may have occurred as the hackers attempted to convert their Bitcoin into conventional currency.
“The ability of the investigators to follow the bitcoin to an exchange platform suggests that the launderers transmitted the money there in order to cash it out. Because they are regulated enterprises, exchanges may take clients’ money if required to do so by law enforcement,” he explained.
“Another possibility is that the launderers’ personal wallets actually contained the cryptocurrency that was seized. This is more difficult to accomplish since it needs access to the wallet’s private key, which is a passcode that enables access to and movement of cryptocurrency stored in a wallet.”
In countries such as North Korea and Russia, where law enforcement agencies do not cooperate with Western requests for assistance, US officials are increasingly using novel methods to claw back money extorted by cybercriminals operating there.
According to Jen Ellis of cyber-security company Rapid7, “These seizures are still relatively uncommon and underscore the value of promptly reporting cyber-extortion occurrences, and engaging with law authorities.”
“They won’t be able to recuperate the cash in every case,” they say. “However, the more knowledge they have about attacker groups’ strategies, techniques, and procedures, the more likely they are to be able to disrupt, deter, and respond to attacks, which benefits everyone.”
Ransomware from North Korea
Alongside more conventional state espionage, North Korea has long been accused of carrying out hacks intended to generate revenue for the pariah nation.
The so-called Lazarus Group of hackers, who are accused of attempting to steal $1 billion from a Bangladeshi bank in 2016, are frequently blamed for North Korean hacking operations.
The group has been linked to lucrative attacks on cryptocurrency exchanges over the past year, and last month US cyber authorities warned that North Korean hackers were carrying out ransomware operations against US hospitals.
The joint Cybersecurity Advisory assessment of the Maui ransomware indicated that it has been “used by North Korean state-sponsored cyber-actors since at least May 2021 to target healthcare organisations.” The authorities did not present any evidence that North Korea was responsible for the attacks.