The U.S. Department of Justice seized roughly $500,000 in ransom payments that a medical center in Kansas paid to North Korean hackers last year, along with cryptocurrency used to launder the payments, Deputy Attorney General Lisa Monaco said Tuesday.
The hospital quickly paid the attackers, but also notified the FBI, “which was the right thing to do for both themselves and for future victims,” Monaco said in a speech at the International Conference on Cyber Security at Fordham University in New York City.
The notification enabled the FBI to trace the payment through the blockchain, an immutable public record of cryptocurrency transactions.
“Following the crypto-breadcrumbs, the FBI identified China-based money launderers — the type who regularly assist the North Koreans in ‘cashing out’ ransom payments into fiat currency,” she said. The analysis of the accounts showed there had been additional ransoms paid by other U.S.-based victims, including a medical provider in Colorado.
The operation recovered the ransoms paid by both medical centers, and led to a joint notice on July 6 from the FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Treasury Department outlining North Korean hacks on medical facilities as well as technical details about the never-before-seen ransomware variant.
The same day, the cybersecurity company Stairwell published an analysis of the malware, noting that its researchers had first seen the variant on April 3.
The seizure highlights the importance of organizations reporting ransomware incidents to authorities promptly, Monaco said. In this case, she said, it allowed for the recovery of the Kansas hospital’s ransom payment and of other victims’ ransom payments, the identification of a previously unknown ransomware variant, and the joint federal advisory aimed at sharing information and limiting the damage from future attacks.
“This approach attacks malicious cyber activity from all angles,” Monaco said.
Previous examples of the fruits of this kind of public/private collaboration are last year’s recovery of a large portion of the ransom paid by fuel distributor Colonial Pipeline, and the FBI obtaining and distributing a decryption key to victims of the Kaseya ransomware attack, Monaco said.
In that case, though, the FBI came under scrutiny after withholding the decryption key for a period of time, and more broadly, the FBI may be coming up short in helping ransomware victims restore their systems, a March investigation by the Senate Homeland Security and Governmental Affairs Committee found.