DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Justice Department Seizes and Forfeits Approximately $500,000 from North Korean “Maui” Ransomware Actors and their Conspirators

Posted on July 19, 2022 by Dissent

The Justice Department today announced a complaint filed in the District of Kansas to forfeit cryptocurrency paid as ransom to North Korean hackers or otherwise used to launder such ransom payments. In May 2022, the FBI filed a sealed seizure warrant for the funds worth approximately half a million dollars. The seized funds include ransoms paid by health care providers in Kansas and Colorado.

“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui,’” said Deputy Attorney General Lisa O. Monaco today at the International Conference on Cyber Security. “Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain. The approach used in this case exemplifies how the Department of Justice is attacking malicious cyber activity from all angles to disrupt bad actors and prevent the next victim.”

According to court documents, in May 2021, North Korean hackers used a ransomware strain called Maui to encrypt the files and servers of a medical center in the District of Kansas. After more than a week of being unable to access encrypted servers, the Kansas hospital paid approximately $100,000 in Bitcoin to regain the use of their computers and equipment. Because the Kansas medical center notified the FBI and cooperated with law enforcement, the FBI was able to identify the never-before-seen North Korean ransomware and trace the cryptocurrency to China-based money launderers.

Then, as a result, in April 2022, the FBI observed an approximately $120,000 Bitcoin payment into one of the seized cryptocurrency accounts identified thanks to the cooperation of the Kansas hospital. The FBI’s investigation confirmed that a medical provider in Colorado had just paid a ransom after being hacked by actors using the same Maui ransomware strain. In May 2022, the FBI seized the contents of two cryptocurrency accounts that had received funds from the Kansas and Colorado health care providers. The District of Kansas then began proceedings to forfeit the hackers’ funds and return the stolen money to the victims.

“Reporting cyber incidents to law enforcement and cooperating with investigations not only protects the United States, it is also good business,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “The reimbursement to these victims of the ransom shows why it pays to work with law enforcement.”

“These sophisticated criminals are constantly pushing boundaries to search for ways to extort money from victims by forcing them to pay ramsons in order to regain control of their computer and record systems,” said U.S. Attorney Duston J. Slinkard for the District of Kansas. “What these hackers don’t count on is the tenacity of the U.S. Justice Department in recovering and returning these funds to the rightful owners.”

“The FBI is dedicated to working with our federal and private sector partners to disrupt nation state actors who pose a critical cyber threat to the American people,” said FBI Cyber Division Assistant Director Bryan Vorndran. “Today’s success demonstrates the result of reporting to the FBI and our partners as early as possible when you are a victim of a cyber attack; this provides law enforcement with the ability to best assist the victim. We will continue to pursue these malicious cyber actors, such as these North Korean hackers, who threaten the American public regardless of where they may be and work to successfully retrieve ransom payments where possible.”

“Today’s announcement reiterates the FBI and Justice department’s continued commitment to working with our critical infrastructure and private sector partners to identify and dismantle cyber threats, including new and emerging ransomware variants,” said Special Agent in Charge Charles Dayoub of the FBI Kansas City Field Division. “Because of swift reporting by the victim medical center, action was taken to lessen the loss to the victim company, as well as identify the malware deployed, preventing additional cyber-attacks. The relationship between the FBI and our private sector partners are critical to discover, disrupt and dismantle cyber threats to our nation’s infrastructure.”

On July 6, 2022, based on information obtained during the Department’s investigation, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury issued a joint cybersecurity advisory regarding the North Korean threat to U.S. health care and public health sector organizations, which included indicators of compromise and mitigation advice.

Deputy Attorney General Lisa O. Monaco; Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division; U.S. Attorney Duston J. Slinkard for the District of Kansas; Special Agent in Charge Charles Dayoub of the FBI’s Kansas City Field Office; and Assistant Director Bryan Vorndran of the FBI’s Cyber Division made the announcement.

The FBI is investigating the case.

Source: Department of Justice

Category: Commentaries and AnalysesHealth DataMalwareOf NoteU.S.

Post navigation

← Desorden is back, declares an attack on MISTINE Better Way Thailand Company
Anonymous mental health app Feelyou accidentally exposed 70,000 personal emails →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC
  • CISA Alert: Updated Guidance on Play Ransomware

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.