The U.S. Justice Department has notched up a small but potentially significant victory against ransomware after announcing the recovery of a $500,000 cryptocurrency payment extorted from two healthcare providers.
While the sum sounds modest, and recovering ransoms has become more common in the last year, it's clear from the announcement that the incident holds larger significance for the Department’s long-term anti-ransomware strategy.
The first of two victims was an unnamed hospital in Kansas, which paid a $100,000 bitcoin ransom to attackers in May 2021 to regain access to encrypted servers.
Importantly, the hospital reported the attack to the FBI, leading to a major discovery—the attack had been carried out by a previously unknown ransomware strain called Maui believed to be connected to North Korea.
Maui, not coincidentally, was the subject of a July 6 CISA and FBI warning that made explicit reference to the importance of reporting Maui and North Korean ransomware attacks to the FBI to avoid the possibility of violating sanctions against the country should a ransom be paid.
The warning was important news for the U.S. healthcare sector that Maui has so far made a specialty of attacking. When organizations make ransom payments, they are unlikely to know whether the attack originated from a sanctioned nation. Now, in relation to Maui at least, they can’t say they weren’t warned in the clearest terms.
After the FBI gained control over the cryptocurrency accounts used in the attack on the Kansas hospital, one of those accounts received a payment of $120,000 in April 2022 from a second victim, a healthcare provider in Colorado.
Both payments will now be returned to the victims once legal proceedings have concluded. The value of the cryptocurrency has even increased, which will offer a small bonus to the victims.
The revelation of the attacks and subsequent ransom recovery goes some way to explaining why the July 6 FBI/CISA warning was given such prominence. Payments sent to North Korea aren’t just a matter of criminality, but are potentially channeled back into the country’s military program in a way that could have wider geopolitical implications for the U.S. and its allies.
The latest announcement underlines the importance of reporting attacks even if a payment has been made:
“Reporting cyber incidents to law enforcement and cooperating with investigations not only protects the United States, it is also good business,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “The reimbursement to these victims of the ransom shows why it pays to work with law enforcement.”
Still, some uncertainties remain, starting with how much capacity the U.S. has to investigate ransomware attacks against healthcare providers, let alone the many victims in other sectors. Right now, such recoveries are probably best viewed as an optimistic proof-of-concept.
That’s because, despite some successes, seizures are still rare, which hints that recovery is not always straightforward even when investigated. An interesting exception from Europe was the recent recovery of $500,000 after a ransomware attack on the University of Maastricht in The Netherlands.
The other unknown is precisely how the FBI is gaining access to the wallets. The Bureau doesn't specify, for obvious reasons, but it's possible ransomware gangs might in time become more skilled at hiding their ransoms. This cat-and-mouse game is far from over.