US recovers more than half a million dollars in ransom payments to North Korea

The Department of Justice (DOJ) and the FBI disrupted the ransomware operations of a North Korean state-sponsored group that targeted U.S. medical facilities, recovering roughly half a million dollars in ransom payments that had been made to the North Korean actors, Deputy Attorney General Lisa Monaco announced on Tuesday.

Speaking at the International Conference on Cyber Security, Monaco said the seizure of the ransom payments — which she said were laundered through cryptocurrency — is the latest example of the DOJ’s approach of prioritizing the prevention and disruption of cyberattacks over prosecution alone.

“This approach has yielded real results,” she said. “In the last year, those results — reflected in actions and disruptions — many of which began with critical reporting from and cooperation with companies who have been victims of cyberattacks.”

Monaco said a medical center in Kansas, which she did not name, was hit by ransomware from the North Korean state-sponsored group; the malware encrypted the hospital’s servers, which both store data and operate equipment.

“Left with no real choice, the hospital’s leadership paid the ransom,” Monaco said. “But they also notified the FBI, which was the right thing to do for themselves and for future victims.”

She said the ransomware was a “never-before-seen” variant, which the DOJ now refers to as “Maui,” and that investigators tracked the payments to China-based money launderers whose accounts, she said, also held ransom payments from a medical provider in Colorado and from other victims.

Investigators recovered the entire ransom paid by the Kansas hospital, along with funds they believe to be the ransoms paid by the Colorado provider and other victims. Monaco said the money will be returned to the facilities.

“In sum, a medical center in Kansas did the right thing at a moment of crisis and called the FBI,” Monaco said.

“What flowed from that virtuous decision was: the recovery of their ransom payment; the recovery of ransoms paid by previously unknown victims; the identification of a previously unidentified ransomware strain; all from an investigation that allowed the FBI and its partners to release a cybersecurity advisory to empower network defenders everywhere,” she added.