The cooperation of a Kansas hospital with law enforcement after a cyberattack crippled their systems ultimately helped federal officials find and seize about $500,000 in ransoms paid by American health care providers to North Korean hackers.
The U.S. Justice Department announced Tuesday that a state-sponsored group in North Korea and money launderers in China were behind a series of hacks using a new “Maui” ransomware strain.
The unidentified Kansas hospital was hacked in May 2021, leaving health care workers unable to perform X-rays and diagnostic imaging. They also lost access to a second server used for scanning data, their internet server and their sleep lab server due to the malware.
The ransom note demanded two Bitcoins and warned the price would increase if not paid quickly. A ransom of 1.77 Bitcoins was ultimately paid, worth about $100,000 at the time, and the medical provider got the decryption keys after more than a week without access.
“Because the Kansas medical center notified the FBI and cooperated with law enforcement, the FBI was able to identify the never-before-seen North Korean ransomware and trace the cryptocurrency to China-based money launderers,” the Justice Department statement said.
The FBI was then able to observe another 2.54 Bitcoin payment, worth about $120,000, into a cryptocurrency account in April. Agents determined the funds came from a Colorado medical provider that had been hacked with the same ransomware strain.
In May, the FBI used warrants to seize two cryptocurrency accounts with funds from the Kansas and Colorado providers. The accounts with an unidentified virtual currency exchange had been accessed by a Hong Kong-based IP address.
On Monday, U.S. Attorney Duston J. Slinkard for the District of Kansas and his office filed a civil asset forfeiture case in federal court for the contents of the two accounts.
“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui,’” Deputy Attorney General Lisa O. Monaco said in a statement.
In statements, FBI officials emphasized the agency’s work with the private sector “to discover, disrupt and dismantle cyber threats.” When FBI Director Christopher Wray visited Kansas in March, he visited the University of Kansas with Sen. Jerry Moran as part of cybersecurity efforts.
North Korea is not the only foreign country targeting Kansas companies with cyberattacks. In March, the FBI and federal prosecutors detailed evidence of a hack of Wolf Creek Nuclear Operating Corporation by a Russian spy agency’s military unit.
Jason Tidd is a statehouse reporter for the Topeka Capital-Journal.
This article originally appeared on Topeka Capital-Journal: FBI finds Bitcoin ransom Kansas hospital paid North Korean hackers