Editor TLN
The US Department of Justice has seized half a million dollars worth of bitcoin from suspected North Korean hackers.
Hackers targeted healthcare providers with a new strain of ransomware – data hijacking software – and extorted various organizations.
The unusual and successful seizure comes as US authorities warn that North Korea is becoming a major ransomware threat.
At a conference Tuesday, Assistant Attorney General Lisa O. Monaco praised an unnamed Kansas hospital for giving the FBI early warning of the attack.
“Not only did this allow us to recover their ransom payment, as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified strain of ransomware,” he said.
According to court documents, hackers used the ransomware strain called Maui to encrypt the files and servers of a medical center in Kansas in May 2021.
Typically, ransomware hackers use malicious software to encrypt data or lock users out of the system until a ransom is paid.
The Kansas hospital spent a week without being able to access its computer systems. He then decided to pay approximately $100,000 in bitcoin to recover the use of his computers and equipment.
It is not illegal to pay ransoms to hackers, but it is discouraged by law enforcement organizations around the world.
The FBI said it was promptly notified of the payment by the medical center, which meant agents were able to identify unknown North Korea-linked ransomware and trace the cryptocurrency to a China-based money laundering group.
Agents also identified another $120,000 bitcoin payment made to one of the criminals’ cryptocurrency accounts.
It turned out to be from a medical provider in Colorado who had just paid a ransom after being hacked with the Maui ransomware.
The FBI reported that it returned the money to the two health care providers, but did not say where the rest of the seized funds came from.
It is not known how the FBI was able to seize the funds, but Tom Robinson, founder and chief scientist at Elliptic, which analyzes bitcoin payments, told the BBC it may have happened when hackers tried to change the cryptocurrency money into a traditional currency. .
“It is likely that investigators were able to trace the cryptocurrency to a currency exchange platform where the launderers would have sent the funds to collect. Currency exchange is a regulated business and they can confiscate their clients’ funds if forced by the authorities.” , said.
“Another possibility is that the cryptocurrency was seized directly from the launderers’ own wallet. This is more difficult to do, as it would require access to the wallet’s private key,” he added.
US authorities are increasingly using new tactics to recover extortion funds from cybercriminals operating in jurisdictions such as North Korea and Russia, where law enforcement agencies are uncooperative with Western requests for assistance.
“These seizures are still very rare and highlight the value of quickly reporting cyberextortion incidents and working with authorities,” said Jen Ellis of cybersecurity firm Rapid7.
“They will not be able to recover payment in all cases, but the more information they have about the tactics, techniques and procedures of attacking groups, the more likely they will be able to disrupt, deter and respond to attacks, which benefits everyone,” he said. .
Last June, the US recovered most of the $4.4 million ransom paid by Colonial Pipeline to a cybercriminal gang believed to be based in Russia.
In November 2021, the US also recovered $6 million from another ransomware gang called REvil with strong ties to Russia.
In addition to traditional elements of state espionage, North Korea has been accused for many years of running hacks aimed at making money for the secretive country.
North Korea’s hacking activity is often blamed on the so-called Lazarus Group, which has been accused of trying to get $1 billion out of a Bangladeshi bank in 2016.
In the past year, the group has been linked to lucrative attacks on cryptocurrency platforms, but last month, US cybersecurity authorities issued a warning about North Korean hackers launching ransomware attacks on North Korean hospitals.
Authorities provided no evidence that North Korea was behind the attacks, but the Cyber Security Council’s joint assessment of the Maui ransomware indicated that it had been “used by North Korean state-sponsored cyber actors since at least May 2021 to target healthcare organizations.”
Remember that you can receive notifications from BBC Mundo. Download the new version of our app and activate it so you don’t miss out on our best content.
