The FBI has retrieved the $500,000 ransom paid by healthcare organizations to the Maui ransomware

The FBI has retrieved the $500,000 ransom paid by healthcare organizations to the Maui ransomware

The U.S. Department of Justice has announced the successful seizure of approximately $500,000 worth of Bitcoin, which had been paid by American healthcare providers to the operators of the Maui ransomware strain. The seizure follows the discovery of Maui by the FBI and CISA as a new North Korean-backed ransomware operation targeting western organizations with encryption attacks.

Maui had a particular focus on healthcare and public health organizations, causing life-threatening service outages. The discovery of this new strain came after a Kansas hospital reported a security incident to the FBI. The hospital had paid approximately $100,000 to the Maui ransomware gang in May 2021 to restore its IT network following a data-encrypting cyberattack. Following this payment, law enforcement tracked another payment of $120,000 from a medical provider in Colorado shortly afterward.

Thanks to the quick reporting of these incidents to law enforcement, the FBI and Justice Department prosecutors were able to identify and disrupt the activities of a North Korean state-sponsored group deploying ransomware known as “Maui.” As a result, the ransom payments made by the Kansas hospital and the medical provider in Colorado, along with an undisclosed number of payments amounting to $280,000, were eventually seized in May 2022, resulting in a total retrieval of roughly half a million USD.

Lisa O. Monaco, Deputy Attorney General, emphasized the importance of reporting ransomware incidents to law enforcement authorities as quickly as possible, while indicators of compromise are fresh and payments can be more easily traced. She added that following the money laundering process after a ransom payment can help law enforcement agents identify the threat actors, charge, and sometimes arrest them.

Although the recovered amount is not as significant as other recent cases, it demonstrates how quick reporting of security incidents allows law enforcement to more easily follow the money trail, recover ransom payments, and identify threat actors and their tactics. Similar successful recoveries include the seizure of ransom payments to a prominent NetWalker affiliate, the recovery of $4,400,000 paid by Colonial Pipeline to the DarkSide ransomware group, the seizure of $6,000,000 from a REvil partner who performed the Kaseya attack, and the seizure of $2,300,000 from a high-standing REvil and GandCrab affiliate.