The North Korean hackers hit a medical center in Kansas last year, encrypting computer systems the facility relied on to operate key equipment, and another medical provider in Colorado, Monaco said in a speech at Fordham University in New York. US authorities have started the process of returning the extorted funds to victims, Monaco said.
But Monaco lauded the unnamed Kansas organization for reporting the incident to the FBI and urged more US companies to do so to help the bureau disrupt a ransomware ecosystem that thrives on victims keeping quiet.
The report from the Kansas facility allowed the FBI to identify a new type of ransomware used by the North Koreans, Monaco said, and ultimately seize ransom payments along with cryptocurrency from China-based money-launderers working for the North Koreans.
The episode is indicative of the challenge facing US law enforcement in recovering the many millions of dollars that US businesses have typically paid ransomware groups in Russia, Eastern Europe and elsewhere in a given year.
US cybersecurity officials, for example, have long complained that they are aware of only a fraction of the ransomware extortions of businesses and local government. But under a law signed by President Joe Biden in March, certain critical infrastructure firms have 72 hours to report ransom payments to the government.
Justice Department officials are hoping that their appeal for voluntary cooperation from victims, along with the new legal requirements, will give them a more complete picture of ransomware groups who have disrupted US critical infrastructure in brazen attacks.
The seizures are enabled by investments that the FBI, Secret Service and Treasury Department make in tracking cryptocurrency payments to cybercriminal groups, including payments that might violate US sanctions. The FBI formed a new team of cryptocurrency experts earlier this year that focuses on blockchain analysis and seizing digital money.
The FBI has in recent weeks reached out to private-sector experts to better understand the new ransomware allegedly used by the North Koreans.
Allan Liska, senior intelligence analyst at cybersecurity firm Recorded Future, told CNN he met with FBI officials this week to exchange information on the North Korean ransomware.