It was then reported that Maui uses a combination of AES, RSA and XOR for the encryption process: files are encrypted with AES using a unique key, which is then encrypted with the RSA key pair generated when the malware is first run, and the RSA public key is in turn encrypted using another hardcoded RSA public key.
Experts assumed that the entire malicious campaign relies on the willingness of medical institutions to pay a ransom: they need to recover quickly from an attack and ensure uninterrupted access to critical data and services, because people’s lives and health depend on them.
As the Ministry of Justice now explains, this malware was discovered after an incident at a Kansas hospital, when the victims promptly reported it to the FBI. In May 2021, this healthcare facility paid a ransom of about $100,000 to recover data after a ransomware attack.
Because the incident was reported quickly, law enforcement was able to trace another $120,000 payment from an unnamed health care provider in Colorado. As a result, these two payments, as well as an unknown number of payments in the amount of $280,000, were seized in May 2022, and the total amount of funds recovered was approximately half a million US dollars.
It is currently unknown how the seizure of funds was organized. Law enforcement officers were probably able to trace the funds that the criminals were trying to launder to a certain cryptocurrency exchange that offers services for cashing out and converting cryptocurrencies into fiat.