DOJ Recovers Cryptocurrency Used as Ransomware Payments

Commentary by Ilan T. Graff

The DOJ filed a forfeiture Complaint seeking $500,000 in ransom payments made to North Korean state-sponsored groups that had hacked health-care providers' online servers in Kansas and Colorado in two separate ransomware incidents.

In the Complaint, filed in the United States District Court for the District of Kansas, the DOJ alleged that the hackers used a never-before-seen ransomware strain to encrypt the files and servers of a medical center in Kansas. The hospital eventually paid approximately $100,000 in Bitcoin to regain the use of its computers. The DOJ noted that the FBI was able to trace the cryptocurrency to China-based money launderers after being notified of the breach by the hospital's administrators.

The DOJ also recovered laundered funds paid by a Colorado-based hospital in response to a similar ransomware attack, after the FBI identified Bitcoin deposits into accounts that had been flagged during the recovery of the Kansas hospital's payment. According to a DOJ release, "the FBI seized the contents of two cryptocurrency accounts that had received funds from the Kansas and Colorado health care providers," and "the District of Kansas then began proceedings to forfeit the hackers' funds and return the stolen money to the victims."

Commentary

Ilan T. Graff

Malicious cyber-actors in countries like North Korea remain elusive candidates for prosecution, but this action reflects the DOJ's continued use of civil forfeiture tools to take the profit out of cybercrime. As the enforcement release notes, the investigation of these ransomware incidents highlighted a concerted DPRK effort to target U.S. healthcare and public health sector organizations - underscoring the need for industry participants to adopt appropriate mitigation strategies.
