Justice Recovered $500K for Victims, Traced Ransomware Payments to China


The announcement emphasizes the department’s new strategy to address cyber threats, which also includes enforcing financial penalties for federal contractors misrepresenting their cyber defenses.

The Justice Department will return an estimated half a million dollars it seized from money launderers based in China to victims of ransomware attacks attributed to North Korea, officials announced Tuesday while imploring victims to report their ransom payments to federal authorities.

“Reporting cyber incidents to law enforcement and cooperating with investigations not only protects the United States, it is also good business,” Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division said in a press release. “The reimbursement to these victims of the ransom shows why it pays to work with law enforcement.”

In a keynote address to the International Conference on Cyber Security at Fordham University Tuesday, Deputy Attorney General Lisa Monaco trumpeted the latest in a series of wins for the department. It is part of a new strategy that prioritizes incentivizing incident reports from victims, which she said can create a virtuous cycle of prevention, versus issuing indictments that tend to fizzle out, given the global nature of the ransomware enterprise.

“Today, I’m pleased to announce that this approach has produced real results again—thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui.’”

Federal officials made the attribution on July 6, citing a profit motive and perpetrators that were willing to subject their targets—healthcare providers in life-or-death circumstances—to desperation. Tuesday’s announcement provided further details.

“Left with no real choice, the hospital’s leadership paid the ransom. But they also notified the FBI, which was the right thing to do for themselves and for future victims,” Monaco said. “The FBI and Justice Department prosecutors immediately got to work … Following the crypto-breadcrumbs, the FBI identified China-based money launderers—the type who regularly assist North Koreans in ‘cashing out’ ransom payments into fiat currency. Additional blockchain analysis revealed that these same accounts contained other ransom payments.”

Monaco said the strategy is a more proactive approach that emerged in response to “A Comprehensive Review” she requested last April. 

The strategy is two-pronged. Officials hope to give victims who are weighing the decision more reasons to report any ransomware payments, some of which may violate U.S. sanctions if recipients are associated with nation states like North Korea, Iran or Russia. For federal contractors, they will also be enforcing the department’s Civil Cyber-Fraud Initiative, with penalties for failing to follow required cybersecurity standards.

“This initiative’s work recently resulted in a defense contractor agreeing to pay $9 million to resolve allegations that it misrepresented its compliance with cybersecurity requirements in NASA and Department of Defense contracts—this is the second such settlement under this initiative,” Monaco said. “Holding contractors accountable for their cybersecurity promises will enhance resiliency against cyber intrusions across the government, the public sector and key industries.”
