The U.S. Department of Justice (DoJ) has recovered roughly a half million dollars in ransomware payments made to North Korean cyber criminals targeting healthcare organizations. This is yet another sign law enforcement agencies are at least becoming more effective at preventing cyber attackers from enjoying their ill-gotten gains.
The cybercriminals have been targeting healthcare organizations with a Maui strain of malware since at least May 2022. Maui malware installs an encryption binary called “maui.exe” that employs a combination of Advanced Encryption Standard (AES), RSA, and XOR algorithms to prevent access to specific files.
Maui first encrypts target files with AES 128-bit encryption, assigning each file a unique AES key. A custom header contained in each file that includes the file’s original path allows Maui to identify previously encrypted files. The header also contains encrypted copies of the AES key. It then encrypts each AES key with RSA encryption and loads the RSA public (maui.key) and private (maui.evd) keys in the same directory as itself. It then encodes the RSA public key (maui.key) using XOR encryption with an XOR key that’s generated from hard drive information.
Finally, Maui then creates a temporary file for each file it encrypts using GetTempFileNameW() and then uses this file as the encrypted output. Maui then creates maui.log, which contains output from Maui execution that can be exfiltrated.
There’s not much to be done once Maui malware starts encrypting files, but the Federal Bureau of Investigations (FBI) in the U.S. did work closely with one of the victims of a Maui infestation to recover payments. After notifying the FBI, a hospital in Kansas paid approximately $100,000 in Bitcoin to regain access to its files. The FBI then traced those payments to a money laundering operation in China where it found an approximately $120,000 Bitcoin payment made by the Kansas hospital in a cryptocurrency account. The FBI also discovered that a medical provider in Colorado had just paid a ransom after being hacked by actors using the same Maui ransomware strain. The FBI seized the contents of two cryptocurrency accounts with the aim of eventually returning those funds to the ransomware victims.
While the FBI is generally being applauded for its efforts, there are concerns about what might come next. It’s clear that law enforcement agencies are getting more adept at tracking illicit cryptocurrency transactions and recovering those funds even in countries where they have no official jurisdiction. Cybercriminals are inevitably going to look for other methods of payment collection that are not quite as easy to track or recover. Some cybercriminals are, for example, looking to shift from Bitcoin to alternative, privacy-based digital currencies such as Monero.
Regardless of the payment method, ransomware transactions will likely be pushed further underground to avoid detection. In effect, the whole payment process for better or worse is likely to become that much more complex. As a result, the amount of time required to acquire the keys to decrypt files is likely to be just that much longer, which will only increase the level of stress for all involved.
The best way to eliminate that stress is to always have a pristine copy of data available. In the absence of that critical capability, it will be up to each organization to determine ahead of time how best to go about mastering the nuances of all the various types of cryptocurrency that might soon be more widely employed.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.