Here are the Deputy AG's remarks published by DoJ:
Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as “Maui.” That ransomware targeted U.S. medical facilities and other public health sector organizations.
Last year, a medical center in Kansas experienced the dread that faces too many critical infrastructure operators. North Korean state-sponsored cyber actors encrypted the hospital’s servers – servers being used to store critical data and to operate key equipment. The attackers left behind a note demanding ransom, and they threatened to double it within 48 hours. In that moment, the hospital’s leadership faced an impossible choice – give in to the ransom demand or cripple the ability of doctors and nurses to provide critical care.
Left with no real choice, the hospital’s leadership paid the ransom. But they also notified the FBI, which was the right thing to do for themselves and for future victims.
The FBI and Justice Department prosecutors immediately got to work on what was then a never-before-seen ransomware variant. They traced the ransom payment through the blockchain – just as we did in the aftermath of the attack on the Colonial Pipeline. Following the crypto-breadcrumbs, the FBI identified China-based money launderers – the type who regularly assist North Koreans in “cashing out” ransom payments into fiat currency. Additional blockchain analysis revealed that these same accounts contained other ransom payments. The FBI traced those to another medical provider in Colorado and potential overseas victims.
Now, all this digital sleuthing paid off several weeks ago: from the money laundering accounts, we seized approximately half a million dollars in ransom payments and cryptocurrency used to launder those payments. This recovery includes all the ransom paid by the Kansas medical center, plus what we believe are ransoms paid by other victims, including that medical provider in Colorado. And as a result of all this work, the FBI, and their partners at CISA and Treasury, shared the fruits of their investigation in a joint Cybersecurity Advisory regarding the Maui threat.
And today, we have made public the seizure of those ransom payments, and we are returning the stolen funds to the victims.
In sum, a medical center in Kansas did the right thing at a moment of crisis and called the FBI. What flowed from that virtuous decision was: the recovery of their ransom payment; the recovery of ransoms paid by previously unknown victims; the identification of a previously unidentified ransomware strain; all from an investigation that allowed the FBI and its partners to release a cybersecurity advisory to empower network defenders everywhere.
Deputy Attorney General Lisa O. Monaco Delivers Keynote Address at International Conference on Cyber Security (ICCS) 2022 https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-delivers-keynote-address-international-conference