
FBI Charges North Korean for Ransomware Attacks on Hospitals, Offers $10 Million Reward

July 25, 2024

The FBI has charged a North Korean national for his alleged role in a large-scale data exfiltration campaign against hospitals, U.S. military institutions, and scientific research organizations.

Rim Jong Hyok is alleged to be a member of Andariel, a North Korean state-sponsored hacking group that compromised a Kansas hospital's IT systems in 2021. Rim and his co-conspirators are accused of encrypting the hospital's electronic document management servers and withholding access until administrators paid a ransom in Bitcoin.

Investigators also believe that Andariel is behind similar attacks in Arkansas, Colorado, Connecticut, and Florida. 

The State Department announced a reward of up to $10 million for information leading to the arrest of Andariel members.

According to the State Department, extortion was not the group's primary motivation: it sought to exfiltrate sensitive data to North Korea's Reconnaissance General Bureau (RGB), the country's chief military intelligence agency. The RGB's mission is comparable to that of the U.S. Central Intelligence Agency (CIA), though it is not comparable in size or sophistication.

As part of its investigation, the FBI recovered more than $600,000 in cryptocurrency; the Bureau says it will return the funds to the victims.

Prosecutors believe that Rim and his accomplices played critical roles in other major attacks:

  • In 2022, the group allegedly accessed systems owned by a Massachusetts-based defense contracting company, exfiltrating about 30 gigabytes of unclassified data.
  • Also in 2022, the group allegedly accessed a computer system owned by NASA, stealing about 17 gigabytes of unclassified data. 
  • The group is also accused of attacking government agencies in South Korea and Hong Kong. 

In each instance, the group allegedly sought classified information and intellectual property, mostly unsuccessfully, according to prosecutors.

The attacks show how cyber operations are playing an increasingly important role in international relations. More troublingly, they show how state-sponsored groups can disguise their goals by pairing exfiltration campaigns with "traditional" extortion: to a victim, Andariel may look identical to any other Ransomware-as-a-Service (RaaS) operation. The practical consequence is that a ransomware incident should be handled as a suspected data breach, not merely an encryption event, until forensic analysis shows otherwise.

Related: Paying Ransom Doesn’t Restore Data for 25% of Ransomware Victims

Research shows that most ransomware groups operate from outside the U.S.

By one estimate, 74% of all ransomware revenue in 2021 went to groups with some link to Russia. North Korea's share of the ransomware economy has also grown in recent years. Because U.S. sanctions prohibit transactions with designated entities in both countries, paying a ransom can expose the victim to liability under sanctions law, even if the victim did not know who was behind the attack.

At Datarecovery.com, we've developed methods for remediating many ransomware infections remotely or onsite. We also provide dark web monitoring for exfiltrated data, disaster recovery planning, and penetration (pen) testing of key systems.

If you've lost data to malware, disconnect the infected system from the network (but avoid powering it off, since that can destroy volatile evidence useful in the investigation) and contact a professional ransomware recovery provider as soon as possible.

Call 1-800-237-4200 or submit a case online to get started.