Last month, the ransomware attack on Australian health insurance firm Medibank Private Limited had been attributed to a ransomware group that might be a relaunch of REvil and tracked as BlogXX. One of Australia’s biggest private health insurers, Medibank employs 4,000 people and provides coverage for more than 3.9 million individuals. While the ransomware organization responsible for the attack on Medibank has not yet been identified, the business has confirmed that the malicious behavior it has seen on its network is consistent with ransomware activity.
The ransomware group promised to release data purportedly taken from Medibank’s computers within 24 hours in a new entry uploaded to their data leak website today. The gang has not yet disclosed how much information it stole from Medibank’s network and has not given any evidence to back up its allegations. When approached to validate the claims of the ransomware group, a Medibank spokesperson was unavailable for comment. In October 2021, the original REvil ransomware gang was dismantled when its Tor servers were allegedly taken over by government authorities, followed by the arrest of several of the group’s members in Russia.
However, the project’s initial Tor domains started inexplicably rerouting users to new sites for what is known as the “BlogXX” operation in April 2022. These threat actors utilize the moniker Sodinokibi, previously used by the original REvil organization while speaking privately with victims. Security experts have also established that the new operation’s encryptor was built using the REvil encryptor’s source code.
Some think the new attack to be a relaunch of the REvil operation, either by the creators or additional members, due to the website redirection and code resemblances. MalwareHunterTeam, a security researcher, believes that this group is BlogXX, a recent operation connected to REvil. Medibank stated in a press release issued today that it rejected a ransom demand made by the attackers, even though the business has not yet confirmed which hacker organization is responsible for this assault.
“Today, we’ve announced that no ransom payment will be made to the criminal responsible for this data theft,” Medibank said. “Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.”
The health insurer also said that rewarding the attackers would probably encourage them to target clients with compromised data. A ransom payment will also inspire other people to attack Australian companies, increasing the danger to more people.
“There is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” the company added. “This decision is consistent with the position of the Australian Government.”
At first, the insurance said there was no proof that any client information had been accessed or taken. Later, the business admitted that the hackers had accessed some of its customers’ data. The company announced the attackers had access to private data belonging to millions of clients before the ransomware gang started distributing the supposedly stolen data to support their claims and tried to pressure Medibank into making a settlement. The following is an exhaustive list of the data Medibank thinks was compromised:
- Name, birthdate, address, phone number, and email addresses of around 9.7 million current and past customers, as well as authorized representatives
- Medicare numbers (but no expiry dates) for customers of ahm health insurance (ahm)
- Passport numbers (without expiry dates) and visa information for clients who are overseas students
- Information on health claims for about 480,000 Medibank, ahm, and overseas clients
- Information about healthcare providers, including names, phone numbers, and addresses
Additionally, Medibank said it believes the cybercriminals responsible for the October attack did not obtain access to financial data (such as credit card and banking information), primary identification documents (such as driver’s licenses), or health claims information for additional services (such as dental, physio, optical and psychology).
“Given the nature of this crime, unfortunately we now believe that all of the customer data accessed could have been taken by the criminal,” Medibank added. “Customers should remain vigilant as the criminal may publish customer data online or attempt to contact customers directly.”