Medibank Says No to Paying Hacker's Extortion Demand
Group Claiming Affiliation With REvil Threatens to Release Data
Australia's largest private health insurer says it will not pay an extortion demand from hackers threatening to release personal data of millions of current and former customers.
Medibank released a statement explaining that it believes a payout could "encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm's way by making Australia a bigger target."
The chances of a payout resulting in the return of customer data - which Medibank says now encompasses 9.7 million individuals - are "limited," the company says.
A dark web ransomware leak site promised to begin leaking stolen data within 24 hours.
The total number of affected individuals breaks down to 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers who need private health insurance while residing or studying in Australia.
Contained within those totals are health claims data for 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers. That data includes codes associated with diagnoses and procedures.
Not included in the data set are payment card or banking card details or primary identity documents, Medibank says.
At least in name, the dark web leak site has ties to REvil - aka Sodinokibi - a notorious ransomware gang disrupted by Western law enforcement in July 2021 (see: Has REvil Disbanded? White House Says It Doesn't Know).
This past April, someone relaunched REvil's Tor sites. Anti-ransomware researchers at Malware Hunter Team report that multiple operations are now using leaked REvil code, making it difficult to attribute any attack that uses it.
The insurer has not disclosed the extortion demand amount, and CEO David Koczkar took to national television to call the dollar figure unimportant.
"The amount of money that was demanded is - actually, was - irrelevant to the decision. The decision was based on the expert cybercrime advice," he said.
Cheering on Medibank was Home Affairs Minister Clare O'Neil, who on Twitter called the decision "consistent with Australian government advice."
"I want Australia to be the most cyber-safe country in the world. The payment of ransoms directly undermines that goal."
An international anti-ransomware confab hosted at the U.S. White House ended last Tuesday with Australia pledging to lead a task force for swapping early warning signs of ransomware attacks.
Australia appears to be undergoing a wave of cyber incidents, although evidence suggests the country is feeling the effects of a spate of opportunistic attacks rather than a coordinated attack.
The Australian Cyber Security Center in an annual government report released Friday said it saw a 13% increase in cybercrime reports during the second half of 2021 and the first half of 2022 compared to the same time period the year before. The total number was more than 76,000 reports of cybercrime.
With reporting by ISMG's Mathew Schwartz.