Australians are on high alert after a hacking syndicate threatened to release the personal data of nearly 10 million people following a major data breach at the country’s largest private health insurer, Medibank.
The threat, which cybersecurity researchers including MalwareHunterTeam, CyberThint and others reposted on Twitter, was allegedly posted on the dark web leak site of the ransomware group REvil, also known as Ransomware Evil or BlogXX.
The hackers threatened to start leaking information within the next 24 hours while suggesting shareholders start selling shares of Medibank.
The BlogXX ransomware gang just listed Medibank on their leak site…
“PS, I recommend selling shares of medibank.”
– MalwareHunterTeam (@malwrhunterteam) November 7, 2022
In a media update on Tuesday, Medibank CEO David Koczkar said the news was “distressing”.
“Customers need to be vigilant. We knew that the criminal’s publication of data online could be a possibility, but the threat of the criminal is still a worrying development for our customers,” Koczkar said.
“We apologize unreservedly to our customers. We take our responsibility to protect and support our customers seriously. The weaponization of their private information is malicious and an attack on the most vulnerable members of our community.”
The insurer also advised any customer who is contacted by an individual claiming to have their data, or who becomes the victim of a cybercrime, to report it to ReportCyber on the Australian Cyber Security Centre website.
Medibank has warned customers that the hackers had access to the names, dates of birth, addresses, health insurance numbers, phone numbers and email addresses of approximately 9.7 million current and former customers, including 5.1 million Medibank customers, 2.8 million ahm health insurance customers and 1.8 million international customers.
In addition, the health claims data of 160,000 Medibank, 300,000 ahm and 20,000 international customers were also breached, including information about medical services received, such as diagnoses and procedures.
Meanwhile, credit card and bank details, as well as health claims data for dental, physiotherapy, optical and psychology, were not breached, the company said.
The Australian Labor Government has activated the country’s emergency mechanism, the National Coordination Mechanism, to help deal with the attack.
Originally designed to deal with the pandemic, the mechanism allows the government to bring together agencies from the Australian government, states and territories and the private sector to help coordinate a response.
Minister backs decision not to pay ransom
Cybersecurity Minister Clare O’Neil backed Medibank’s decision not to pay the ransom, saying that paying would only encourage further attacks.
In a thread on Twitter, O’Neil said Medibank’s actions were in line with advice from the Australian government.
“Cybercriminals cheat, lie and steal. Paying them only fuels the ransomware business model,” she said. “They commit to taking action in return for payment, but so often revictimize businesses and individuals.”
O’Neil said she wants Australia to be the “most cyber-safe country”, and paying a ransom would undermine that goal.
Two weeks ago, I activated the National Coordination Mechanism, ensuring focus and collaboration between all levels of government and the private sector in our nationwide response to the Medibank attack. This is a new model for handling cyber incidents in Australia.
— MP Clare O’Neil (@ClareONeilMP) November 7, 2022
Suspected links to Russian syndicates
Cybersecurity analysts have noted several coincidences between the group’s actions and known Russian hacking syndicates.
Emsisoft threat analyst Brett Callow said a meme used in the initial ransom message had been posted earlier by the Twitter account @Cyberknow20.
Furthermore, the ransom post appeared on the BlogXX site, which is connected to the notorious Russian syndicate REvil, allegedly dismantled earlier this year by Russia’s Federal Security Service.
The group is believed to have re-formed around the BlogXX operation.
—Brett Callow (@BrettCallow) April 20, 2022