Who Is Extorting Australian Health Insurer Medibank?A Ransomware Group Has Given Medibank 24 Hours to Pay. But Medibank Says It Won't.
Who is attempting to extort Australian health insurer Medibank? Why did Medibank tell its attackers it wouldn't pay a ransom? Will this deter future cyber extortionists? Here are a few thoughts on the high cybercrime drama playing out.
See Also: 2023 Threat Horizons Report
On Monday, Medibank publicly said it wouldn't pay a ransom to attackers who it says took sensitive data on 9.7 million current and former customers. Today, that gambit reaped a reaction: a 24-hour deadline to pay or see sensitive medical claims data released (see: Medibank Says No to Paying Hacker's Extortion Demand).
Medibank's announcement was the equivalent of flipping the bird to its attackers, and it aligns with the Australian government's position. Medibank CEO David Koczkar said the amount asked by the extortionists - which he did not reveal - was "irrelevant." Even if Medibank paid, there's no guarantee that the data will be deleted, he said. He's right.
What's remarkable and nearly unheard of is how open and transparent Medibank has been at every turn of this extremely sensitive situation. Publicly stating no ransom would be paid was a strikingly bold move. Rarely do companies say either way if they've paid.
The Extortionists: BlogXX
The extortion group issued its warning to Medibank in a blog post on a
.onion site. Some cybercrime researchers have dubbed the group "BlogXX" since it doesn't have a clear name.
BlogXX's website contains links to the infamous REvil ransomware gang, which attacked the software developer Kaseya in July 2021 and JBS Foods in May 2021. Both incidents had big knock-on effects within Australia.
The REvil gang is no more, and its decline reads like a cybercrime Mafia novel: There's extortion, loads of cash, betrayal, arrests in Russia and the downfall of the group around October 2021.
But suddenly in April, some of REvil's old infrastructure that it used to leak data began redirecting to BlogXX's
.onion website, according to Bleeping Computer.
BlogXX is considered a ransomware group and not a pure extortion group, as at one time it used a variant of REvil's file-encrypting malware. Medibank said not long after it first publicly announced the incident that it had stopped the "precursors" to a ransomware attack.
BlogXX warned in its latest post that Medibank's "data will be publish in 24 hours" and "P.S. I recommend to sell medibank stocks." It also linked to the YouTube video of a recent satirical Medibank piece by Mark Humphries, an Australian comedian. There's no data sample, but given the history behind the website, it's probably a legitimate threat.
Where does this go from here? The data will probably start to be dumped within a day or so unless Medibank reverses its position on paying a ransom, which is unlikely. Will not paying send a message to other extortion or ransomware gangs to not mess with Australia? They will no doubt take note.
But cybercriminals don't observe normal deterrence. Attacks on IT systems have a low opportunity cost. And there are probably quite a few Australian companies that have paid ransoms over the years. How does this shake out? It's going to take many more companies than just Medibank saying no to extortion. But it's a great start.