Medibank Update 10.11.22: Cybercriminals who hacked into the systems of Australia’s health insurer Medibank have now uploaded patients’ abortion details on the dark web. Security researcher Zane Daniels confirmed this, revealing that other details such as names, residential addresses, email addresses, and names of hospitals were also posted after the company refused to pay a ransom.
As per reports, the hackers had demanded $10 million in ransom, which came to nearly $1 for every affected individual. Medibank asked individuals not to look up the data posted by the hackers. Moreover, the company stated that the disclosed data did not contain the names of the patients but those of the policyholders.
Soon after Medibank released a statement stating that it would not pay a ransom after receiving threats from hackers, the unknown hacker group published portions of the stolen data on the dark web.
Earlier, when the group had threatened to publish the stolen data, Medibank CEO David Koczkar revealed that the company had declined to pay the ransom because doing so might have the opposite effect and encourage the cybercriminals.
“Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published… For these reasons, we have decided we will not pay a ransom for this event,” Koczkar said in the company’s statement to the ASX on November 7.
In an ASX release dated November 9, the company revealed that the attackers have begun posting the personal health information of its customers. The data included names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers for ahm customers, passport numbers for their international students, and health claim data.
As per the report, the cybercriminals posted messages at midnight after Koczkar’s statement. “Looking back, that data is stored not very understandable format (table dumps) we’ll take some time to sort it out. We’ll continue posting data partially, need some time to do it pretty,” read the text. Screenshots of communications between the hackers and Medibank were also shared. They showed two panels: one labelled ‘Extortion Gang’ asking, “Do you pay?” and the other labelled ‘Medibank’ replying, “I do not.”
The @medibank attackers have written a short post saying the "data will be publish in 24 hours" and "P.S. I recommend to sell medibank stocks." They've also linked to the YouTube video of @markhumphries recent satirical Medibank piece. #auspol #infosec HT @AlvieriD + @ecrime_ch pic.twitter.com/abFBlYloHl
A screenshot of the communication posted by the ransomware group revealed that the hackers claimed to have the keys needed to decrypt stored credit card data. However, the company’s public announcement stated that customers’ bank and credit card details were not accessed during the data breach.
#REvil released details about the messages they exchanged with @medibank. In their public notification, #Medibank stated that they believed credit card information was not accessed, but, according to #REvil, keys for decrypting credit card data are among the data stolen… pic.twitter.com/SX8fGEp0R2
— BetterCyber (@_bettercyber_) November 8, 2022
To help impacted users, the company posted steps and support information on its website, which included details of the cybercrime, and what users can do in various scenarios.
The Medibank ransomware attack
On October 20, Medibank announced the theft of customer data from its systems. The data breach impacted 9.7 million customers and involved nearly 200GB of stolen data, for which the cybercriminals demanded a ransom. In a post published in Medibank’s newsroom, the Australian health insurance company confirmed that it was aware of threats made by the cybercriminals to publish the stolen customer information.
Federal Minister Clare O’Neil addresses the concerns in a statement
On November 9, the Federal Minister for Cyber Security Clare O’Neil said, “At this moment the number of citizens whose medical information may have been compromised is small at this stage. But I want the Australian people to understand that that is likely to change,” adding that this may last for weeks or months. Calling the cybercriminals ‘scumbags’, O’Neil also stated that the Prime Minister is a Medibank customer and has been impacted like the others.
O’Neil added that the government and its agencies are working together to avoid such incidents in the future, with protective security around government data and the state police helping the affected individuals. She also urged social media companies and the media not to publish the leaked health information. O’Neil also admitted to being five years behind the cybersecurity standards required today and stated that the government was working towards bridging the gap.
Speculations about the ransomware gang
Researchers are speculating that the Russian REvil gang may be behind the Medibank ransomware attack, because the encryptors used in the ransomware match the source code of REvil.