December 7, 2022
Fraud Management & Cybercrime , Ransomware A Ransomware Group Has Given Medibank 24 Hours to Pay. But Medibank Says it Won't. Jeremy Kirk (jeremy_kirk) • November 8, 2022     Photo: Medibank Who is attempting to extort Australian health insurer Medibank, why did Medibank tell its attackers it wouldn't pay a ransom and will this…

Fraud Management & Cybercrime , Ransomware

A Ransomware Group Has Given Medibank 24 Hours to Pay. But Medibank Says it Won’t. Jeremy Kirk (jeremy_kirk) • November 8, 2022     Photo: Medibank

Who is attempting to extort Australian health insurer Medibank, why did Medibank tell its attackers it wouldn’t pay a ransom and will this deter future cyber extortionists? Here are a few thoughts on the high cybercrime drama playing out.

See Also: OnDemand | API Protection – The Strategy of Protecting Your APIs

On Monday, Medibank publicly said it wouldn’t pay a ransom to attackers it says took sensitive data on 9.7 million current and former customers. Today, that gambit reaped a reaction: a 24-hour deadline to pay or see sensitive medical claims data released (see Medibank Says No to Paying Hacker’s Extortion Demand).

Medibank’s announcement was the equivalent of flipping the bird to their attackers and one that aligns with the Australian government’s position. Medibank CEO David Koczkar said the amount asked by the extortionists – which he did not reveal – was “irrelevant.” Even if Medibank paid, there’s no guarantee that the data will be deleted, he said. He’s right.

What’s remarkable and nearly unheard of is how open and transparent Medibank has been at every turn of this extremely sensitive situation. Publicly stating no ransom would be paid was a strikingly bold move. Rarely do companies say either way if they’ve paid.

The Extortionists: BlogXX

The extortion group issued their warning to Medibank in a blog post on a .onion site. Some cybercrime researchers have dubbed the group “BlogXX” since it doesn’t have a clear name.

BlogXX’s website has links to the infamous REvil ransomware gang, which attacked the software developer Kaseya in July 2021 and JBS Foods in May 2021. Both incidents had big knock-on effects within Australia.

The REvil gang is no more, and its decline reads like a cybercrime mafia novel: there’s extortion, there’s loads of cash, there’s betrayal, there are arrests in Russia and the downfall of the group around October 2021.

But suddenly in April, some of REvil’s old infrastructure that it used to leak data began redirecting to BlogXX’s .onion website, according to Bleeping Computer.

BlogXX is considered a ransomware group and not a pure extortion group, as at one time it was using a variant of REvil’s file-encrypting malware. Medibank said not long after it first publicly announced the incident that it had stopped the “precursors” to a ransomware attack.

BlogXX warned in its latest post that Medibank’s “data will be publish in 24 hours” and “P.S. I recommend to sell medibank stocks.” It also linked to the YouTube video of recent satirical Medibank piece by Mark Humphries, an Australian comedian. There’s no data sample, but given the history behind the website, it’s probably a legitimate threat.

A ransomware group some cybercrime researchers call BlogXX is threatening to release sensitive data it stole from Australian health insurer Medibank.

Where does this go from here? The data will probably start to be dumped within a day or so unless Medibank reverses its position on paying a ransom, which is unlikely. Will not paying send a message to other extortion or ransomware gangs to not mess with Australia? They will no doubt take note.

But cybercriminals don’t observe normal deterrence. Attacks on IT systems have a low opportunity cost. And there are probably quite a few Australian companies that have paid ransoms over the years as well. How does this shake out? It’s going to take many more companies that just Medibank saying no to extortion. But it’s a great start.

Source