REvil begins posting stolen data, Medicare details, online early Wednesday
The hackers also appeared to have posted parts of the ransom negotiations between the group and Medibank representatives.
On Tuesday, the group’s original post and threat attributed a quote to the Chinese philosopher Confucius, although there is debate over the English translation.
“A man who has committed a mistake and does not correct it, commits another mistake.
“Data will be published in 24 hours. PS I recommend selling Medibank shares.”
The post then links to a parody video by ABC satirist Mark Humphries about Medibank’s apology after the hack.
Brett Callow, a threat analyst at cybersecurity firm Emsisoft, said the hackers would not release more data.
“It is now a game of wait and see. How much data did the hackers get, and how much of it will they release? And what will they do with data that they don’t release?” he said.
“At this point, the hackers don’t really want to release any data. The more they release, the more influence they lose.”
‘Troublesome development for our customers’
Medibank previously confirmed that almost 500,000 health claims were stolen by the hackers, along with personal information, when the unnamed group hacked into its system weeks ago.
The group appears to be REvil, a Russia-backed cybercrime gang that has re-emerged after it was claimed to have been taken down in January by the country’s government at the request of the United States.
REvil is a ransomware-as-a-service operation. Its ransomware, which it makes available to “affiliates”, was among the most prolific in 2021.
The 2021 attack that halted operations at JBS Foods was attributed to REvil. In that attack the ransomware crippled meat processing operations in Australia and the US, leaving around 7,000 workers in Australia without pay until the problem could be partially resolved.
On Tuesday, Medibank chief executive David Koczkar said the criminal threat was a “disturbing development for our customers” and Medibank knew publishing the stolen data was a possibility.
“We knew that the publication of data online by criminals could be a possibility, but the criminal threat remains a troubling development for our customers,” Koczkar said.
“Customers should be alert. We apologize unreservedly to our customers. We take our responsibility to protect and support our customers very seriously,” he said on Tuesday morning.
“The weaponization of their private information is malicious and it is an attack on the most vulnerable members of our society.”
Mr Koczkar advised that all customers contacted by someone claiming to have their data should report it to the Australian Cyber Security Centre, ScamWatch, and if they believe they are in physical danger, call 000.
In line with the authorities’ advice
Home Affairs and Cybersecurity Minister Clare O’Neil said in a statement on Monday night that Medibank’s decision not to pay the ransom was in line with government advice.
On Tuesday, a spokesman for O’Neil said there would be no further comment at this time.
“Cybercriminals cheat, lie and steal,” she said in Monday’s statement. “Paying them only fuels the ransomware business model. They undertake to perform actions in return for payment, but often make victims of companies and individuals.”
Australian Federal Police Commissioner Reece Kershaw told a parliamentary committee that investigators had sought assistance from the FBI for the Medibank attack, in addition to earlier assistance for the Optus breach.
“The AFP has invested significant resources in these investigations, which will be lengthy and complex,” Kershaw said.
“And apart from sending a warning to cybercriminals that the AFP will relentlessly pursue them, I also have a message for business: please notify the authorities immediately when a data breach is suspected.
“It’s like any crime scene. The longer it takes to inform the relevant authorities, the more difficult it is for perpetrators to be identified, disrupted or brought to justice.”