The “cruel” gang behind the Medibank hack issues a chilling message
Millions of Medibank customers’ private information was published on the dark web on Wednesday by hackers linked to one of the world’s most notorious criminal gangs.
And some experts say that if past form (and mythology) is any indication, this is unlikely to be where the Russian extortion racket, which trades on a reputation for cruelty to victims, intends to leave things.
The data release, revealed on Wednesday by The New Daily, and the failed public ransom negotiation that preceded it were both conducted under the name REvil.
But it is what they can do next that has caught the attention.
The name may suggest a James Bond nemesis, but the world’s most prolific organized hackers have been behind about half of all online ransom attacks and claim to have made $100 million or more from ransomware.
A typically bruising approach to negotiations saw 7,000 workers at JBS meat plants in Australia and the US stood down without pay last year after the business was crippled while the negotiations played out.
US officials estimate that about $200 million worth of cryptocurrency ransom payments flowed to the group, whose victims also included the foreign exchange company Travelex. But that scale of success may have been REvil’s downfall.
Perhaps fittingly for a group that operates in the shadows, most things to do with REvil are contested, including by credible US experts who disagree on whether it was behind the Medibank hack.
Key figures linked to REvil were eventually arrested, in late 2021. They included a 22-year-old Ukrainian alleged to be one of its key operators and several people in Romania.
(As with many international cybercrime operations, nationals of former Soviet republics that were once centres of mathematical education often turn out to be behind organizations that everyone just calls Russian.)
Before that, the group had pulled off an even larger job, the supply-chain attack on IT software vendor Kaseya, and demanded a $70 million ransom last July.
It was credited with putting the ransomware scourge on the international agenda in talks between Vladimir Putin and Joe Biden.
Perhaps not coincidentally, the group’s leak site went dark not long after and, most curiously, its latest victim got its data back.
Since then, a group claiming to be REvil has resurfaced with a new website that shares some technical traits with the old one and the same trademark rude tone.
“It could very well be REvil attacks, but we can’t be 100 percent sure as anyone can claim to be from any hacker group,” Larry Cashdollar, a senior US security researcher who has studied the group’s attacks, told The New Daily.
Decentralization and specialization are part of what made the group so successful, as was its permanent recruitment campaign, advertised with a $1 million Bitcoin deposit to motivate applicants.
But those responsible for any of the gang’s hacks could theoretically have been members of a rotating cast based anywhere.
With security experts warning Medibank customers to expect further data releases, the question of who was behind the hack becomes more important.
Automatic cruelty was part of the REvil business model and the reputation it depended on: Failure to pay or dropping out of negotiations saw ransoms doubled.
More recently, individual customers were pressed to pay when the companies holding their data would not.
In one analysis, IBM estimated that roughly a third of the gang’s victims paid, while a third had personal information stolen; in a more recent development, victims’ data was auctioned off, a tactic designed to pressure them into reopening negotiations.
Love of cruelty
On Wednesday, after Medibank revealed it had refused to pay a demanded ransom, REvil released screenshots of its approach to the insurer’s CEO, David Koczkar (including his mobile number).
Just like the robberies of old, the Medibank job was carried out by criminals who like to taunt their victims.
“Hi! Since your team is quite shy, we decided to take the first step in our negotiations,” they said.
The group followed up with threats to publish customer data.
The big question now is whether venting their displeasure at not receiving a ransom will cause further pain to Medibank customers, perhaps with releases spotlighting just a few.
In a cruel mockery of Medibank customers, the hackers released just a few hundred names on Wednesday. Among them was a list labeled “naughty” of people whose medical records showed they had been treated for drug addiction, including at high-end clinics such as the Sydney Clinic.
The criminals had previously said they would release data related to people who had “the most followers” or were high-profile, including “politicians, actors, bloggers, LGBT activists” and suggested they would explicitly prey on people with sensitive medical histories.
On Wednesday they apologized for the disorganized state of the data dump containing millions of Australians’ records.
The clear implication was that more would follow, with the hackers promising smaller and “pretty” data releases.
Precautions pay off
“It is likely that the data will be sold and leaked on the dark web as this drags on,” Cashdollar said.
“Victims should make arrangements to possibly freeze their credit and increase their own personal security.”
He suggested putting a password on mobile phone accounts so a number cannot be transferred to another operator remotely, and using two-factor authentication for online accounts.
Troy Hunt, a regional director for Microsoft and international authority on data breaches, has seen enough hacks to put them in perspective.
Whether the Medibank hackers are who they say they are, he said, was irrelevant.
The outcome, he said, would be the same.
“These crews depend on following through on their threats to be taken seriously,” he said.
“People have done [this] sort of thing successfully for many, many years. It’s a pretty well-known, proven business model and there are a lot of people in the game.”
Mr Hunt always advises caution (his world-leading breach registry haveibeenpwned.com shows his own data has turned up in 28 breaches) and recommends keeping passwords current and stored in a password manager.
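The breach registry mentioned above also runs a Pwned Passwords service that lets you check a password against known dumps without ever sending it: the client hashes the password with SHA-1, sends only the first five hex digits of the hash, receives every known suffix in that range with a count, and matches locally (the k-anonymity range API). The script below is an added illustration of that check written for this page, not code from the article or from haveibeenpwned.com; the endpoint is the real one, but the sample range responses and their counts are constructed so the example runs offline.

```python
"""Pwned Passwords k-anonymity lookup: hash locally, send a 5-hex-digit prefix,
match the suffix locally.  Added example; the sample data below is constructed."""
import hashlib
import urllib.request
from typing import Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real Pwned Passwords endpoint


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest.
    Only the prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the API's 'SUFFIX:COUNT' lines into a dict.  Blank lines are skipped;
    with the Add-Padding header the server also returns decoy suffixes with count 0,
    which are kept here but never report a real hit."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_bodies: Dict[str, str]) -> int:
    """How many times the password appears in the corpus, given a map of
    prefix -> raw range response.  0 means not present (or padding only)."""
    prefix, suffix = split_sha1(password)
    body = range_bodies.get(prefix)
    if body is None:
        return 0
    return parse_range_response(body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup of one range (network; not used by the offline demo below)."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix.upper()):
        raise ValueError("prefix must be 5 hex digits")
    req = urllib.request.Request(RANGE_URL + prefix.upper(),
                                 headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for range 5BAA6 (SHA-1("password") begins 5BAA6).
# The counts and the two other suffixes are made up for the demo.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"
        "0123456789ABCDEF0123456789ABCDEF012:12\n"
        "FEDCBA9876543210FEDCBA9876543210FED:0\n"   # padding-style decoy entry
    ),
}

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = split_sha1(pw)
        seen = breach_count(pw, SAMPLE_RANGES)  # a real client would fetch_range(prefix)
        verdict = f"seen {seen} times, do not use" if seen else "not in the sample corpus"
        print(f"{pw!r}: prefix sent = {prefix}; {verdict}")
```

The privacy property is the point: the server learns only a 5-hex-digit prefix shared by hundreds of hashes, so it cannot tell which password was checked, and the comparison of the remaining 35 characters happens on the client.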
He believes many Medibank customers may begin to perceive vulnerabilities that were always there in a world where identity theft is a constant threat.
“There are people out there pulling data from all kinds of different places and then they try to trick you,” he said.
“It kind of doesn’t change that.
“On the other hand, the biggest problem we have now is a large number of people who are very interested in this event because it affects them personally.
“Inevitably we will see more phishing [scam sites tricking people to input their passwords]; we’re going to see ransom money escalate very, very quickly, and I’m sure it’s already happening.
“But hopefully these events bring all these things a little more to the forefront of everyone’s minds.”