A ransomware gang that some believe is a relaunch of REvil and others track as BlogXX has claimed responsibility for last month’s ransomware attack against Australian health insurance provider Medibank Private Limited.
Medibank is one of Australia’s largest private health insurers, covering over 3.9 million people and having 4,000 employees.
While until now, the attack on Medibank hasn’t yet been attributed to a specific ransomware group, the company did confirm that the malicious activity observed on its network matches ransomware activity.
The ransomware gang threatened today in a new entry added to its data leak website that it would leak data allegedly stolen from Medibank’s systems within 24 hours.
The gang is yet to reveal how much data it exfiltrated out of Medibank’s network and hasn’t shared any proof to verify these claims.
A Medibank spokesperson was not available for comment when contacted by BleepingComputer earlier today to confirm the ransomware gang’s claims.
An REvil relaunch?
The original REvil ransomware gang shut down in October 2021 after its Tor servers were hijacked, reportedly by law enforcement, followed by Russia arresting some of the gang’s members.
However, in April 2022, the operation’s original Tor websites mysteriously began redirecting visitors to new websites for what is called the ‘BlogXX’ operation. In private negotiations with victims, these threat actors call themselves Sodinokibi, a name previously used by the original REvil operation.
Furthermore, security researchers have confirmed that the new operation’s encryptor was based on the source code of REvil’s encryptor.
Due to the website redirects and code similarities, the new operation is considered by some to be a relaunch of the REvil operation, either by the developers or other members.
However, security researcher MalwareHunterTeam believes this group is BlogXX, an entirely new operation.
Medibank refuses to pay the ransom
Although Medibank is yet to confirm what hacking group is behind this attack, the company said in a press release published today that it refused a ransom demand made by the attackers.
“Today, we’ve announced that no ransom payment will be made to the criminal responsible for this data theft,” Medibank said.
“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.”
The health insurer added that paying the attackers would also likely motivate them to go after customers affected by the data breach.
Furthermore, a ransom payment will encourage others to attack Australian organizations, putting more people at risk.
“There is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” the company added. “This decision is consistent with the position of the Australian Government.”
Attackers accessed the data of millions of customers
Initially, the insurer said it had no evidence of any customer info being accessed or stolen. The company later revealed that the hackers accessed some of its customers’ data.
Today, before the ransomware gang starts leaking the allegedly stolen data to back their claims and attempt to force Medibank’s hand into negotiating a deal, the company revealed the attackers gained access to sensitive information belonging to millions of customers.
The complete rundown of data Medibank believes was exposed in the breach includes the following:
Name, date of birth, address, phone number, and email address for approximately 9.7 million current and former customers and authorized representatives
Medicare numbers (but not expiry dates) for ahm health insurance (ahm) customers
Passport numbers (but not expiry dates) and visa details for international student customers
Health claims data for roughly 480,000 Medibank, ahm, and international customers
Health provider details, including names, provider numbers, and addresses
Medibank added that it also believes the cybercriminals behind the October attack have not gained access to financial information (credit card and banking details), primary identity documents (e.g., driver’s licenses), or health claims data for extras services (like dental, physio, optical and psychology).
“Given the nature of this crime, unfortunately we now believe that all of the customer data accessed could have been taken by the criminal,” Medibank added.
“Customers should remain vigilant as the criminal may publish customer data online or attempt to contact customers directly.”