A ransomware group that on Tuesday threatened to post data stolen from medical insurer Medibank Group on the dark web has kept its word and released a small sample of what it claims is the data it appropriated.
The operator of this group, that hosts a copy of the site formerly used by the REvil gang, said the data was stored “in not very understandable format (tables dumps) we’ll take some time to sort it out and we posting (sic) a small part of the data, in ‘human readable format (sample in json file )’ also we post all raw data.
“We’ll continue posting data partially, need some time to do it pretty.” The attacker also said the negotiation process was detailed within the leaked data.
“We’ll continue posting data partially, including confluence, source codes, list of stuff and some files obtained from medi filesystem from different hosts.”
A single active link was provided to a small amount of data. Threat researcher Brett Callow said: “In order to complicate any takedown efforts, REvil/Blogxx has mirrored the data, making it available via [a] second site.”
The name of the ransomware used is not definite, but some refer to it as BlogXX. It can attack only systems running Microsoft’s Windows operating system.
Callow, who works for the New Zealand-headquartered security firm Emsisoft, said in a tweet that the data had been posted, adding: “The data seemingly includes Good and Naughty lists (useful intel for Santa?).”
Medibank on Monday made a big deal about announcing that it would not pay a ransom to the attacker(s) who had hit its systems. The company announced to the ASX that the number of current and former customers affected by the attack could be as many as 9.7 million.
At about 11am AEDT on Tuesday, Medibank said it was aware of media reports of the threat made by the ransomware group. It claimed the group could also try to contact customers directly.
Chief executive David Koczkar said: “Customers should remain vigilant. We knew the publication of data online by the criminal could be a possibility, but the criminal’s threat is still a distressing development for our customers.
“We unreservedly apologise to our customers. We take seriously our responsibility to safeguard our customers and support them. The weaponisation of their private information is malicious, and it is an attack on the most vulnerable members of our community.”
REvil, also known as Sodinokibi, was a ransomware-as-a-service operation that was claimed to have been taken offline by intelligence agencies and law enforcement from the US and a number of its allies in October 2021.
A statement from Medibank said it had become aware of the released data.
“This data includes personal data such as names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers for ahm customers (not expiry dates), in some cases passport numbers for our international students (not expiry dates), and some health claims data,” it said.
“The files appear to be a sample of the data that we earlier determined was accessed by the criminal. We expect the criminal to continue to release files on the dark web.”