The operator of a ransomware blog, which hosts a copy of the site formerly used by the REvil gang, claims that data from Australia’s Medibank Group will be posted on the dark web in 24 hours.

Exactly when the post was made is unknown, but it comes soon after the company, on Monday, made a big deal about announcing that it would not pay a ransom to the attacker(s) who had hit its systems. The post was later updated to include a screenshot of ABC satirist Mark Humphries, who recently published a video about Medibank’s woes.

The company announced to the ASX that the number of current and former customers affected by the attack could be as many as 9.7 million.

Chief executive David Koczkar said Medibank would not pay any ransom because there was little chance that it “would ensure the return of our customers’ data and prevent it from being published”.




Threat researcher Brett Callow said in a tweet: “Australia’s #Medibank has been listed on the site that used to be operated by REvil. The relationship between the current operators of the site and REvil remains unclear.”

REvil, also known as Sodinokibi, was a ransomware-as-a-service operation that was claimed to have been taken offline by intelligence agencies and law enforcement from the US and a number of its allies in October 2021.

The Australian Government’s focus has been on the Medibank attack over the last couple of weeks, shifting from the telco Singtel Optus, which has also suffered a catastrophic breach.

The operator of the ransomware blog said in the post: “A man who has committed a mistake and doesn’t correct it is committing another mistake. -Confucius. Data will be publish (sic) in 24 hours P.S I recommend to sell medibank (sic) stocks.”

Callow, who works for the New Zealand-headquartered security firm Emsisoft, told iTWire there was no proof that the operator in question had any of the Medibank data.

“While it’s not clear who operates the BlogXX Tor site, it does seem they have a connection to REvil,” he said.

“Their ransomware is based on REvil’s and somebody set up a redirect from REvil’s old URL to the BlogXX site.

“It shouldn’t, however, be assumed that the operators of the BlogXX site were responsible for the attack on Medibank or that they necessarily even have any of the stolen data.

“They’ve provided no proof and it’s possible they’re simply seeking attention.”

In a statement issued about 11am on Tuesday, Medibank said it was aware of media reports of the threat made by the ransomware group.

It claimed the group could also try to contact customers directly.

Koczkar said: “Customers should remain vigilant. We knew the publication of data online by the criminal could be a possibility, but the criminal’s threat is still a distressing development for our customers.

“We unreservedly apologise to our customers. We take seriously our responsibility to safeguard our customers and support them. The weaponisation of their private information is malicious, and it is an attack on the most vulnerable members of our community.”
