Ransomware Group ‘BlogXX’ to Post Medibank Data in 24 Hours


Nov. 9, 2022 update: Hackers have followed through on a threat to post millions of Medibank customers’ personal data on the dark web. Members of “BlogXX” have published what they deem “naughty” and “nice” lists, the former including patients seeking treatment for issues like addiction and eating disorders.

Though the “naughty” list reportedly had about a hundred names — some quite well-known in Australia — there was also information released on about five million Medibank customers, sources told ABC News Australia.

Cybercriminals have also posted what they claim are emails between their outfit and Medibank, negotiating the ransom payment in exchange for not releasing the data. Medibank had not yet responded to media inquiries at the time of writing.


Cybercriminals have threatened to start releasing the personal records of 9.7 million individuals (names, email addresses, health claims details, passport numbers, and more) within 24 hours, following Australian insurer Medibank’s refusal to pay a ransom demand.

The criminal group behind the original Oct. 12 cyberattack on Medibank, “BlogXX,” is believed to be a re-formation of the notorious Russia-backed REvil ransomware group that was forced offline by law enforcement in 2021.

Medibank Confirms Data Was Taken

The names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, passport numbers, health claims, and health provider details belonging to around 9.7 million “current and former” Medibank customers and their authorized representatives were accessed by cybercriminals last month.

Around 5.1 million Medibank customers, 2.8 million “ahm” customers, 1.8 million international customers, and 5,200 My Home Hospital (MHH) patients in Southern Australia are affected.

Threat researchers at CyberKnow said today that the criminal outfit “BlogXX” is believed to be responsible. The group may be a repackaged version of the REvil Ransomware-as-a-Service (RaaS) gang, some of whose members were arrested last year. Despite the arrests, REvil resurfaced in May.

In a series of tweets today, CyberKnow said BlogXX displayed snippets of the purported stolen Medibank data on the dark web. Negotiations between the insurer and the cybercriminals began on Nov. 7, ending with Medibank refusing to pay the ransom, researchers added.

BlogXX said they would be publishing the data in small pieces during the next 24 hours, including a strangely-worded citation from ancient philosopher Confucius in their post: “A man who has committed a mistake and doesn’t correct it is committing another mistake. -Confucius.” They also linked to a satire video about the breach by ABC comedian Mark Humphries.

“We’ll continue posting data partially, including confluence, source codes, list of stuff and some files obtained from media filesystem and different hosts,” the criminals continued, adding that Medibank should sell its stocks.

Medibank said it believes customer credit card and banking details were not accessed, but “all of the [other] customer data accessed could have been taken by the criminal.”

Customers should expect to be targeted with phishing campaigns in the following days, the insurer said today. The Australian Government, its Cyber Security Centre, and the Federal Police are currently trying to prevent the sale and sharing of customer data.

Stolen Password, Medibank’s Refusal to Pay Ransom

In an interview on Monday, Nov. 7, Medibank’s chief executive David Koczkar told the Australian Financial Review that a password stolen on Oct. 17 may have been the cause of the theft of the data.

“Mr Koczkar again apologised for the crime, not the company’s actions in failing to protect its customers’ data,” the publication added. Koczkar also said paying a ransom to return stolen data was unwise, which Australian Home Affairs and Cyber Security Minister Clare O’Neil said aligns with government advice.

“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” Koczkar said.

Medibank could also be facing a customer privacy lawsuit worth billions of dollars, said Professor George Newman, principal at Centennial Lawyers. “Medibank has a duty to keep this kind of information confidential,” Bannister Law and Centennial Law said on Monday.

A Nightmare for Australian Cyber-Defenses in 2022

Australia has been ravaged by cyberattacks and data breaches this year. September through October saw two major breaches, those of Optus and Telstra, rattle the country, followed shortly thereafter by the initial Medibank data breach in mid-October. A week later, the nation’s Bureau of Statistics (ABS) reported it blocked nearly one billion cyberattacks on census day.

Healthcare institution breaches of these proportions can lead to mass-scale identity fraud, and Medibank customers have been directed to reach out to ReportCyber, ScamWatch, or call Medibank directly for further instructions.

While 2021 marked a record-breaking period in ransomware-related payments, organizations are now increasingly avoiding paying because of the uncertainty involved in recovering stolen data. Also, projects like No More Ransom, which provides ransom decryptors to the public for free, have helped keep nearly 1 billion euros out of criminals’ pockets. In turn, these pushbacks have forced criminals to change their tactics to data destruction.

According to a new forecast from threat intelligence firm Mandiant, in 2023 we can expect fewer traditional ransomware deployments and payment demands, and more public shaming and exposure on leak sites instead. Experts also hope that the United States’ hardened cybercrime policies will deter cybercriminals from classic approaches.

Tech researcher & communications specialist
Mirza has an educational background in Global Communications and has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.