Australia sanctions REvil hacker behind Medibank data breach - Bleeping Computer

2024-01-23 08:10 (EST)

The Australian government has announced sanctions for Aleksandr Gennadievich Ermakov, a Russian national considered responsible for the 2022 Medibank hack and a member of the REvil ransomware group.

Medibank is a large health insurance provider in Australia that suffered a ransomware attack in October 2022, causing operational and business disruption.

Following an internal investigation, it was determined that hackers had accessed troves of customers personal data. In early November 2022, the attacker leaked stolen data for approximately 10 million people.

The leaked data included names, email addresses, phone numbers, physical addresses, passport numbers, health claims information, and health provider details.

Following a lengthy investigation, the Australian authorities identified Ermakov as the person responsible for the Medibank hack and data theft. Authorities also associated multiple online aliases with Ermakov and published photos of the individual.

According to the latest amendment of the Autonomous Sanctions document (version F2024L00099), Ermakov used multiple aliases, including GustaveDore, aiiis_ermak, blade_runner, and JimJone.

While not much is known about Ermakov, BleepingComputer found someone using the threat actors GustaveDore alias to post on the Russian-speaking XSS hacking forum and offering PHP development services.

GustaveDeore offering various services (source: BleepingComputer)

Responsible for the most damaging cyberattack in Australias history, as local media characterized it, was a ransomware gang called BlogXXX, which many believed to be a relaunch of the REvil operation that had shut down in October 2021.

In a press conference at Canberra, Australias Home Affairs and Cyber Security Minister confirmed that Ermakov was a member of the REvil ransomware operation and he was not among the individuals that Russia detained in early 2022 under suspicion of being members of the REvil group.

Although Ermakov may not care about the sanctions or find ways to evade them, his illegal activity is likely to feel the effect of these restrictions. The Head of the Australian Cyber Security Centre, Abigail Bradshaw, explains that "cyber criminals trade in anonymity."

By naming him, Ermakov can no longer operate unrestricted. His identity is now known not only to "every agency around the world but also anybody who is seeking to operate with him," Australias Deputity Prime Minister said at the conference.

As the sanctions in response to the Medibank Private cyber incident have a financial component, this means that whoever provides assets to Ermakov, including cryptocurrency or ransomware payments, would be committing an offense.

The Australian government believes that this is sufficient to deter others from associating with Ermakov for financial gains, be they legal or not.

Source

Previous
Previous

Barr: 2nd Annual MIT FRS Conference on Measuring Cyber Risk in the Financial Services Sector - Forex Factory

Next
Next

This NIST Trustworthy and Responsible AI Report Develops a Taxonomy of Concepts and Defines Terminology in the Field of Adversarial Machine Learning (AML) - Marktechpost