‘We are doing business’: Extorting Medibank all in a day’s work

It was late October and the cyber extortionists — who had been messaging back and forth with Medibank for days — were trying to impress on Australia’s largest private health insurer how trustworthy and reputable their criminal enterprise was.

“We are doing business, even if it is not legal, and we are worried about our reputation,” the person wrote, addressing questions from Medibank about how it could trust its data would be deleted after payment of a ransom.

“Data saved in one place and after a successful deal will be wiped out ... we’ll send you a file deletion report, and we will bring you some security advice. We are interested in getting money, not destroying your company.”

These messages, posted online by the attackers along with samples of stolen patient data, have been all but confirmed as authentic by Medibank.

In them, the attackers outline potential services Medibank could use to facilitate payments, but also frequently threaten to publish sensitive data, wreak as much reputational damage as possible, and contact patients directly through stolen phone and email details.

“In the event of a negative outcome of the negotiations for us, we will do everything in power to inflict as much damage as possible for you, both financial and reputational,” the attackers warned.

In a taste of what has played out this week, the extortionists also detailed how they would drop the data to a public source that would make it easier for customers to “form a lawsuit” against the company and “we will regularly post data every day and support the news feed”.

They gave Medibank ultimatums and deadlines on multiple occasions, the latest being November 7, which was when Medibank publicly announced it would not be paying a ransom. The first patient data was posted to the dark web on November 8.

It may seem bizarre for criminals to talk in the language of business ethics and reputation, but security researcher Troy Hunt was not surprised.

“Take away all the criminal stuff and the human pain and suffering they’ve inflicted; it’s just a business to these guys,” he said.


“Like anyone else who’s running a business,they’re looking at what is the best way to maximise their return? What is the highest and best use of the asset they have? And then what can they do to build their brand and their ability to have future business?”

In many ways, the world of ransomware on the dark web operates similarly to the world of legitimate software on the clear web.

Sites selling tools and data often look and function like legitimate sites. There are forums for people to discuss products, support systems and contact pages, even embedded chat engines that can walk victims through the process of making payments.

There are also much more troubling elements, like public displays of which companies are being ransomed and how long they have to pay, and dumps of people’s very private information. But even then, it’s often presented and handled in a way startlingly similar to consumer websites.

In the correspondence with Medibank, the attackers mention their “affiliate services” several times, which is a term you might recognise from legitimate e-commerce.

“It’s a little bit like affiliate programs with more mainstream businesses, where there might be an organisation that makes a product, but then they say ‘you can go out there and you can use our product, and sell it, and we’ll get a cut’,” Hunt said.

“Again it makes good business sense, in the same way it makes good business sense if you’re Amway. Affiliates go out and sell your Tupperware containers, or whatever else it may be.”

The hackers even revealed the price of the affiliate’s cut, saying that Medibank would have to pay 20 per cent above the $US10 million ransom price if it chose to go through the hackers’ chosen affiliate.

Using an affiliate would provide safeguards, the hackers insisted, such as the fact that it would be “difficult” for them to access affiliate programs in the future if they did not do the right thing and destroy the data.

“The choice to work directly or through an affiliate program is on [sic] your own,” the hackers said.

Theoretically, a person carrying out an attack like this could be anyone who bought a sophisticated ransomware package. Weaponised kits are made as user-friendly as possible, and can look like the kind of thing you might see on Amazon. Some have user reviews or promise 24/7 support. Others, like the Russian LockBit, operate flashy sites filled with proof of their software’s results.

Prices range from less than $100 to thousands, with options for flat-fee leases or monthly payments, profit sharing or affiliate programs that come with a much lower regular fee and a cut of the ransom going to the operators.

On Friday the federal government said those responsible for the Medibank attack were a “group of loosely affiliated cyber criminals” residing in Russia, though it did not give any names. Multiple experts have suspected the involvement of the Russia-aligned ransomware gang REvil, which has previously acted as a supplier of malicious software to affiliates as well as carrying out attacks itself.

REvil attacked software company Kaseya and global meat processor JBS Foods in 2021, encrypting their data and the data of their customers, with global impact. In the Kaseya case, a “master key” that unlocked all the businesses and public organisations shut down in the attack was later supplied, though it was unclear whether any ransom was paid.

REvil was apparently dissolved last year, and Russia claimed to have arrested many of its members in early 2022. But in recent weeks some of its old infrastructure began pointing to a dark web forum referred to as BlogXX, and it’s here that the attackers have been posting data stolen from Medibank. In their correspondence, the attackers mentioned the REvil mechanisms as one of the affiliates they could use to facilitate a successful ransom payment.

Hunt said that the presence of REvil in some form didn’t necessarily mean the same individuals were responsible, as gangs and hackers routinely moved around or changed names.

“Looking at it through the business lens, they’ve had some employees, they come and go, they have disputes, they move to different places,” he said.

“That’s kind of the point; when you’re an underground cyber criminal you like to fly under the radar.”

McGrathNicol cybersecurity partner Shane Bell said that a decade ago ransomware was all about encrypting people’s data so they couldn’t access it, and demanding payment to unlock it again. But these days, it’s often straight theft and extortion.

“The threat actors have evolved their business model to be much more geared around monetising the theft of data than the availability,” he said.

“There’s absolutely zero verification provided back to you that they will do what they say they’ll do. You’re taking them at face value. So I think it very much starts to shift the equation in favour of not paying,rather than paying.”

But while prior ransom attacks have leveraged the fact that a business may not be able to operate until it pays, the more brutal data theft method threatens significant human harm and reputational damage. The first two dumps of Medibank data were handpicked to list identifying information of people who had the most sensitive and private medical procedures or treatments, as if to show Medibank why it should have paid.

Bell said the attackers likely had further plans for the data after it had caused some damage.

“In my experience in dealing with threat actors, they seem to work down a hierarchy of value for effort. It might be that the next part of the value equation is actually to sell the data rather than to try to extort people within the dataset,” he said.

“If it’s people’s full identities,attempting to impersonate those people and do things in their name … is a valuable thing for criminals.”

Tim Biggs is a writer covering consumer technology,gadgets and video games.

Colin Kruger is a senior business reporter for the Sydney Morning Herald and The Age.