Ransomware group keeps its word, posts Medibank data on dark web

A ransomware group that on Tuesday threatened to post data stolen from medical insurer Medibank Group on the dark web has kept its word and released a small sample of what it claims is the data it appropriated.

The operator of this group, that hosts a copy of the site formerly used by the REvil gang, said the data was stored “in not very understandable format (tables dumps) we’ll take some time to sort it out and we posting (sic) a small part of the data, in ‘human readable format (sample in json file )’ also we post all raw data.

“We’ll continue posting data partially, need some time to do it pretty.”

REvil/Bloggxx has posted a link to what is claimed to be the initial instalment of the data stolen from #Medibank. pic.twitter.com/fs98N3KDuP

— Brett Callow (@BrettCallow) November 8, 2022

“We’ll continue posting data partially, including confluence, source codes, list of stuff and some files obtained from medi filesystem from different hosts.”

A single active link was provided to a small amount of data. A second link was also present, but was not active.

The name of the ransomware used is not definite but some refer to it as BlogXX. But it can attack only systems running Microsoft’s Windows operating system.

The data seemingly includes Good and Naughty lists (useful intel for Santa?)pic.twitter.com/p9I5JqJntf

— Brett Callow (@BrettCallow) November 8, 2022

Threat researcher Brett Callow, who works for the New Zealand-headquartered security firm Emsisoft, said in a tweet that the data had been posted, adding: “The data seemingly includes Good and Naughty lists (useful intel for Santa?).”

Medibank on Monday made a big deal about announcing that it would not pay a ransom to the attacker(s) who had hit its systems. The company announced to the ASX that the number of current and former customers affected by the attack could be as many as 9.7 million.

At about 11am AEDT on Tuesday, Medibank said it was aware of media reports of the threat made by the ransomware group. It claimed the group could also try to contact customers directly.

Chief executive David Koczkar said: “Customers should remain vigilant. We knew the publication of data online by the criminal could be a possibility, but the criminal’s threat is still a distressing development for our customers.

“We unreservedly apologise to our customers. We take seriously our responsibility to safeguard our customers and support them. The weaponisation of their private information is malicious, and it is an attack on the most vulnerable members of our community.”

REvil, also known as Sodinokibi, was a ransomware-as-a-service operation that was claimed to have been taken offline by intelligence agencies and law enforcement from the US and a number of its allies in October 2021.

GET READY FOR XCONF AUSTRALIA 2022

Thoughtworks presents XConf Australia, back in-person in three cities, bringing together people who care deeply about software and its impact on the world.

In its fifth year, XConf is our annual technology event created by technologists for technologists.

Participate in a robust agenda of talks as local thought leaders and Thoughtworks technologists share first-hand experiences and exchange new ways to empower teams, deliver quality software and drive innovation for responsible tech.

Explore how at Thoughtworks, we are making tech better, together.

Tickets are now available and all proceeds will be donated to Indigitek, a not-for-profit organisation that aims to create technology employment pathways for First Nations Peoples.

Click the button below to register and get your ticket for the Melbourne, Sydney or Brisbane event

GET YOUR TICKET!