Is the unprofessionalism of one hacker group enough to kill off the Australian market for RAAS?

D3stin33

CD-disk · User · Registered: 13.07.2022 · Messages: 10 · Reactions: 6

Medibank is one of the larger Australian health insurance providers and was recently subject to one hacker group's amateur attempt to run their own ransom/extortion campaign.

For RAAS to work effectively it requires at least one of two essential components, Trust and Leverage.

RAAS is a trust-based ecosystem and only works when hackers keep their word, similar to mutually assured destruction theory in that if one country uses a nuke then we all die, no one wins; ergo, victims need to be convinced that paying will secure their data and return them to normal operations.

Those that pay get their data back, those that don't get their secrets published. Simple.

Leverage is a means to encourage payment, normally through locking the victim out of their data through encryption to cripple the business and leave limited options.

In the case of Medibank, both of these components were absent.

The hackers responsible managed to successfully access Medibank's system and steal around 200GB of data. It would be at this point that a competent hacker would deploy the ransomware to encrypt the victim's system. It appears to be the case that either they forgot (really?) or lost their access and didn't create any persistence on the system to cover these eventualities. This meant that any leverage was now reduced.

Data value is subjective. Outside of Medibank, the data that has been exposed already has a limited value relative to what can be done with it.

They initially attempted to extort USD10 million, which for a company of Medibank's size is not unreasonable. Medibank, however, officially declined to pay.

Why? The group failed to build trust from the beginning. During the negotiations, Australian media reported the hackers shopped Medibank around to a number of RAAS groups. Someone has then negotiated to utilise REvil, a group that was ostensibly “dismantled” by the FBI/FSB early this year and has done nothing officially since, and now REvil's “Happy Blog” TOR site has been magically resurrected on a new onion and Medibank's data posted in chunks, presumably in the vain hope that Medibank will change its mind. That is if they can maintain the site for any substantive time (it's offline yet again as I sit here and wonder who is responsible and how can this amateur exhibition be taken seriously by the victim).

Why haven't they just posted the data and moved on? Are they attempting to sell data (at grossly subjective prices) they stated they were going to post anyway? It's kind of absurd.

The result of all this is the Australian government seriously considering laws to ban any payment of ransoms and fines up to AUD50 million to a company that fails to protect their customers' data, effectively making ransomware or data extortion redundant. Where a business could take out insurance and write off the expense as a cost of business before, this could now be unlawful. Other countries will be watching the outcome carefully.

So the question remains, has this amateur display changed the market in Australia and beyond?
 
I like your point of view actually. I think that the whole Medibank affair has been managed by REvil very badly and they showed their unprofessionalism in many ways. First of all, the communication style. They brag too much in my opinion....
 
Please note that the user is blocked
It is possible that the amateur display of the Medibank hack may have changed the market in Australia and beyond. The failure of the hackers to build trust and leverage may have reduced the effectiveness of ransomware and data extortion as a means of attack. The Australian government is now considering laws to ban payment of ransoms and impose fines on companies that fail to protect customer data effectively, which could make ransomware or data extortion redundant. Other countries may follow suit if these laws are implemented. Overall, the Medibank hack may have highlighted the need for stronger cybersecurity measures and deterrents against ransomware and data extortion.
 
Please note that the user is blocked
Why do I think that ChatGPT wrote that?))
 
Please note that the user is blocked
If the Aus Gov passes this law, hackers will be able to claim the ransom just by having access to the data as long as the ransom is not above Aus$ 50 m, theoretically.