Medibank’s travails continue with the hacker posting stolen data online: a salutary lesson that preparing for ransomware is better than cleaning up afterward. But having a remediation plan is still important. Medibank shows what happens when there isn’t one.
November 10, 2022 |
Hackers posting data online when the ransom demand for its return fails is nothing unusual. And Medibank has refused to pay the ransom demanded of it. That is consistent with Government advice. Forbes reported that 92% of those who pay a ransom do not get their data back. Last year Kaspersky reported that 56% of ransomware victims pay the ransom but only a quarter get their full data returned. Where does the truth lie? Somewhere it is unlikely to be found. The figures are necessarily spongy given the marked reluctance of organisations and businesses to admit to paying ransoms. Surveys of consumers and companies are at best educated guesses.
With Medibank refusing to pay the ransom, the Russian hackers have posted some of the data online. This is hardly unusual. It is an evolving story, but The Australian has a good summary in Medibank hacker starts posting stolen data. It is a story that is getting wide coverage across Australia, with the Sydney Morning Herald, the Guardian, ABC and the Australian Financial Review, just to name a few outlets. It has also received wide overseas coverage, such as by the BBC.
But this data breach and the unfolding torment is part of a worldwide phenomenon. On 31 October Bleeping Computer reported that hackers were selling access to 576 corporate networks for $4 million. Other cyber attacks in the last week included Boeing Subsidiary Jeppesen’s Services Hit By Cyberattack, a cyber attack caused trains to stop in Denmark, a Ransomware attack on Osaka General’s network stalled critical surgeries & daily operations and Europe’s Biggest Copper Producer Hit by Cyber-Attack to name but a few. These incidents highlight the chronic and worldwide nature of the problem. In most of these cases hackers gained access because of poor data security practices.
The hackers in the Medibank data breach are following the digital extortion business model, where the hackers escalate the attack in order to force payment from victims. The ransomware extortion model commonly begins as a classic ransomware attack, demanding payment for encrypted files while simultaneously the hackers exfiltrate data from the victim. If victims fail to pay within the allotted time, or opt to recover encrypted data through backups, criminals threaten to release confidential data publicly. Some attackers even auction confidential data to the highest bidder on the dark web.
The extortive blended attacks can circumvent backup strategies because they essentially extort the victim into payment even if backups are in place.
Ransomware is one of cybercrime’s strongest business models. It is far more popular and effective than trojans, phishing, distributed denial-of-service (DDoS) and cryptojacking.
When a computer becomes infected with ransomware, the malware often generates network traffic by sending encrypted system information to a command-and-control server. Normally, ransomware contains the public key needed for encryption and uses it locally without fetching it from a remote server.
Typical actions taken by most ransomware variants include:
- terminating a list of hardcoded processes and services that may interfere with file encryption, such as databases, security applications and backup services. Some variants also search for and attempt to uninstall known antivirus programs or other security applications
- preventing or disabling system restore features that may be enabled by the operating system
Unlike other malware, most ransomware infections don’t require administrative privileges. The malware relies on the permission level the most basic users would operate on their assigned networked device. Ransomware attacks that worm through networks plant malicious code in corporate file share servers and use those folders to move to other user devices without additional effort.
The National Institute of Standards and Technology (NIST) recommends having a process for preparing for and dealing with a ransomware attack. That is broken down into:
– Preparation
– Detection and analysis
– Containment, eradication and recovery
– Post-incident activities
Preparation
This includes:
- Holding continual user education about the risks of macros in email attachments
- Providing stricter notification about macros to help users self-identify risky behavior
- Ensuring group policies are current
- Blocking macros from running in Word, Excel and PowerPoint documents that come from the internet
Detection
How an organization first detects a ransomware infection can vary widely. In most cases an employee will find it impossible to access files, see a ransom note, or notice that a certain service is no longer accessible. The first goal is to contain the spread of the infection as soon as possible and isolate the infected systems to minimise the risk to the larger organization. This stops any ongoing encryption processes that may still be underway. Once the affected users are identified, their devices and access should be disabled to halt the encryption process in the shared location.
It is important to:
- identify the specific variant of ransomware in action
- determine how the malware entered the organization, also known as root cause analysis
The common entry points are:
- through the email
- browser exploitation
- other vulnerabilities
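The detection section above describes what a responder looks for (mass file encryption, a ransom note, disabled backup and security services) and says the immediate goal is to find the affected users and halt encryption in the shared location. The following is an added example, not code from the original post: a small triage script that runs those checks over endpoint telemetry. The log format, host names, service names and thresholds are all hypothetical, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed endpoint telemetry, one event per line:
#   <timestamp> <host> <event> <detail>
# The format, host names and service names are hypothetical.
SAMPLE_LOG = r"""
2022-11-09T02:14:01 WS-0412 file_rename C:\Users\jsmith\Documents\q3.xlsx -> C:\Users\jsmith\Documents\q3.xlsx.locked
2022-11-09T02:14:01 WS-0412 file_rename C:\Users\jsmith\Documents\plan.docx -> C:\Users\jsmith\Documents\plan.docx.locked
2022-11-09T02:14:02 WS-0412 file_rename \\FS01\shared\budget.xlsx -> \\FS01\shared\budget.xlsx.locked
2022-11-09T02:14:02 WS-0412 file_create \\FS01\shared\README_RESTORE_FILES.txt
2022-11-09T02:14:03 WS-0412 service_stop VeeamBackupSvc
2022-11-09T02:14:03 WS-0412 service_stop MSSQLSERVER
2022-11-09T02:14:05 WS-0412 file_rename \\FS01\shared\hr\payroll.csv -> \\FS01\shared\hr\payroll.csv.locked
2022-11-09T02:14:06 WS-0412 file_rename \\FS01\shared\hr\contracts.pdf -> \\FS01\shared\hr\contracts.pdf.locked
2022-11-09T02:15:10 WS-0077 file_rename C:\Users\amy\draft.txt -> C:\Users\amy\draft_final.txt
2022-11-09T02:15:11 WS-0077 service_stop Spooler
"""

RENAME_THRESHOLD = 4                       # renames to one unknown extension per host
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".csv", ".pptx", ".jpg", ".png"}
PROTECTED_SERVICES = {"veeambackupsvc", "mssqlserver", "windefend", "wbengine", "vss"}
NOTE_PATTERN = re.compile(r"(restore|decrypt|recover|readme).*\.(txt|html?)$", re.I)
LINE_PATTERN = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
UNC_PATTERN = re.compile(r"^\\\\([^\\]+)\\")   # \\SERVER\share\... -> SERVER


def _extension(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def analyse(log_text: str) -> dict:
    """Per-host indicators: mass rename to one new extension, ransom note, protected service stopped."""
    renames = defaultdict(Counter)   # host -> Counter(new extension)
    notes = defaultdict(list)
    stopped = defaultdict(list)
    shares = defaultdict(set)        # file servers touched, for containment of the shared location
    for line in log_text.splitlines():
        m = LINE_PATTERN.match(line)
        if not m:
            continue
        _, host, event, detail = m.groups()
        if event == "file_rename" and " -> " in detail:
            _, dst = detail.split(" -> ", 1)
            renames[host][_extension(dst)] += 1
            share = UNC_PATTERN.match(dst)
            if share:
                shares[host].add(share.group(1))
        elif event == "file_create" and NOTE_PATTERN.search(detail.rsplit("\\", 1)[-1]):
            notes[host].append(detail)
            share = UNC_PATTERN.match(detail)
            if share:
                shares[host].add(share.group(1))
        elif event == "service_stop" and detail.lower() in PROTECTED_SERVICES:
            stopped[host].append(detail)

    findings = {}
    for host in set(renames) | set(notes) | set(stopped):
        ext, count = (renames[host].most_common(1) or [("", 0)])[0]
        mass = ext if count >= RENAME_THRESHOLD and ext not in KNOWN_EXTENSIONS else None
        indicators = [name for name, hit in (("mass_rename", mass is not None),
                                             ("ransom_note", bool(notes[host])),
                                             ("protected_service_stopped", bool(stopped[host]))) if hit]
        findings[host] = {"mass_rename_ext": mass, "ransom_notes": notes[host],
                          "stopped_services": stopped[host], "shares_touched": sorted(shares[host]),
                          "indicators": indicators}
    return findings


def suspect_hosts(log_text: str, min_indicators: int = 2) -> list:
    """Hosts whose user/device should be disabled first; requires two independent indicators."""
    return sorted(h for h, f in analyse(log_text).items() if len(f["indicators"]) >= min_indicators)


if __name__ == "__main__":
    for host, f in analyse(SAMPLE_LOG).items():
        print(host, f["indicators"], "shares:", f["shares_touched"])
    print("isolate first:", suspect_hosts(SAMPLE_LOG))
```

Requiring two independent indicators keeps a single renamed file or a routine service restart from triggering isolation; the `shares_touched` field tells the responder which file server the encryption has reached, which is what the "halt the encryption process in the shared location" step needs.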
Containment, eradication and recovery
When a system is identified as potentially having ransomware, the computer should immediately be removed from the networks, including wifi connections. It should be shut down, or ideally hibernated to assist in forensic and sample analysis.
The eradication phase involves removing the ransomware from infected systems across the whole organisation. This operation can be lengthy and may involve working on user devices and more pivotal machines and services. Any system that has been infected should be rebuilt from a trusted source. Rely on trusted templates and settings that are kept safely for cases like these.
If the malware initially arrived through an email message, the organization should search for and purge all existing copies of the message still pending within the mail store. Any systems that received or opened the email should be isolated until the organisation verifies that the ransomware wasn’t executed on those systems.
If the ransomware arrived through a web browser exploit, those websites should be blocked and monitored. Then it is necessary to decide whether to update or remove any vulnerable browser components.
Passwords for all affected users should be changed as a precaution. This step should be taken carefully and strategically to avoid alerting the attackers. It’s likely attackers have a number of credential sets and may attempt to use them and pivot the attack if their initial access is suddenly revoked.
Recovery
After containing the ransomware and identifying the root cause of the infection, when beginning the recovery phase an organisation:
- needs to have completed containment and identified the root cause of the infection
- if it discovers that the attack was the result of vulnerable systems, will need to patch them. If they can’t be patched, they have to be segregated and compensating controls put in place in order to minimise exposure risk.
- initially rely on their internal backup infrastructure to restore affected files if there is a backup process in place. This process should include an analysis of the frequency and completeness of the backups to ensure complete restoration of the data.
- need to verify the status of backups at the time of required recovery. If the attackers have been in the networks for months encrypting the backups the backup option is probably not available. The backup option won’t be available if files have been silently encrypted and then backed up over time.
- who discover that attackers have remained silent in networks for long periods of time need to assume that they have planted persistence mechanisms in the backups. This enables them to return to threaten the organization if a ransom isn’t paid.
- should adopt the best practice for backups by using redundancy and keeping backups checked and segregated or offline. In cases where malicious encryption impacts a network share, there’s still a chance that several of the most recent backups may contain partially encrypted files.
Fully restoring files from backups may not be possible. In these cases, organizations may look for ways to break the encryption without paying the ransom, or perhaps locate decryption keys on infected systems. This is rarely successful. Knowing the variant and version of the ransomware infection may help determine options. It can also aid the recovery phase and inform decisions about how to approach recovery and the consequences of each potential route.
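The recovery list above makes two points that are easy to get wrong in practice: backups taken after files were silently encrypted in place are worthless even though the file names look normal, and the most recent backups of a hit network share may contain partially encrypted files. The following is an added example, not code from the original post, showing one way to audit a backup set before trusting it: each file is checked for a known ransomware extension and, failing that, for ciphertext-like byte entropy, and the newest fully clean snapshot is chosen as the restore point. The extension lists, the entropy threshold and the snapshot data are all constructed for the example.

```python
import math
import os
import random
from collections import Counter

# Constructed lists; tune them to your own environment.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4"}  # legitimately high entropy
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to 8.0, text well below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str, data: bytes) -> str:
    ext = os.path.splitext(path)[1].lower()
    if ext in SUSPECT_EXTENSIONS:
        return "suspect-extension"        # overt stage: renamed by the ransomware
    if ext in COMPRESSED_EXTENSIONS:
        return "ok"                       # entropy test would false-positive on compressed formats
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "suspect-entropy"          # silent stage: same name, unreadable contents
    return "ok"


def audit_snapshot(files: dict) -> dict:
    """files: {path: bytes}. Returns {path: verdict}."""
    return {path: classify_file(path, data) for path, data in files.items()}


def last_clean_snapshot(snapshots: list):
    """snapshots: (label, {path: bytes}) pairs, oldest first. Newest label with no suspect files, else None."""
    for label, files in reversed(snapshots):
        if all(verdict == "ok" for verdict in audit_snapshot(files).values()):
            return label
    return None


# --- constructed sample backup set ---
_rng = random.Random(42)
PLAIN = b"Quarterly budget: revenue 1200, costs 900, margin 300\n" * 60
CIPHERTEXT_STANDIN = bytes(_rng.getrandbits(8) for _ in range(4096))  # stands in for an encrypted file
PHOTO = bytes(_rng.getrandbits(8) for _ in range(2048))               # a real JPEG is also high-entropy

SNAPSHOTS = [
    ("2022-10-01", {"finance/budget.xlsx": PLAIN, "finance/notes.txt": PLAIN, "hr/team.jpg": PHOTO}),
    # budget.xlsx silently encrypted in place, then backed up as if nothing had changed
    ("2022-10-15", {"finance/budget.xlsx": CIPHERTEXT_STANDIN, "finance/notes.txt": PLAIN, "hr/team.jpg": PHOTO}),
    # overt stage: renamed files and a ransom note captured in the backup
    ("2022-11-01", {"finance/budget.xlsx.locked": CIPHERTEXT_STANDIN,
                    "finance/notes.txt.locked": CIPHERTEXT_STANDIN,
                    "finance/README_RESTORE.txt": PLAIN,
                    "hr/team.jpg": PHOTO}),
]

if __name__ == "__main__":
    for label, files in SNAPSHOTS:
        bad = {p: v for p, v in audit_snapshot(files).items() if v != "ok"}
        print(label, "clean" if not bad else bad)
    print("restore from:", last_clean_snapshot(SNAPSHOTS))
```

On the constructed set only the oldest snapshot is clean: the middle one looks intact by name but fails the entropy check, which is the silent-encryption case the list warns about. The compressed-format allowlist is the caveat a practitioner needs, since archives, images and video are high-entropy by design and would otherwise be flagged on every run.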
Successful remediation requires not only adept security technical prowess but also an effective whole-of-business response that involves a unified response, not one done in silos. That requires advanced preparation which must include planning and testing that encompasses identified members from multiple functions across the organisation.
The Australian story provides:
Medibank customers with drug addictions and some who have tested positive for HIV are among those to have had their data leaked in the first tranche of sensitive personal information dumped by Russian hackers on Wednesday.
The data, posted in an unencrypted file named ‘naughty-list’ on the dark web for anyone to download, includes details for around 100 patients including if they had been treated for drug use, alcohol abuse, anxiety, cannabis dependence or opioid addictions.
A so-called ‘good-list’ has also been posted, containing customer information including names and home addresses, birth dates and Medicare details.
The ransomware group has posted the details of hundreds of Australian customers so far after it gave Medibank 24 hours on Tuesday to pay a cyber ransom, which the company said it wouldn’t.
The hacker also leaked WhatsApp messages purportedly sent to Medibank chief executive David Koczkar attempting to negotiate a ransom payment.
“Hi! As your team is quite shy, we decided to make the first step in our negotiation,” the message to Mr Koczkar dated October 18 reads. “We’ve found people with very interesting diagnoses.”
The hacking group is expected to continue leaking more data after the initial dump on Wednesday.
“Looking back that data is stored not very understandable format (table dumps) we’ll take some time to sort it out,” they wrote in a post on the dark web at around 1am AEDT on Wednesday.
“We’ll continue posting data partially, need some time to do it pretty.”
Medibank confirmed it expected the criminal to continue releasing files on the dark web, and the data published so far appeared to be accurate.
“We unreservedly apologise to our customers,” Medibank chief executive David Koczkar said.
“This is a criminal act designed to harm our customers and cause distress.”
Prime Minister Anthony Albanese confirmed he is a Medibank private customer and can understand the concern of the millions of people affected by the cyber attack of the health insurer and personal information being published on the dark web.
“We’ve … made sure we’ve been clear about the risk that is there, this is really tough for people. I’m a Medibank private customer as well and it will be of concern that some of this information has been put out there,” he said.
“The company (Medibank) has followed the guidelines effectively … which is to not engage in ransom payments.
“We will be … responding extensively. We are concerned and we’ll continue to monitor what is occurring.”
Mr Albanese said “this has been a real wakeup call for corporate Australia”.
Home Affairs Minister Clare O’Neil said she “doesn’t have words to express the disgust” she feels in response to the stolen data being published online.
“The fact that personal health information is being held over their head is just disgusting to me,” she said on Wednesday. “It just shows us that these cyber criminals who we are joined in a fight against between the Five Eyes and other friends of partners around the world, they are just disgraceful human beings and we need to step up and do everything we can to fight back against them.”
Ms O’Neil said the incident was a wake up call for the nation, but she believed with the right changes Australia could become “the most cyber safe country in the world”.
She said it was important Australians understood the release of data was not happening because Medibank did not pay a ransom.
“That is crucial for people to realise,” she said. “What we see so often with these incidents is that companies in desperation, pay a ransom and then the data is used to revictimise and revictimise and revictimise. We cannot live in a world where people can do this sort of thing and benefit financially from it.”
Ms O’Neil said she activated the national coordination mechanism within a short time of hearing about the breach last month, which was the first time such a measure had been used in response to a cyber attack.
“The former government created this as a crisis response mechanism during COVID and it was set up to deal with the most difficult intractable urgent problems that were being experienced at that time,” she said.
“It is an unbelievably effective way for us to elevate the urgency of a problem across all levels of government and community of business and to bring together people who need to work together to solve a problem who may not use to be working together.”
Ms O’Neil said important health information of Australians would be released over coming days and weeks and urged for it not to be republished by media or on social media platforms.
On Tuesday the hackers shared a statement with a quote from Chinese philosopher Confucius and told people to sell their Medibank stocks along with an ultimatum for the insurance giant.
“A man who has committed a mistake and doesn’t correct it is committing another mistake. Confucius,” they wrote. “Data will be publish in 24 hours.”
Also on Tuesday Medibank chief executive David Koczkar said he was “devastated” for customers, saying they “deserve privacy”. But he said if Medibank caved to the demands of cyber criminals it would make Australia a softer target for repeat attacks.
“This is a significant decision for the business and we’ve had extensive expert advice and the reality of that advice is that there was a small chance that paying a ransom – you can call it extortion – that it was very unlikely they may return customer data,” Mr Koczkar told The Australian.
“In fact, you just can’t trust a criminal. It’s more likely that this will put more of our customers at risk through increased extortion and actually make Australia a bigger target. That’s consistent with the government policy on paying ransom, so that’s why we’ve made the decision we have to not pay a ransom.”
Mr Koczkar said investigations into the incident showed the criminal accessed the name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorised representatives.
The criminals also accessed health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers. This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered.
Some 5200 My Home Hospital patients also had some personal and health claims data accessed, and around 2900 next of kin of these patients have had some contact details accessed.
Primary identity documents, such as drivers’ licences, for Medibank and ahm resident customers were not accessed, but Medicare numbers (but not expiry dates) for ahm customers were caught up in the breach as were passport numbers (but not expiry dates) and visa details for international student customers.
As The Australian previously reported, the criminal behind the Medibank data hack bought login credentials to gain access to the network from an online Russian criminal forum and did extensive reconnaissance before collecting the data, which experts estimate would have lasted months.
Founder of the UK’s National Cyber Security Centre Ciaran Martin said there was a “serious safe haven problem” faced by countries like Australia and Britain in regards to Russia and a number of other nations allowing cyber gangs that targeted western nations to operate freely within them.
“I’m afraid we have to face up to the reality that they (gangs) are pretty effective, well organised … and able to operate with impunity,” he said.
“This threat is here and it’s harder to do something about it than it is for threat actors based in unfriendly countries with whom we don’t have law enforcement arrangements. So we have to treat data as the valuable commodity it is and protect it properly and harden our defences.”
Australian Strategic Policy Institute’s international cyber policy centre director Fergus Hanson said what was unfolding was “the best outcome we could have hoped for” and praised Medibank in not paying a ransom.
“Paying a ransom will just encourage further attacks,” he said.
“So it’s a hard pill to swallow – having patient data released out there and people’s records – but it’s the best outcome for Australians in terms of preventing future attacks on healthcare sectors.”