Australian sanctions target Aleksandr Ermakov for allegedly stealing data on about 9.7 million Medibank customers and leaking it after a ransom dispute. Authorities link him to REvil and a ransomware affiliate ecosystem, with multiple handles and operatives tied to the activity. Hashtags: #Medibank #REvil #GustaveDore #JimJones #Shtazi #Rescator #Sugar
Keypoints
- 9.7 million Medibank records were stolen and highly sensitive health data was leaked after Medibank refused a $10 million ransom.
- Australia sanctioned Aleksandr Ermakov, marking a first targeted cybercrime sanction by the country.
- The U.S. Treasury ties Ermakov and the Medibank attackers to the REvil ransomware gang, a ransomware-as-a-service operation.
- Ermakov used multiple aliases (GustaveDore, JimJones, Blade Runner) and operated a ransomware affiliate program called Sugar.
- Connections to Shtazi and the Rescator identity are highlighted, with links to Lenin and related activities online.
- Operational infrastructure is evidenced by domain and contact data ([email protected]; millioner1.com; millioner.pw; shtazi.net; 79856696666).
- An arrest update from Russia (Feb 21) reports charges related to creating, using, and distributing malicious software.
MITRE Techniques
- [T1567.002] Exfiltration to Web Services – Data stolen from Medibank was leaked and posted on a blog associated with REvil affiliates, i.e. “the posting of Medibank’s data on that blog.”
- [T1486] Data Encrypted for Impact – Ransomware-as-a-Service model and the REvil group deployed ransomware; “REvil ransomware has been deployed on approximately 175,000 computers worldwide, with at least $200 million paid in ransom.”
- [T1036] Masquerading – The attacker used multiple aliases to operate (GustaveDore, JimJones, Blade Runner), masking identity and activities.
- [T1583.003] Acquire Infrastructure – Domains and online infrastructure linked to the operation (millioner1.com, millioner.pw, shtazi.net) were used to support activities.
- [T1566] Phishing – Phishing sites impersonating online stores were created to drive traffic and commit fraud.
Indicators of Compromise
- [Email] [email protected] – used to register infrastructure and communications related to the operation.
- [Domain] millioner1.com – registered as part of Ermakov’s operations; linked to the case.
- [Domain] millioner.pw – registered and used in connection with domain registrations tied to the actor.
- [Domain] shtazi.net – linked to the Shtazi-related activity and infrastructure.
- [Phone] 79856696666 – used to register multiple domains (millioner.pw and shtazi.net) and tied to the actor's contacts.
Read more: https://krebsonsecurity.com/2024/01/who-is-alleged-medibank-hacker-aleksandr-ermakov/