Who is Alleged Medibank Hacker Aleksandr Ermakov? – Krebs on Security

Australian sanctions target Aleksandr Ermakov for allegedly stealing data on about 9.7 million Medibank customers and leaking it after a ransom dispute. Authorities link him to REvil and a ransomware affiliate ecosystem, with multiple handles and operatives tied to the activity. Hashtags: #Medibank #REvil #GustaveDore #JimJones #Shtazi #Rescator #Sugar

Keypoints

  • Data on about 9.7 million Medibank customers was stolen, and highly sensitive health records were leaked after Medibank refused to pay a $10 million ransom.
  • Australia sanctioned Aleksandr Ermakov, the first time the country has used its cyber sanctions powers against an individual.
  • The U.S. Treasury ties Ermakov and the Medibank attackers to the REvil ransomware gang, a ransomware-as-a-service operation.
  • Ermakov used multiple aliases (GustaveDore, JimJones, Blade Runner) and ran a ransomware affiliate program called Sugar.
  • The article also connects him to the Shtazi identity and to the Rescator persona, and to an account using the handle Lenin.
  • Domain registration records tie these personas together through shared contact details ([email protected]; millioner1.com; millioner.pw; shtazi.net; 79856696666).
  • A Feb 21 update reports that Russian authorities arrested Ermakov on charges of creating, using and distributing malicious software.

MITRE Techniques

  • [T1567] Exfiltration Over Web Service – The stolen Medibank data was published on a leak blog associated with REvil affiliates (“the posting of Medibank’s data on that blog”). The blog post is publication of data already taken; the page does not describe the channel used to move the data out of Medibank’s network.
  • [T1486] Data Encrypted for Impact – REvil operated a ransomware-as-a-service model and deployed ransomware at scale: “REvil ransomware has been deployed on approximately 175,000 computers worldwide, with at least $200 million paid in ransom.”
  • [T1036] Masquerading – Mapped here for the actor’s use of several aliases (GustaveDore, JimJones, Blade Runner) to hide his identity. Strictly, T1036 covers malicious files or processes disguised as legitimate ones; persona handles fit Resource Development (T1585 Establish Accounts) better.
  • [T1583.001] Acquire Infrastructure: Domains – Domains linked to the actor (millioner1.com, millioner.pw, shtazi.net) were registered to support his operations.
  • [T1566] Phishing – Earlier activity attributed to the actor includes building phishing sites impersonating online stores to commit fraud (the page’s phrase is “phishing sites for stores”).

Indicators of Compromise

  • [Email] [email protected] – used to register infrastructure and for communications tied to the operation (the address is obfuscated in the extracted text).
  • [Domain] millioner1.com – registered by the actor and linked to the case.
  • [Domain] millioner.pw – registered with contact details shared with the actor’s other domains.
  • [Domain] shtazi.net – linked to the Shtazi identity and its infrastructure.
  • [Phone] 79856696666 – used to register several domains (including millioner.pw and shtazi.net), tying the registrations to the same actor.
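The indicators above are registration artifacts rather than live command-and-control, so their practical use is a retro-hunt over DNS, proxy and mail logs. The script below is an added example, not code from the Krebs article: it sweeps constructed log lines for the listed domains (matching subdomains too), for phone numbers normalised to digits, and for any e-mail addresses the caller supplies. The e-mail indicator survives on the page only as an obfuscated placeholder, so it is deliberately not hard-coded. The phone normalisation assumes Russian numbers (domestic trunk prefix 8 mapped to country code 7); the log format is invented for the example.

```python
"""IoC retro-hunt over log lines (added example, not from the article)."""
import re
from collections import Counter
from typing import Optional

# Indicators from the list above. The e-mail indicator on the page is an
# obfuscated placeholder, so it is passed in by the caller rather than hard-coded.
IOC_DOMAINS = frozenset({"millioner1.com", "millioner.pw", "shtazi.net"})
IOC_PHONES = frozenset({"79856696666"})

_HOST_RE = re.compile(
    r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b"
)
_EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}")
_PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")


def normalize_phone(raw: str) -> str:
    """Keep digits only and map the Russian domestic trunk prefix 8 to country
    code 7 (assumption: phone indicators are Russian numbers, like the one above)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("8"):
        digits = "7" + digits[1:]
    return digits


def domain_matches(host: str, iocs) -> Optional[str]:
    """Return the IoC domain that host equals or is a subdomain of, else None.
    Suffix matching is anchored on a dot so notmillioner.pw does not hit millioner.pw."""
    host = host.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def sweep(lines, domains=IOC_DOMAINS, phones=IOC_PHONES, emails=frozenset()):
    """Return (line_number, kind, ioc, matched_text) for every indicator hit.
    Hostnames are also extracted from inside URLs and e-mail addresses, so mail
    to an address at an IoC domain is reported as a domain hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for host in _HOST_RE.findall(low):
            ioc = domain_matches(host, domains)
            if ioc:
                hits.append((n, "domain", ioc, host))
        for addr in _EMAIL_RE.findall(low):
            if addr in emails:
                hits.append((n, "email", addr, addr))
        for raw in _PHONE_RE.findall(line):
            num = normalize_phone(raw)
            if num in phones:
                hits.append((n, "phone", num, raw.strip()))
    return hits


def summarize(hits) -> Counter:
    """Count hits per (kind, indicator) for a quick triage view."""
    return Counter((kind, ioc) for _, kind, ioc, _ in hits)


# Constructed sample log lines (invented format; not real telemetry).
SAMPLE_LOGS = [
    '2024-01-23T10:01:02Z dns client=10.0.0.15 q=www.millioner.pw type=A',
    '2024-01-23T10:01:05Z proxy src=10.0.0.15 url=https://shtazi.net/login status=200',
    '2024-01-23T10:02:11Z dns client=10.0.0.22 q=example.org type=A',
    '2024-01-23T10:03:40Z crm note="contact phone +7 (985) 669-66-66"',
    '2024-01-23T10:04:00Z dns client=10.0.0.9 q=notmillioner.pw type=A',
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print(hit)
    print(summarize(sweep(SAMPLE_LOGS)))
```

Running it on the sample lines reports the www.millioner.pw lookup, the shtazi.net proxy request and the formatted phone number, and correctly ignores notmillioner.pw. Tighten `_PHONE_RE` before use on real data; it is deliberately loose and relies on the normalised digit string being in the indicator set.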

Read more: https://krebsonsecurity.com/2024/01/who-is-alleged-medibank-hacker-aleksandr-ermakov/