The REvil Ransomware Gang's Attack on Medibank

The REvil ransomware gang has attacked Medibank. Medibank is one of the largest Australian private health insurance providers, covering over 3 million people and boasting nearly 4000 employees. The health insurance organization refused to meet REvil’s ransom demands, resulting in the ransomware gang publishing 200GB of stolen data in a 5GB compressed file to their data leak site.

A Medibank spokesperson said in a statement: “While our investigation continues there are currently no signs that financial or banking data has been taken, and the personal data stolen, in itself, is not sufficient to enable identify and financial fraud. The raw data we have analysed today so far is incomplete and hard to understand.”

REvil's Background and Tactics

REvil, who first emerged in 2019, is assessed to be the successor of the defunct criminal gang GandCrab and to be responsible for some of the biggest attacks on record, including the supply-chain ransomware attack against Kaseya and meatpacker JBS. REvil is also assessed to be connected to the now-defunct DarkSide group that disrupted energy giant Colonial Pipeline.

REvil invested a lot into the development and improvement of the platform and is known to use several security tool evasion techniques, such as leveraging the anti-rootkit tool GMER to disable security software as well as hard-coded checks to assure the target is not located in a Russian-aligned Commonwealth of Independent States (CIS) country.