On Monday, Australian health insurer Medibank announced via an ASX release that it would not pay the ransom demanded over the data theft that occurred in mid-October. The decision was made after consulting cybercrime experts, who advised the company that paying would not guarantee the confidentiality of customer data and would likely prompt the threat actor to carry out follow-on extortion against the customers whose data was stolen. On October 12th, Medibank detected the “precursors to a ransomware event,” which prompted its IT team to initiate ransomware response procedures. This quick response prevented a ransomware event, but not before the attackers had exfiltrated customer data. ThreatWatch previously covered the extent of the exfiltrated data on October 27th. The threat actors refer to themselves as Sodinokibi, a name previously used by the now-shuttered REvil ransomware gang, and call the operation BlogXX. Given the shared naming and the fact that the BlogXX encryptor shares source code with REvil’s encryptor, researchers believe this is either a relaunch of REvil or a new group with ties to REvil.
Companies have several options for detecting unauthorized access to files, any of which might have helped catch this attack before a significant amount of customer data was exfiltrated. Canary tokens can be used to create files that appear highly valuable but generate an alert when accessed. Companies can also deploy canary accounts: accounts that appear to be used for accessing critical data but serve no legitimate purpose, so that any successful login to one triggers an alert. Many data classification solutions can also restrict the times during which groups of users may access data, and can help establish a behavioral baseline of normal usage so that abnormal access stands out. NetFlow data can likewise be used to baseline network traffic, making data exfiltration and command and control (C2) traffic easier to identify.
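As an added illustration of the NetFlow baselining and time-of-day controls described above (example code written for this page, not tooling from Medibank or ThreatWatch), the following Python builds a per-host outbound-bytes baseline from constructed flow records and flags flows in a review window that exceed it, fall outside business hours, or leave the internal address range. The host names, addresses, byte counts and the 10.0.0.0/8 internal range are all constructed sample values.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed NetFlow-style records: (src_host, dst_ip, bytes_out, hour_of_day).
# BASELINE_FLOWS represents a window of known-normal traffic; REVIEW_FLOWS is the
# period being checked against it. All values are made up for this example.
BASELINE_FLOWS = [
    ("db-01", "10.0.5.20", 120_000, 10), ("db-01", "10.0.5.21", 135_000, 11),
    ("db-01", "10.0.5.20", 110_000, 14), ("db-01", "10.0.5.22", 128_000, 16),
    ("db-01", "10.0.5.21", 140_000, 9),
    ("web-01", "10.0.5.20", 45_000, 10), ("web-01", "10.0.5.20", 52_000, 13),
    ("web-01", "10.0.5.21", 48_000, 15), ("web-01", "10.0.5.22", 50_000, 11),
    ("web-01", "10.0.5.20", 47_000, 12),
]
REVIEW_FLOWS = [
    ("db-01", "10.0.5.20", 125_000, 11),      # within baseline, business hours
    ("db-01", "203.0.113.77", 9_500_000, 2),  # large off-hours transfer to an external IP
    ("web-01", "10.0.5.21", 49_000, 10),      # within baseline, business hours
]
# Assumed internal address space; a real deployment would load this from its IPAM.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def build_baseline(flows):
    """Return {src_host: (mean_bytes_out, population_stdev)} over the baseline window."""
    per_host = defaultdict(list)
    for src, _dst, nbytes, _hour in flows:
        per_host[src].append(nbytes)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in per_host.items()}

def flag_flows(flows, baseline, k=3.0, business_hours=range(8, 19)):
    """Return [(flow, [reasons])] for flows that deviate from the baseline or policy."""
    hits = []
    for flow in flows:
        src, dst, nbytes, hour = flow
        reasons = []
        if src not in baseline:
            reasons.append("no baseline for host")
        else:
            mean, sd = baseline[src]
            if nbytes > mean + k * sd:  # volume anomaly: beyond k standard deviations
                reasons.append(f"bytes_out {nbytes} exceeds {mean + k * sd:.0f}")
        if hour not in business_hours:  # time-of-day policy from the data classification tooling
            reasons.append(f"outside business hours ({hour:02d}:00)")
        if not any(ipaddress.ip_address(dst) in net for net in INTERNAL_NETS):
            reasons.append(f"destination {dst} outside internal range")
        if reasons:
            hits.append((flow, reasons))
    return hits
```

Each flagged flow carries every reason it tripped, so an analyst can distinguish a single off-hours batch job from a large transfer to an external host that also happens after hours.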