On Monday, Australian health insurer Medibank announced via an ASX release that it will not pay the ransom demanded over customer data stolen in mid-October. The decision followed consultation with cybercrime experts, who advised the company that paying would not guarantee the stolen data is kept confidential and would likely prompt the threat actor to carry out follow-on extortion against the customers whose data was taken. On October 12th, Medibank detected the “precursors to a ransomware event,” which prompted its IT team to initiate ransomware response procedures. This quick response prevented a ransomware event, but not before the attackers had exfiltrated customer data; ThreatWatch covered the extent of the exfiltrated data on October 27th. The threat actors refer to themselves as Sodinokibi, the name previously used by the now-shuttered REvil ransomware gang, and call the operation BlogXX. Given that naming, and the fact that the encryptor used in the BlogXX operation shares source code with REvil’s encryptor, researchers believe this is either a relaunch of REvil or a new group with ties to REvil.
By Anthony Zampino

Introduction

Leading up to the most recent Russian invasion of Ukraine in