Hacks Like The Medibank Data Breach Are Part Of A Sophisticated Underground Business
Modern hacking crews boast public-facing websites, featuring FAQ sections and even chatbots to help you convert your ransom into bitcoin.
“After considering all options, we have made a decision that we cannot pay your demand,” reads the reply from a Medibank media representative to a hacker group sent on November 7th.
“We understand the impact this might have.”
The exchange feels almost cordial; like a company turning down a pitch from an advertising agency. But it signals that the negotiations over the biggest cache of Australian user information in history have just come to a close.
In case you missed it, personal information like phone numbers and physical addresses, as well as highly private medical records and passport numbers for over 9.7 million customers of Medibank were stolen last month.
The highly sophisticated hack has led to a renewed discussion about the corporate responsibility to protect customer information, with Prime Minister Anthony Albanese presenting legislation that would fine companies $50 million for repeatedly letting user data fall into the wrong hands.
But more than that, the attack signals that hacking outfits have skilled up, with experts remarking that they almost resemble professional businesses. In fact, paying a ransom on the deep web nowadays is probably easier than renewing your car registration, and with a more appealing website to boot!
“Hackers Have All The Same Motivation Mainstream Businesses Have”
Perhaps the biggest indicator of the organisation hacking groups have achieved in recent years is that it is now commonplace for these covert groups to have public facing business websites on the deep web. One of the most notorious ransomware crews, LockBit, boast a website with graphic design and support infrastructure that rivals your bank, complete with chatbots to guide new “users” through the process of purchasing bitcoin to pay for the safe release of stolen private files.
Like many businesses, customer service is key. Is this your first ransom and you’ve never bought Bitcoin before? No problems, there’s a helpful page for that… which feels just like any normal help page on a legit website: pic.twitter.com/OpAE5sVUqi
— Troy Hunt (@troyhunt) November 7, 2022
Online security expert and regional director with Microsoft, Troy Hunt says that to understand the true scale of the threat posed by modern hackers, you need to see them for what they are: booming businesses.
“They’re running an enterprise here, and trying to figure out the highest and best return they can get on their asset,” Hunt says.
“It makes good sense for them to run it like a business, even down to having chatbots and support systems and things like that. And why wouldn’t you? Hackers have all the same motivations that a mainstream business has, they want people to have trust, they want it to be easy to purchase the product, and they want to provide good customer support.”
This business sense even applies to how the ransom itself is decided. For example, the individuals behind the Medibank attack reduced their initial request for $10 million down to $9.7 million, so the company would only have to pay $1 per customer.
“Looking at it through the lens of a business, it seems like a reasonable ask. $9.7 million would be an easy case for Medibank to make, it’s already cost them many times that already. They’re positioning their ransom figure somewhere that makes financial sense,” explains Hunt.
Of course, this professionalism belies a merciless streak hacking groups are notorious for. Companies that fail to pay their ransom on time are leveraged with the most sensitive aspects of the stolen data available. In the case of Medibank, once negotiations were concluded, hackers promptly delivered on their promise to publicly list the names of policyholders that had claimed abortion procedures with the company.
“They want to make sure that people understand they deliver on their commitment,” Hunt says. “Pay the money or we’ll go to town on you.”
Who Are The Medibank Hackers And Should The Company Pay Their Ransom?
Medibank CEO David Koczkar explaining to ABC reporters that the company ultimately refused to negotiate with the hackers.
Hunt describes the people behind the Medibank attack as “ransomware crew 101”. While many have been quick to label the outfit as a rebranded version of a notorious Russian group named REvil, Hunt says the truth is probably more complicated.
“Inevitably it’s some of the same crew. But there’s a lot of people that drift around different ransomware gangs and different affiliates, just like people do in real life,” Hunt says.
Hunt says that the power dynamics of ransom attacks have changed in recent years. Once upon a time, ransomware attacks were really quite simple. Rather than stealing data from companies, hackers would simply lock companies out of their data. The name ‘ransomware’ was derived from signature virus programs that would brick companies’ computer infrastructure data, requiring the victim to purchase a key from their ransomer.
Medibank cybercrime update: today we’ve announced we will not pay the ransom to the criminal responsible for the data theft. A decision based on extensive advice we’ve received from cyber experts & consistent with the position of the Australian governmenthttps://t.co/FUYAN49uWo
— Medibank (@medibank) November 6, 2022
Today, attacks like the Optus and Medibank hack where hackers steal entire caches of businesses’ user data have become much more prevalent, despite the fact that companies are much more hesitant about paying a ransom for data that criminals already have in their possession.
“[Companies] have no guarantees that the product – which in this case is the destruction of records – is going to be delivered,” Hunt says.
“You just have a cyber hacker on the other side of the world going ‘trust us mate, we’re going to delete it’.”
But even if businesses are wary of paying these ‘reasonable’ ransoms, there are plenty of other buyers out there. From fellow criminals seeking to purchase the data to profit by ransoming individuals named in the data personally, to other hackers keen on using the information to tailor highly believable phishing attacks, Hunt says there is no shortage of interested buyers.
“It’s just a question of price,” Hunt says. “Now that this data has spread out there publicly, it will then be used for all sorts of abusive purposes, which is terrible but also inevitable.”
Sadly, a case study of why companies should never pay these ransoms came after a teenager was arrested in relation to the recent Optus data leak this week. Telling the courts he was looking to make some “quick money”, the 19-year-old Sydney teenager pleaded guilty to attempting to extort victims of the Optus data leak after accessing their contact information via the the dark web.
Could Australian Data Laws Be The Key To Stopping Future Hacks?
Federal Attorney General Mark Dreyfus has signalled that Australian privacy laws will be changing in response to the recent high-profile data breaches.
A broader conversation is being had by privacy experts and lawmakers about how changing Australian data laws to make hacks like the one Medibank suffered more difficult to conduct. While Troy agrees that a review of data retention laws in Australia is needed, he admits that he’s stumped when it comes to the example of the Medibank breach.
“If we take the case of Medibank, the sort of data that is being leaked is the sort of data that a healthcare provider needs to have,” Hunt says. “They need to have your name, your email address, and your phone number. They need to know your previous conditions, they need to record if there were any payouts.”
“I’m honestly struggling in the case of Medibank to think of what data has been leaked that wasn’t actually necessary for the company to have in the first place.”
Could the data at least have been secured with stronger encryption, making it impossible for hackers to decipher once stolen? Sadly, as Troy puts it, the problem with encryption is decryption. Because encrypted data still needs to be decrypted regularly to be actually functional, there will always be a point of vulnerability hackers will seek out to bypass the encryption altogether.
Ironically, while hacking outfits begin to resemble businesses, Hunt says Australian companies routinely send text and email promotions that are “indistinguishable” from phishing schemes.
“We’ve got organisations that just don’t know how to craft messages that are consistent with advice from InfoSec recommendations on how to avoid scams. Is it any wonder that we’re in this problem?”
Charles Rushforth is a staff writer at Junkee. Follow him on Twitter.