Shadowy world of ransomware-for-hire revealed by online account activity linked to the Medibank hack
Who is the hacker being linked to the Medibank cyberattack?
The government has named 33-year-old Aleksandr Gennadievich Ermakov, a Russian citizen, IT worker and alleged cybercriminal, in a new sanctions designation in connection with the most damaging cyberattack on Australians in 2022.
When the UK, the US and Australia announced sanctions against him this week over the ransom attack, they released details of several aliases he operated under.
Experts have now pieced together the online history of the accounts said to be linked to Ermakov, revealing a broader picture of his alleged cybercrime activity in the years leading up to the Medibank attack.
Cybercrime-for-hire
The hack on Medibank resulted in the personal details of 9.7 million current and former customers – including 5.1 million Medibank customers, 2.8 million ahm customers and 1.8 million international customers – being published on the dark web.
Additionally, health claims for about 160,000 Medibank customers, 300,000 ahm customers and 20,000 international customers were accessed. The information included service provider names and codes associated with diagnosis and procedures.
While the Optus hack drew the bulk of media attention in 2022, the Medibank hack was much worse in terms of both the sensitivity and the scale of the data exposed.
It’s unclear from government information what exactly Ermakov’s alleged role was, but experts suggest he may be one of a group of attackers. When the Australian government published its sanctions notice under its relatively new Magnitsky-style powers, it listed four usernames Ermakov was also known by: GustaveDore, aiiis_ermak, blade_runner and JimJones.
Cybersecurity firm Intel471 pieced together the online history of the accounts, finding they had been active on cybercrime forums and in the cybercrime-for-hire economy, both as buyers and providers of ransomware.
Intel471 said that an account named JimJones advertised a malware development service on the Exploit forum in September 2020 and sought investors for ransomware development, claiming they would provide “ready-to-use” malware, with JimJones taking 5% of ransoms paid. Although it is the same username, it is not clear whether Ermakov himself was behind…