The governments of Australia, the United Kingdom and the United States have imposed financial sanctions on Alexander Ermakov, a Russian national [1] [2] [3] [4] [6] [7] [8], for his alleged involvement in the 2022 ransomware attack against Medibank Private Limited, an Australian health insurer [3] [4] [5] [6]. The coordinated action demonstrates the three governments' commitment to holding cybercriminals accountable [7].

Description

Ermakov is accused of infiltrating Medibank's network in October 2022 and stealing the personally identifiable information (PII) and sensitive health data of approximately 9.7 million customers [3] [4]. The stolen data included names, dates of birth, passport numbers, medical claims information [1] and sensitive files relating to abortions and alcohol-related illnesses; it was published on the dark web after Medibank refused to pay a $10 million ransom [3] [4].

As part of the sanctions [1], it is now a criminal offense to provide assets to Ermakov or to use or deal with his assets [1] [4], including through cryptocurrency wallets or ransomware payments [1] [4]. The offense carries a maximum penalty of 10 years’ imprisonment [1]. The Australian government has also imposed a travel ban on Ermakov [1]. The UK government stated that the sanctions are part of their efforts to counter cybercriminal activity from Russia [1]. The US Department of the Treasury called out Russia for enabling ransomware attacks and urged the country to take action to prevent cyber criminals from operating freely within its jurisdiction [1].

Ermakov and the other hackers involved in the Medibank breach are believed to be linked to the Russia-backed cybercrime gang REvil, which has been responsible for deploying ransomware on approximately 175,000 computers worldwide and collecting at least $200 million in ransom payments [4]. The 2021 attack on the Florida-based managed service provider Kaseya was also attributed to REvil [4]. In January 2022, Russia's Federal Security Service detained multiple individuals associated with REvil at the request of US authorities [4].

Russia has been known to provide a safe haven for ransomware actors such as Ermakov, allowing them to carry out cyber attacks freely [5]. The Treasury has emphasized the need for Russia to take concrete steps to prevent cybercriminals from operating within its jurisdiction [5]. The Australian government has used its cyber sanctions framework for the first time to impose financial penalties on Ermakov, a significant step in holding individuals accountable for cyber attacks.

The breach at Medibank Private in 2022 resulted in the theft of personal information from 9.7 million customers, including names, dates of birth, Medicare numbers and sensitive health information [1] [3] [4] [6] [8]. The Australian Signals Directorate and the Australian Federal Police identified Ermakov as responsible for the attack [8]. The sanctions prohibit the provision of any assets, including cryptocurrency and ransom payments, to Ermakov, and breaching them carries a maximum penalty of 10 years in prison [8]. Home Affairs Minister Clare O'Neil described the Medibank breach as the most devastating cyber attack in Australia's history and emphasized the government's commitment to holding cybercriminals accountable [8]. Authorities are also investigating other Russian cyber gangs that have threatened Australia, with cooperation from cyber authorities in the US and UK [8]. Medibank thanked the government for identifying Ermakov and imposing the sanctions [8].

The Australian government collaborated with various intelligence agencies and companies during the investigation [2]. While the disruption of REvil may not end its activities entirely, publicly naming Ermakov is expected to harm his operations [2]. Investigations into other individuals involved in the attack are ongoing [2]. Australian authorities have urged victims not to pay ransoms, since payment neither guarantees data recovery nor prevents further attacks [2].

Conclusion

The financial sanctions imposed on Alexander Ermakov for his alleged involvement in the Medibank ransomware attack highlight the commitment of the Australian, UK [8] and US governments to combating cybercrime. The sanctions serve as a deterrent and demonstrate the consequences cybercriminals face. The collaboration between intelligence agencies and companies in the investigation shows the importance of international cooperation in addressing cyber threats. While the disruption of REvil may not completely halt its activities, the identification and public naming of Ermakov is expected to hinder his operations. It is crucial for Russia to take concrete steps to prevent cybercriminals from operating within its jurisdiction [5]. The Australian government's use of cyber sanctions marks a significant step in holding individuals accountable for cyber attacks. Individuals and organizations should refrain from paying ransoms to cybercriminals, as payment neither guarantees data recovery nor prevents future attacks [2].

References

[1] https://thehackernews.com/2024/01/us-uk-australia-sanction-russian-revil.html
[2] https://edition.cnn.com/2024/01/23/tech/medibank-attack-australia-sanction-revil-intl-hnk/
[3] https://news.yahoo.com/us-imposes-sanctions-russian-hacker-191345229.html
[4] https://techcrunch.com/2024/01/23/us-sanctions-russian-citizen-accused-of-playing-key-role-in-medibank-ransomware-attack/
[5] https://home.treasury.gov/news/press-releases/jy2041
[6] https://www.upi.com/Top_News/US/2024/01/23/Australia-Britain-sanction-Russian-cybercriminal/2291706065624/
[7] https://www.abc.net.au/news/2024-01-24/us-uk-join-australia-hit-russian-man-sanctions-medibank-breach/103382478
[8] https://www.abc.net.au/news/2024-01-23/australian-government-sanctions-russian-over-medibank-data-leak/103377976?sf271438979=1