US sanctions Russian citizen accused of playing key role in Medibank ransomware attack
The U.S. government sanctioned a Russian national for allegedly playing a “pivotal role” in the ransomware attack against Australian health insurance giant Medibank that exposed the sensitive information of almost 10 million patients.
Thirty-three-year-old Alexander Ermakov, who has also been sanctioned in Australia and the United Kingdom, stands accused of infiltrating Medibank’s network in October 2022 to steal personally identifiable information (PII) and sensitive health data linked to approximately 9.7 million customers.
This data, which was published on the dark web after Medibank refused to pay the hackers’ $10 million ransom demand, included customers’ names, birth dates, passport numbers, information on medical claims, and sensitive files related to abortions and alcohol-related illnesses. The breach is believed to have impacted several high-profile Medibank customers, including senior Australian government lawmakers.
Ermakov was first named on Tuesday by the Australian government, which has “worked tirelessly over the past 18 months to unmask those responsible for the cyberattack on Medibank,” Richard Marles, deputy prime minister and defense minister, said in a statement.
The U.S. Treasury Department sanctioned Ermakov shortly after the Australian government imposed first-of-its-kind sanctions against the Russian national. These sanctions, the first to be issued under Australia's new cyber sanctions framework, make it a criminal offense, punishable by up to 10 years imprisonment and heavy fines, to provide assets to Aleksandr Ermakov or to use or deal with his assets, including through cryptocurrency wallets or ransomware payments.
Ermakov and the other hackers behind the Medibank breach are believed to be linked to the Russia-backed cybercrime gang REvil, which was previously linked to the 2021 hack of Florida-based managed service provider Kaseya that encrypted thousands of its customers’ networks.
According to the U.S. Treasury, REvil ransomware has been deployed on approximately 175,000 computers worldwide, garnering at least $200 million in ransom payments.
In January 2022, Russia’s Federal Security Service (FSB) intelligence agency said it had detained multiple people associated with REvil at the request of the U.S. authorities. The FSB’s surprise operation came just months after the U.S. Department of Justice charged a 22-year-old Ukrainian citizen linked to the REvil ransomware gang due to his alleged role in the Kaseya attack.