Medibank Refuses to Pay Ransomware Gang to Prevent Release of Customer Data

In October, Medibank, one of the largest private health insurers in Australia, suffered a ransomware attack that involved the theft of the data of almost 10 million customers. The group behind the attack is thought by some security researchers to be the notorious REvil ransomware gang. The new operation is known as BlogXX, after the name of the website used by the group. In conversations with victims, the group calls itself Sodinokibi – a previous name used by REvil – and the source code for the ransomware is based on REvil. Whether this is an offshoot of REvil or a rebrand remains to be seen, but the tactics used by both operations are similar. The group exfiltrates sensitive data before encrypting files and then threatens to publicly release the stolen data if the ransom is not paid. Medibank has recently stated publicly that it has no intention of paying the ransom. What is currently at stake is the personally identifiable information of 9.7 million of its current and former customers.

According to Medibank, its forensic investigation has confirmed that the group exfiltrated files from its systems that contained the names, birth dates, addresses, phone numbers, and email addresses of around 9.7 million current and former customers and some of their authorized representatives. Out of that number, 5.1 million individuals are current Medibank customers, 2.8 million are ahm customers, and around 1.8 million are international customers. The data includes the Medicare numbers of ahm customers and the passport numbers and visa details of international student customers. A subset of individuals also had their health claims data and/or healthcare provider information stolen. Some My Home Hospital (MHH) patient information was also accessed, although financial information is not believed to have been exposed or stolen.

“We unreservedly apologize to our patients who have been the victims of this very serious crime. We appreciate this will be distressing for you,” explained Medibank in its website breach update.

On November 7, 2022, Medibank confirmed that it is not paying the ransom. Medibank’s view echoes that of the Australian government and the Federal Bureau of Investigation, which discourage victims from paying ransom demands because there are no guarantees that the keys to decrypt data will be sent or that stolen data will be deleted and not misused, and because paying the ransom encourages further attacks.

“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published. In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” said Medibank in a statement. Medibank CEO David Koczkar did not disclose how much the attackers were demanding but said the figure was irrelevant. “The amount of money that was demanded is – actually, was – irrelevant to the decision. The decision was based on the expert cybercrime advice,” said Koczkar.

Following the announcement, the ransomware gang said they would be releasing the stolen data within 24 hours on their dark web data leak site. Medibank has warned customers to remain vigilant and has suggested they may even be contacted directly by the group.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of