Authorities in Australia, the United Kingdom and the United States this week levied financial sanctions against a Russian man accused of stealing data on nearly 10 million customers of the Australian health insurance giant Medibank.
33-year-old Aleksandr Ermakov allegedly stole and leaked the Medibank data while working with one of Russia's most destructive ransomware groups, but little else has been disclosed about the accused.
Here's a closer look at the activities of Mr. Ermakov's alleged hacker handles.
The allegations against Ermakov mark the first time Australia has sanctioned a cybercriminal.
The documents released by the Australian government included multiple photos of Mr. Ermakov, and it was clear they wanted to send a message that this was personal.
The attackers who broke into Medibank in October 2022 stole 9.7 million records on current and former Medibank customers.
When the company refused to pay a $10 million ransom demand, the hackers selectively leaked highly sensitive health records, including those tied to abortions, HIV and alcohol abuse.
The U.S. government says Ermakov and the other actors behind the Medibank hack are believed to be linked to the Russia-backed cybercrime gang REvil.
The sanctions say Ermakov went by multiple aliases on Russian cybercrime forums, including GustaveDore, JimJones, and Blade Runner.
A search on the handle GustaveDore at the cyber intelligence platform Intel 471 shows this user created a ransomware affiliate program in November 2021 called Sugar, which focused on targeting single computers and end-users instead of corporations.
Ru in Google is an Instagram post from a user named Mikhail Borisovich Shefel, who promotes Shtazi's services as if it were also his business.
A search for this email at DomainTools.com shows it was used to register just one domain name: millioner1[.
DomainTools further finds that a phone number tied to Mr. Shefel was used to register two domains: millioner[.
The Instagram account for Mr. Shefel includes images of stacked USSR-era Ruble notes, as well as multiple links to Shtazi.
Intel 471's research indicated Ermakov was affiliated in some way with REvil because the stolen Medibank data was published on a blog that had at one time been controlled by REvil affiliates, who carried out attacks and paid an affiliate fee to the gang.
By the time of the Medibank hack, the REvil group had mostly scattered after a series of high-profile attacks led to the group being disrupted by law enforcement.
In November 2021, Europol announced it had arrested seven REvil affiliates who collectively had made more than $230 million worth of ransom demands since 2019.
At the same time, U.S. authorities unsealed two indictments against a pair of accused REvil cybercriminals.
It is easy to dismiss sanctions like these as ineffective, because as long as Mr. Ermakov remains in Russia he has little fear of arrest.
His alleged role as an apparent top member of REvil paints a target on him as someone who likely possesses large sums of cryptocurrency, said Patrick Gray, the Australian co-host and founder of the security news podcast Risky Business.
This Cyber News was published on krebsonsecurity.com. Publication date: Fri, 26 Jan 2024 18:16:27 +0000