Shadowy world of ransomware-for-hire revealed by online account activity linked to the Medibank hack

When the UK, the US and Australia announced sanctions against him this week over the ransom attack, they released details of several aliases he operated under.

Experts have now pieced together the online history of the accounts said to be linked to Ermakov, revealing a broader picture of his alleged cybercrime activity in the years leading up to the Medibank attack.

Cybercrime-for-hire

The hack on Medibank resulted in the personal details of 9.7 million current and former customers – including 5.1 million Medibank customers, 2.8 million ahm customers and 1.8 million international customers – being published on the dark web.

Additionally, health claims for about 160,000 Medibank customers, 300,000 ahm customers and 20,000 international customers were accessed. The information included service provider names and codes associated with diagnosis and procedures.

While the Optus hack drew the bulk of media attention in 2022, the Medibank was much worse in terms of the kind and scale of data exposed.

It’s unclear from government information what exactly Ermakov’s alleged role was, but experts suggest he may be one of a group of attackers. When the Australian government published its sanction notice under its relatively new Magnitsky-type powers, it listed four usernames Ermakov was also known as: GustaveDore, aiiis_ermak, blade_runner and JimJones.

Cybersecurity firm Intel471 pieced together the online history of the accounts, finding they had been active on cybercrime forums and in the cybercrime-for-hire economy, both as buyers and providers of ransomware.

Intel471 said that an account named JimJones advertised a malware development service on the Exploit forum in September 2020 and sought investors for ransomware development, claiming they would provide “ready-to-use” malware, with Jimjones taking 5% of ransoms paid. Although it is the same username it is not clear whether Ermakov himself was behind the account or these posts and the Guardian has been unable to contact him for comment.

Intel471 say they found evidence that the account also began seeking to hire unethical penetration testers – security workers who are hired by businesses to find network weaknesses before hackers do – specifically seeking the supply of login credentials that would allow ransomware attacks to be launched.

The home affairs minister, Clare O’Neil, alleged this week that Ermakov was believed to be a member of the REvil Russian ransomware group. However, it is unclear what ties he may have had to the group.

Intel417 analysed ransomware used by JimJones and associated threat actors and found it was ransomware developed by REvil, and the dark web blog where Medibank ransom demands and data were posted was one that had once been controlled by REvil.

But the 2022 Medibank breach happened after the Russian security agency, the FSB, cracked down on REvil and the group’s activities ceased online. Intel471 suggested this meant the Medibank hacker was likely an associate of that group, rather than a member.

The hackers were allegedly seeking US$10m from Medibank but the ransom was never paid.

The Australian government launched a “hack the hackers” taskforce, and the Australian Signals Directorate, the Australian Federal Police and companies such as Microsoft and CyberCX worked quickly to identify who they believed to be behind the attack. In late 2022, due to what the acting director general of ASD, Abi Bradshaw, told Nine News this week was “sloppy tradecraft”, they identified the alleged hacker.

The AFP commissioner, Reece Kershaw, said in November 2022: “We know who you are.” The organisation sought the cooperation of Russian law enforcement, but it would take more than a year before the sanction was announced.

Naming and shaming

CyberCX’s chief strategy officer, Alistair MacGibbon, told Guardian Australia it was appropriate that police attempt to get cooperation from Russian authorities in the first instance. He said the next step could be criminal charges against Ermakov, albeit in absentia.

In the meantime, sanctions make it illegal to provide assets to Aleksandr Ermakov, or to use or deal with his assets, including through cryptocurrency wallets or ransomware payments.

Bradshaw said on Tuesday the naming would harm his ability to do business. Intel471 analyst Jeremy Kirk said sanctions make things much harder.

“Naming-and-shaming actions like the government did in this case also raise [alleged] cybercriminals’ profiles,” he said. “Even in countries that are a safe haven for [alleged] cybercriminals, being prominently identified as one isn’t desirable. It makes continuing operations more difficult, as others in the cybercriminal world are reluctant to starting working with someone who is closely monitored.”

MacGibbon said it would hurt Ermakov outside of Russia.

“The[y] hope to be able to have assets and holidays and other things in other locations,” he said. “And this dramatically reduces the utility of whatever money [Ermakov] has made.”

“It’s a significant move in the right direction by Australia to put pressure on him.”

MacGibbon said if criminal charges are later made against Ermakov, it would be harder to travel.

“The criminal law doesn’t have to necessarily reach into Russia for this guy to get caught at some stage because if he goes outside Russia and he goes to a cooperating third country, which often people do, and the Australian government and its allies find out he will be in a world of hurt.”

MacGibbon said the decision to name the alleged cybercriminal showed a maturity in the Australian government’s handling of cybersecurity.

“We celebrate that the Australian government has taken this action … for far too long people seem to think is just some guy in a basement with a hoodie on,” he said.

“It actually gives a sense of comfort that people can be identified.”