PhilHealth cyberextortion

“Proof of life” describes exactly last week’s initial exposure of the Philippine Health Insurance Corporation’s (PhilHealth) stolen data trove.

In fact, cybersecurity pros quickly demand — and their cybercriminal nemeses often quickly provide — “proof of life” each time there’s a “ransomware” hit like what miserable PhilHealth officials are presently struggling with.

“Proof of life” then isn’t a fanciful ploy for gaining attention. Cybersecurity pros call it what it really is: “ransomware” is kidnapping updated for the digital age.

And, much as kidnap gangs seize human beings and demand ransom, cybercrime gangs infiltrate computers, seize data, lock the data, and extort money to have the stolen data returned.

As an Internet-based criminal activity, cybersecurity experts categorize “ransomware” as one of the world’s most pervasive and lucrative, such that attacks are said to occur every 14 seconds on government bodies and private corporations worldwide.

In PhilHealth’s case, investigators understandably can’t yet give extensive details of the 22 September attack, which forced the state health insurer to go offline for a few days.

Initial details, however, indicate an unidentified cyber gang likely used a common ploy like phishing — sending deceptive emails carrying malicious attachments, that is, malware — to infiltrate PhilHealth’s computer servers and workstations.

The hackers apparently succeeded and were able to detonate an encrypting “ransomware” operation called “Medusa,” which happens to be just one of the thousands of known “ransomware” packages out there.

According to Bleeping Computer’s website — the cybersecurity equivalent of an 18th-century Parisian salon where the best minds exchange ideas about “ransomware” — “Medusa” operations began picking up steam this year, with the PhilHealth attack probably the latest publicized local victim.

Suffice it here to know that the encrypting “ransomware” that PhilHealth’s technical people are laboring against marks its encrypted files with what computer geeks technically call a “static encrypted file extension” of “MEDUSA.”

Unfortunately, Bleeping Computer’s Lawrence Abrams, in a 12 March 2023 update, says the “Medusa Ransomware” encryption has no known weaknesses that would allow victims to freely recover their purloined files without paying the ransom.

If the “Medusa Ransomware” isn’t cracked soon, PhilHealth courts unprecedented disaster.

Anyway, the unknown cyber gang was demanding a $300,000 (approximately P17 million) ransom, probably in cryptocurrency like bitcoin, and it gave PhilHealth officials a 10-day deadline, ending on 3 October.

The 10-day deadline mattered because the cyber attackers gave PhilHealth officials differently priced ransom options.

Investigators say PhilHealth officials were given a $100,000 ransom option for extending the original 3 October deadline if the $300,000 ransom could not be met.

PhilHealth officials initially dismissed the attack as nothing but a bluff and refused to pay up.

But after the 10-day standoff, it was painfully clear that there was “proof of life.” The unknown cyber gang began releasing on 3 October some of the stolen data, first through a secretive Dark Web site called “Medusa Log” and later on the publicly accessible Telegram messaging app.

Despite PhilHealth’s assurances that its crucial databases containing personal details of its members were intact and secure, investigators couldn’t categorically determine the true extent of the data theft and its impact on PhilHealth members.

The country’s privacy commission says the data trove stolen was “staggering.”

As such, government investigators warned that cyber gangs specializing in Internet and text scams and identity theft might use PhilHealth’s stolen data for their nefarious schemes.

But it must also be emphasized that “ransomware” is a simple concept, and its execution is highly profitable.

Before the emergence of “ransomware,” hackers who breached secure computer systems still had a lot of work to do, like finding shadowy buyers for the stolen data before they could cash in.

“Ransomware” gangs, which bank on a victim’s reliance on computers for everything, need not go to that extent; simply demanding ransom will do.

And, with “ransomware” gangs easily buying “ransomware” packages off the Dark Web, we fear the PhilHealth case is merely the beginning of a cyber-kidnapping wave.
