Russian National Sanctioned for Medibank Ransomware Attack
A Russian national who was involved in a ransomware attack on the Australian health insurance provider Medibank in 2022 has been sanctioned by the governments on Australia, the United States, and the United Kingdom.
Alexander Ermakov (aka blade_runner, GistaveDore, GustaveDore, or JimJones), 33, is believed to have been a member of the now-disbanded ransomware group REvil. REvil was one of the most notorious cybercriminal groups until July 2021 when the group ceased operations and disappeared. Prior to that, the group was a ransomware-as-a-service group that encrypted appropriately 175,000 computers and was paid an estimated $200 million in ransom payments from its attacks.
In October 2022, REvil gained access to the Medibank network and stole the data of approximately 9.7 million of its customers and then used ransomware to encrypt files. The stolen data included names, dates of birth, Medicare numbers, and highly sensitive medical information including mental health, sexual health and drug use data.
As a Russian national, Ermakov is unlikely to face justice for the Revil attacks as there is no extradition treaty with Australia, the United States, or the United Kingdom and Ermakov is unlikely to travel to any country where there is a risk of arrest. The U.S. Department of the Treasury criticized Russia for allowing ransomware gangs to operate within its borders and freely conduct attacks around the world, and for enabling ransomware attacks by cultivating and co-opting criminal hackers. The Treasury has called for Russia to take concrete steps to prevent cyber criminals from freely operating in its jurisdiction.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The sanctions mean that it is a criminal offence to provide any assets to Ermakov or to use or deal with any of his assets, which includes making ransom payments through cryptocurrency wallets. Australia was the first to sanction Ermakov, closely followed by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the UK government. OFAC said all property and interests in property of Ermakov that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC. Any entities that are directly or indirectly 50% or more owned by Ermakov are also blocked. Violation of the sanctions is punishable by up to 10 years’ imprisonment.
“Russian cyber actors continue to wage disruptive ransomware attacks against the United States and allied countries, targeting our businesses, including critical infrastructure, to steal sensitive data,” said Under Secretary of the Treasury Brian E. Nelson. “Today’s trilateral action with Australia and the United Kingdom, the first such coordinated action, underscores our collective resolve to hold these criminals to account.”
