By Junex Doronio

AS MILLIONS OF PHILHEALTH (Philippine Health Insurance Corporation) members were affected by the data breach in the state insurer's system, the Department of Information and Communications Technology (DICT) this time gave a confusing statement, saying that it was the Confucius group, not Medusa, that uploaded a copy of over 600 gigabytes of files.

The copy was reportedly uploaded to a website and a Telegram channel after 4 p.m. on October 5, two days after the deadline for payment of the ransom of about $300,000, or approximately P17 million, had expired.

DICT Secretary Ivan Uy said the hackers may sell the leaked information to scammers and phishers considering that the perpetrators were not able to get the money they asked for.

“They will try to monetize the information by selling to scammers, to phishers para gamitin ‘yung data nila (to use their data),” he said.

On the other hand, DICT Undersecretary Jeffrey Dy said their analysis showed that there were no remnants of the Medusa malware in the members’ database.

Uy further said that investigators are still trying to identify if the hackers are Filipinos or foreigners.

“Sa tingin ko naman ‘yung local hindi sila maglalakas loob dahil mahahabol natin sila. Nasa loob ng ating jurisdiction (I don’t think local actors would dare, because we can go after them; they are within our jurisdiction),” he quipped.

Earlier, a video of the leaked information showed photos, bank cards, and transaction receipts of the victims, among others.

The DICT said that although the transaction data of some PhilHealth members were leaked, the members’ database itself was not affected by the cyberattack. (ai/mnm)

By Junex Doronio

WHO WILL BLINK FIRST?

This is the question, as there are only four more days to go before the shadowy Medusa ransomware group releases to the public the data it hacked from the government health insurer PhilHealth, if the latter refuses to cough up $300,000, or roughly P17 million, in ransom.

Cybersecurity expert Renzon Cruz has expressed apprehension that Medusa may release a lengthy video, ranging from 30 to 50 minutes, in the event of non-compliance from PhilHealth, flaunting a series of PII and IDs across social media platforms like X (Twitter), Telegram, and Facebook.

Cruz said Medusa is well equipped as it even has a public relations arm, identified as “OSINT without Borders”, which seems to function on reporting breaches and re-publishing stolen data.

Just like the wily mythological creature, the shadowy Medusa ransomware group reportedly collaborates with global affiliates, expanding its reach and impact.

According to thecyberexpress.com, since its emergence in June 2021, the Medusa ransomware group has remained a prominent concern for cybersecurity experts.

The PhilHealth hacking was confirmed by the National Privacy Commission (NPC) on Monday evening, September 25, saying it was notified by PhilHealth regarding a ransomware attack.

PhilHealth, however, assured that only employee information was breached.

Last September 22, the Department of Information and Communications Technology (DICT) first bared the cyberattack on the PhilHealth database.

DICT Undersecretary Jeffrey Ian Dy said the $300,000 or roughly P17 million ransom is in exchange for three things, namely:

  • to hand over the decryption keys so the data can be accessed again;
  • to delete the data that they obtained and not publish these to the public; and
  • to give DICT a copy of the data which is in their possession.

DICT said it is working with PhilHealth and its outsourced cybersecurity vendors to complete the “clean up” of the system. (ai/mnm)

AS MANY of us Filipinos now know, Medusa is the ransomware group that recently exploited vulnerabilities in PhilHealth’s systems.

To make matters worse, the country’s state insurer has been given a four-day ultimatum to comply with the demands of the cybercriminal group.

Medusa is accordingly demanding a $300,000 ransom, or P17,100,000 in Philippine pesos.

Each day of extension costs a victim like PhilHealth $10,000, according to published reports.

To better understand how Medusa operates and victimizes vulnerable targets please read on:

How Medusa operates

According to Lawrence Abrams from BleepingComputer, Medusa began targeting companies worldwide with multi-million-dollar ransom demands two years ago.

The ransomware operation, referred to as Medusa, gained significant momentum in 2023, specifically focusing on corporate victims with ransom demands in the millions.

While the Medusa operation was initiated in June 2021, it initially had limited activity with only a few victims.

However, in 2023, the ransomware group significantly escalated its operations and even established a “Medusa Blog” to release data from victims who refused to pay the ransom.

Medusa garnered media attention this year when it claimed responsibility for an attack on the Minneapolis Public Schools (MPS) district and shared a video containing stolen data.

In his latest BleepingComputer article, Abrams clarified that several malware families adopt the name Medusa, including a Mirai-based botnet with ransomware capabilities, a Medusa Android malware, and the well-known MedusaLocker ransomware operation.

It’s important to note that there has been confusion in reporting due to the common name, with many assuming it’s the same as MedusaLocker. However, the Medusa and MedusaLocker ransomware operations are distinct entities.

The MedusaLocker operation was launched in 2019 as a Ransomware-as-a-Service, involving numerous affiliates, a commonly used ransom note named “How_to_back_files.html,” and a wide range of file extensions for encrypted files. Negotiations for MedusaLocker typically occur on a Tor website at qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion.

On the other hand, the Medusa ransomware operation emerged around June 2021, using a ransom note named “!!!READ_ME_MEDUSA!!!.txt” and a static encrypted file extension of “.MEDUSA.” Negotiations for this operation also take place on a Tor website, specifically at medusacegu2ufmc3kx2kkqicrlcxdettsjcenhjena6uannk5f4ffuyd.onion.

Regarding the encryption of Windows devices, Abrams explains that BleepingComputer has only been able to analyze the Medusa encryptor for Windows. It remains uncertain whether the group has developed one for Linux systems at this time.

The Windows encryptor can be configured using command-line options, allowing threat actors to determine how files will be encrypted on the device as follows:

Command Line

Option | Description

-V | Get version
-d | Do not delete self
-f | Exclude system folder
-i | In path
-k | Key file path
-n | Use network
-p | Do not preprocess (preprocess = kill services and shadow copies)
-s | Exclude system drive
-t | Note file path
-v | Show console window
-w | Initial run powershell path (powershell -executionpolicy bypass -File %s)

For example, the -v command line argument will cause the ransomware to display a console, showing status messages as it encrypts a device.

In a regular run, without command line arguments, the Medusa ransomware will terminate over 280 Windows services and processes for programs that may prevent files from being encrypted. These include Windows services for mail servers, database servers, backup servers, and security software.

The ransomware will then delete Windows Shadow Volume Copies to prevent them from being used to recover files.
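The pre-encryption steps just described (stopping the services that hold files open, deleting shadow copies, and the "powershell -executionpolicy bypass -File" launcher exposed by the -w option) are the noisiest part of a run and the best place to detect it. The script below is an added example, not code from BleepingComputer or from the Medusa operation: a small Python detector run over constructed, Sysmon-style process-creation lines. The specific commands it matches (vssadmin delete shadows, wmic shadowcopy delete, net stop, sc stop, taskkill /F) are the usual Windows ways of doing these things and are assumptions for the example; the article does not say which commands Medusa itself issues. It also generalizes a little: rather than alerting on any single service stop, it flags a burst of stop/kill commands from one parent process inside a short window, which is the "kill everything that could block encryption" pattern.

```python
"""Detection logic for the pre-encryption steps described above, run over
constructed Sysmon-style process-creation events (added example; not code from
BleepingComputer or from the Medusa operation)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: timestamp|host|parent_image|image|command_line, one event
# per line. Not from a real incident. The shadow-copy and service-stop commands
# are the usual Windows ways of doing these things, assumed for illustration.
SAMPLE_EVENTS = r"""
2023-09-22T01:02:03Z|WS01|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe report.txt
2023-09-22T01:05:11Z|WS01|C:\Users\svc\update.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2023-09-22T01:05:12Z|WS01|C:\Users\svc\update.exe|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2023-09-22T01:05:13Z|WS01|C:\Users\svc\update.exe|C:\Windows\System32\net.exe|net stop MSSQLSERVER /y
2023-09-22T01:05:14Z|WS01|C:\Users\svc\update.exe|C:\Windows\System32\net.exe|net stop "SQL Server Agent" /y
2023-09-22T01:05:15Z|WS01|C:\Users\svc\update.exe|C:\Windows\System32\taskkill.exe|taskkill /F /IM sqlservr.exe
2023-09-22T01:05:16Z|WS01|C:\Users\svc\update.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -executionpolicy bypass -File C:\Users\svc\pre.ps1
2023-09-22T01:09:00Z|WS02|C:\Windows\explorer.exe|C:\Windows\System32\net.exe|net stop Spooler
"""

SHADOW_COPY_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy.*?(?:\.delete\(|remove-wmiobject|remove-ciminstance)",
    re.IGNORECASE,
)
# The launcher string the article gives for the -w option.
PS_BYPASS_FILE = re.compile(
    r"powershell(?:\.exe)?\b.*-executionpolicy\s+bypass\b.*-file\b", re.IGNORECASE
)
SERVICE_STOP = re.compile(
    r"^(?:(?:net|sc)(?:\.exe)?\s+stop\b|taskkill(?:\.exe)?\s+.*/(?:f|im)\b)",
    re.IGNORECASE,
)
BURST_THRESHOLD = 3                   # this many stop/kill commands ...
BURST_WINDOW = timedelta(seconds=60)  # ... from one parent inside this window


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    ts: str
    parent: str
    detail: str


def parse_events(text: str) -> list:
    """Parse the pipe-separated sample format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, parent, image, cmdline))
    return events


def analyze(text: str) -> list:
    """Apply the three rules and return one Finding per hit."""
    findings = []
    stops = defaultdict(list)  # (host, parent) -> stop/kill events
    for ev in parse_events(text):
        if SHADOW_COPY_DELETE.search(ev.cmdline):
            findings.append(Finding("shadow_copy_deletion", ev.host, ev.ts.isoformat(), ev.parent, ev.cmdline))
        if PS_BYPASS_FILE.search(ev.cmdline):
            findings.append(Finding("powershell_bypass_file", ev.host, ev.ts.isoformat(), ev.parent, ev.cmdline))
        if SERVICE_STOP.search(ev.cmdline):
            stops[(ev.host, ev.parent)].append(ev)
    # Burst rule: one stop is routine admin work; several from the same parent in a
    # short window is the "stop everything holding files open" pattern.
    for (host, parent), evs in stops.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                findings.append(Finding("service_stop_burst", host, evs[start].ts.isoformat(), parent,
                                        f"{end - start + 1} stop/kill commands within {BURST_WINDOW.seconds}s"))
                break  # one finding per parent is enough
    return findings


def summarize(findings) -> dict:
    """Count findings per rule, e.g. {'shadow_copy_deletion': 2, ...}."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} [{f.rule}] parent={f.parent}: {f.detail}")
```

On the sample, the detector reports two shadow-copy deletions, one bypass-policy launcher and one stop burst, all from the same parent on WS01, while the lone "net stop Spooler" on WS02 stays quiet. In a real deployment the same three rules map directly onto Sysmon Event ID 1 or Windows Security 4688 fields (ParentImage, CommandLine); the threshold and window are tuning knobs.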

Ransomware expert Michael Gillespie also analyzed the encryptor and told BleepingComputer that it encrypts files with AES-256 and RSA-2048 through the Windows BCrypt (CNG) library, i.e. the typical hybrid scheme in which AES does the bulk file encryption and the attackers’ RSA public key protects the AES key, so that only the holder of the matching private key can unlock the files.

Gillespie further confirmed that the encryption method used in Medusa is different than the one used in MedusaLocker.

When encrypting files, the ransomware appends the .MEDUSA extension to encrypted file names. For example, 1.doc would be encrypted and renamed to 1.doc.MEDUSA.

In each folder, the ransomware will create a ransom note named !!!READ_ME_MEDUSA!!!.txt that contains information about what happened to the victim’s files.

The ransom note also includes contact information: a Tor data leak site, a Tor negotiation site, a Telegram channel, a Tox ID, and the key.medusa.serviceteam@protonmail.com email address.

The Tor negotiation site is at http://medusacegu2ufmc3kx2kkqicrlcxdettsjcenhjena6uannk5f4ffuyd.onion.
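The artifacts in the preceding paragraphs (the .MEDUSA extension, the per-folder !!!READ_ME_MEDUSA!!!.txt note, and the contact details inside it) are what an incident responder inventories first. The script below is an added triage example, not BleepingComputer’s or Medusa’s code: it walks a directory tree, counts encrypted files by their original extension, collects the notes, extracts .onion addresses, email addresses and Tox IDs from them, and flags any .MEDUSA file whose contents are not high-entropy (an empty or otherwise unencrypted file that was only renamed and may still be recoverable). The directory tree and the note text are constructed inside the script; the note body is a placeholder that only reuses the identifiers quoted on this page, and the Tox ID in it is a made-up value of the right length.

```python
"""Triage of the Medusa on-disk artifacts described above (added example; the
directory tree and note text are constructed here, not taken from an incident)."""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

NOTE_NAME = "!!!READ_ME_MEDUSA!!!.txt"  # note dropped in every folder
ENC_EXT = ".MEDUSA"                     # static extension appended to files
ENTROPY_FLOOR = 7.0                     # bits/byte; real ciphertext is close to 8
SAMPLE_BYTES = 64 * 1024                # only read the first 64 KiB of each file

ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b")  # v3 hidden-service address
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
TOX_RE = re.compile(r"\b[0-9A-F]{76}\b")           # Tox IDs are 76 hex characters

# Constructed placeholder note: only the identifiers quoted in the article are
# real; the wording is not the actual note and the Tox ID is a made-up value.
SAMPLE_NOTE = (
    "Placeholder note for this example\n"
    "Negotiation: http://medusacegu2ufmc3kx2kkqicrlcxdettsjcenhjena6uannk5f4ffuyd.onion\n"
    "Email: key.medusa.serviceteam@protonmail.com\n"
    "Tox: " + "AB" * 38 + "\n"
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_tree() -> Path:
    """Create a throwaway tree mimicking a partly encrypted share (constructed)."""
    root = Path(tempfile.mkdtemp(prefix="medusa-triage-"))
    (root / "docs" / "sub").mkdir(parents=True)
    (root / "logs").mkdir()
    (root / "docs" / "1.doc.MEDUSA").write_bytes(os.urandom(8192))         # looks encrypted
    (root / "docs" / "sub" / "photo.jpg.MEDUSA").write_bytes(os.urandom(8192))
    (root / "docs" / "sub" / "empty.txt.MEDUSA").write_bytes(b"")          # renamed, but empty
    (root / "docs" / NOTE_NAME).write_text(SAMPLE_NOTE)
    (root / "docs" / "sub" / NOTE_NAME).write_text(SAMPLE_NOTE)
    (root / "logs" / "app.log").write_text("2023-09-22 untouched log line\n")
    return root


def triage(root) -> dict:
    """Inventory encrypted files, notes and contact details under root."""
    root = Path(root)
    result = {
        "encrypted_files": [], "notes": [], "by_original_ext": Counter(),
        "contacts": {"onion": set(), "email": set(), "tox": set()},
        "low_entropy_suspects": [],
    }
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == NOTE_NAME:
            result["notes"].append(rel)
            text = path.read_text(errors="replace")
            result["contacts"]["onion"].update(ONION_RE.findall(text))
            result["contacts"]["email"].update(EMAIL_RE.findall(text))
            result["contacts"]["tox"].update(TOX_RE.findall(text))
        elif path.name.endswith(ENC_EXT):
            result["encrypted_files"].append(rel)
            original = Path(path.name[: -len(ENC_EXT)])  # 1.doc.MEDUSA -> 1.doc
            result["by_original_ext"][original.suffix or "<none>"] += 1
            # A .MEDUSA file that is not high-entropy was renamed but not (fully)
            # encrypted, or is empty; it may be recoverable and deserves a look.
            with path.open("rb") as fh:
                if shannon_entropy(fh.read(SAMPLE_BYTES)) < ENTROPY_FLOOR:
                    result["low_entropy_suspects"].append(rel)
    return result


if __name__ == "__main__":
    r = triage(build_sample_tree())
    print(len(r["encrypted_files"]), "encrypted files;", len(r["notes"]), "notes")
    print("original extensions:", dict(r["by_original_ext"]))
    print("contacts:", r["contacts"])
    print("low-entropy suspects:", r["low_entropy_suspects"])
```

Point triage() at a mounted image or share rather than the sample tree to use it for real; the extension count tells you what was hit (documents, databases, images), the contact set is what goes into the incident record, and the low-entropy list is the short list of files worth a second look before anything is wiped.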

As an extra step to prevent restoration of files from backups, the Medusa ransomware runs a delete command that removes locally stored files associated with backup programs, like Windows Backup. The same command also deletes virtual hard disk (VHD) files used by virtual machines.

The Tor negotiation site calls itself “Secure Chat,” where each victim has a unique ID that can be used to communicate with the ransomware gang.

Like most enterprise-targeting ransomware operations, Medusa has a data leak site named ‘Medusa Blog.’ This site is used as part of the gang’s double-extortion strategy, where they leak data for victims who refuse to pay a ransom.

When a victim is added to the data leak site, their data is not immediately published. Instead, the threat actors give the victim paid options to extend the countdown before the data is released, to delete the data, or to download all of the data. Each of these options has a different price.

These three options are done to apply extra pressure on the victim to scare them into paying a ransom.

Unfortunately, no known weaknesses in the Medusa Ransomware encryption allow victims to recover their files for free.

Researchers will continue to analyze the encryptor, and BleepingComputer says it will report any weakness that is found.

(Jr. Amigo/ai/mnm)

By Junex Doronio

JUST LIKE IN THRILLER MOVIES, a shadowy cyber gang called Medusa has hacked the government health insurer PhilHealth and is now demanding $300,000, or around P17 million, to unlock the breached database.

This was confirmed by the National Privacy Commission (NPC) on Monday evening, September 25, saying it was notified by PhilHealth regarding a ransomware attack.

PhilHealth, however, assured that only employee information was breached.

On Friday, September 22, the Department of Information and Communications Technology (DICT) bared the cyberattack on the PhilHealth database.

DICT Undersecretary Jeffrey Ian Dy said the $300,000 ransom being demanded by the “Medusa” cyber gang is in exchange for three things, namely:

  • to hand over the decryption keys so the data can be accessed again;
  • to delete the data that they obtained and not publish these to the public; and
  • to give DICT a copy of the data which is in their possession.

DICT said it is working with PhilHealth and its outsourced cybersecurity vendors to complete the “clean up” of the system. (ai/mnm)