[EXPLAINER] Medusa attack against PhilHealth: A wake-up call for gov’t agencies

Miguel Hanz L. Antivola, Reporter

The Philippine Health Insurance Corp. (PhilHealth) recently fell victim to a ransomware attack orchestrated by a notorious cybercriminal gang.

The breach was detected by PhilHealth on Sept. 22, and subsequent investigations pointed to the Medusa group as the culprit.

“The attackers allegedly infiltrated PhilHealth’s systems, stole sensitive data, used the Medusa trojan to encrypt files, and demanded a ransom for decryption keys, threatening to leak sensitive data if not paid,” Vladimir Kuskov, head of anti-malware research at Russian cybersecurity company Kaspersky, said in an interview with BusinessWorld on Thursday.

“This double-extortion tactic amplifies the pressure on victims,” he added, referring to the Medusa group’s threat to leak PhilHealth’s data on its blog on Tor, an open-source anonymity network, unless it is paid $300,000.

UNCLEAR MOTIVES
While the attackers’ main goal appears to be financial gain through ransom payments, their precise motivations remain unclear.

“The specific intent behind this attack, beyond financial gain, remains unclear and could range from causing disruption to seeking publicity,” Mr. Kuskov said.

Kaspersky said in a press statement that modern strains of ransomware, such as Medusa, are typically sold through the ransomware-as-a-service model.

“This means that hacker groups responsible for the attacks share a percentage of their ransom payouts with the malware authors.”

DURATION OF THE ATTACK
The Medusa ransomware had been silently lurking within PhilHealth’s systems since June, according to DICT Undersecretary Jeffrey Ian C. Dy.

The leaked notes and worksheets contained personal data mostly of PhilHealth employees rather than of members, he said in an interview reported by CNN Philippines.

Emmanuel R. Ledesma, Jr., president and chief executive officer of PhilHealth, said in a statement on Sept. 22 that the organization had implemented “containment measures,” which involved temporarily shutting down its systems while an investigation was conducted with the DICT and the National Privacy Commission (NPC).

Upon learning of the breach, the National Computer Emergency Response Team implemented “the disconnection of workstations from the network, prompt coordination with PhilHealth to gauge the extent of the attack, and collection of relevant logs for thorough analysis,” the DICT said in a Sept. 28 statement.

“As of Sept. 25, PhilHealth’s critical web services are only accessible via their IP addresses, and comprehensive security scanning is currently ongoing,” the agency said.

“Efforts to restore the functionality of PhilHealth’s DNS server are underway,” it added.

PhilHealth was expected to provide a complete notification report to the NPC on Sept. 27, five days after the breach, as per the commission’s Circular No. 2016-03 on personal data breach management.

The NPC issued orders for PhilHealth to appear at a hearing and undergo an onsite investigation to evaluate the breach’s impact, “with a primary focus on protecting the interest of the affected beneficiaries and contributors,” it said in a Sept. 25 press statement.

CYBERSECURITY RECOMMENDATIONS
While containment measures and investigations are underway, the incident underscores the urgency of proactive cybersecurity measures and the need for organizations to remain vigilant in safeguarding sensitive data against digital threats, according to Mr. Kuskov, the malware expert.

He said that any organization can bolster its cybersecurity by limiting remote desktop services exposure, enforcing strong passwords, and ensuring timely software updates to mitigate vulnerabilities that could be exploited by ransomware actors.

“Emphasizing the detection of lateral movements and data exfiltration, regular data backups, and utilizing the latest threat intelligence are crucial,” he noted.

“A comprehensive, proactive approach, integrating advanced security solutions and continuous employee training, is essential to safeguard sensitive data and uphold public trust amidst the evolving threat landscape.”

“This involves enhancing infrastructure, fostering collaboration for intelligence sharing, and updating policies to align with the evolving cyber threat landscape,” he added.

Government agencies, he said, should adopt a cyber-immunity approach, ensuring that systems are inherently resilient to threats.