An illustration of a hacker using the internet to hack computer servers. Photo: Shutterstock

Russian hacker-linked REvil behind 2022 Australian cyberattack also targeted Hong Kong’s Dairy Farm

  • REvil allegedly demanded a US$30 million ransom from Hong Kong-based retailer Dairy Farm during its 2021 cyberattack
  • The Australian government says exposing the identity of Russian hacker Aleksandr Ermakov would stop him and his cyberbusiness

REvil, the notorious ransomware group linked to Russian hacker Aleksandr Ermakov, who has been named as the perpetrator of a prominent Australian cyberattack in 2022, was also responsible for an earlier attack on Hong Kong-based retailer Dairy Farm.

The Australian government on Tuesday named and sanctioned Ermakov for the 2022 ransomware attack on Medibank, in which 9.7 million personal records were stolen after the Australian insurer did not pay the ransom. Some of Medibank’s records were published on the dark web.

Canberra confirmed Ermakov was linked to REvil, which executed attacks globally between 2020 and 2021, including one on the Dairy Farm group in 2021 in which it allegedly demanded a ransom of US$30 million.

Dairy Farm, known for Hong Kong’s Wellcome, Mannings and Ikea, told various cybersecurity groups then that less than 2 per cent of its servers were affected by the cyberattack.

It is not clear whether Dairy Farm paid the ransom. Dairy Farm did not respond to a request for comment.

The Russia-based ransomware-as-a-service (RaaS) operation REvil, short for “Ransomware Evil”, was dismantled by Russian authorities in early 2022, following pressure from other governments, including the US, to force the group offline.

The group hurt many organisations when it executed a ransomware attack through a software package developed by US-based Kaseya in 2021.

In Australia, Medibank was not REvil’s first target.

In 2021, the group also attacked Australia-based global beef producer JBS and crippled its global supply chains before the company paid US$11 million as ransom.

Unlike JBS, Medicare did not pay a ransom, and the data stolen from it was later published publicly in one of the most prominent cyberattacks in Australia. Later that year, another cyberattack hit Australian telco Optus, with a further 10 million personal records stolen.

Photos of Russian Yevgyeniy Polyanin, wanted by the FBI, shown at a news conference in Washington in 2021. He was alleged to be a part of the REvil ransomware gang. Photo: AP

Australia topped the list of ransomware attacks in Asia-Pacific between 2021 and 2022, according to Singapore-based cybersecurity group Group-IB.

The Australian government said exposing Ermakov’s identity would disarm him and his cyberbusiness, because such criminals rely on anonymity.

“We have named him for the first time globally, and his identity now being completely plain is on display for every agency around the world, but also anybody who is seeking to operate with him, so this will have a very significant impact on Aleksandr Ermakov,” deputy prime minister Richard Marles said in a press conference on Tuesday.

Canberra has imposed a targeted financial sanction and a travel ban on Ermakov. Dealing with Ermakov or his assets such as cryptocurrency wallets or ransomware payments will be a criminal act punishable by up to 10 years’ imprisonment and heavy fines.

But Canberra acknowledged that targeting Ermakov would not completely abolish future cyber criminal groups as these gangs were “dynamic and have multiple partners”.

“So a disruption of REvil at one point in time doesn’t cease its business,” said Abigail Bradshaw, head of the Australian cybersecurity centre.

Indeed, Group-IB said REvil’s model, which depended on so-called “affiliates” or individuals with ready-to-use kits for ransomware deployment, has allowed it to repeat its crimes despite crackdowns by law enforcement.

“REvil was one of the old-timers of the ransomware industry,” Feixiang He, Adversary Intelligence Research Lead at Group-IB, said.

“[But] as of 2023, without a doubt, the LockBit gang stands out as the most dominant force in the illicit ransomware market.”

According to He, LockBit topped the list of the “most aggressive” ransomware collectives in Asia-Pacific last year, when the gang released information on more than 1,000 victims on its dedicated leak site.

“Hacktivist” groups, or criminal groups that carry out cyberattacks in support of political causes, such as “Cyber Error System”, “Esteem Restoration Eagle” and “Team Insane PK”, were also on the rise, He said.

Companies need to build underground monitoring capabilities into their threat intelligence programmes so that they can promptly detect the sale of their credentials or of unauthorised access to their networks, according to He.

Group-IB flagged other digital risk trends last year including the rapid breeding of cybercriminal groups on social media or chat groups such as Telegram, and the significant use of cryptocurrency in the cybercriminal world.