Medibank ransomware (REvil-affiliated)
Russian-speaking attackers exfiltrated full health-claim records on 9.7 million current and former Medibank customers, then released them in tranches on the dark web after the Australian insurer refused to pay.
- Victim: Medibank Private
- Loss: $250.0M
- Records: 9.7M
- Users: 9.7M
In October 2022, Russian-speaking attackers exfiltrated full health-claim records on 9.7 million current and former customers of Medibank Private, Australia's largest health insurer. The Australian government's response (including the first-ever Australian cyber sanctions against a named individual) and Medibank's refusal to pay the ransom shaped subsequent national policy on ransomware response.
What happened
The intrusion began with stolen credentials. In August 2022, an attacker purchased on a Russian-language criminal forum the credentials of a Medibank IT contractor with VPN access to the corporate network. The credentials had been harvested by an infostealer months earlier, a common origin for the credential market that fuels modern ransomware operations.
Critically, Medibank's VPN did not require multi-factor authentication for the affected contractor account, so the stolen username and password alone were sufficient to authenticate. The attacker:
- Logged into the VPN on 23 August 2022.
- Established persistence and conducted internal reconnaissance over the next seven weeks.
- Exfiltrated approximately 200 GB of data in the days leading up to 12 October, including full health-claim records, Medicare numbers, addresses, dates of birth, and detailed medical histories.
Medibank detected anomalous activity on 13 October and engaged incident response. The intrusion was contained within days, but the data had already left.
Refusal to pay, then leaks
The attackers initially demanded $9.7 million in bitcoin, a deliberately symbolic "$1 per affected customer" framing intended to maximise public pressure.
Medibank's CEO David Koczkar publicly announced on 7 November 2022 that the company would not pay, citing Australian government guidance that paying ransoms funds further criminal activity and provides no guarantee of data deletion. Australia's Prime Minister and Home Affairs Minister publicly supported the refusal.
The attackers responded by releasing the data in tranches on a dark-web forum:
- 9 November: a "good-list" of customers with mainstream health histories.
- 10 November: a "naughty-list" categorising customers by perceived sensitivity, including abortion records, drug and alcohol treatment, mental health histories, and HIV status. The selective release was a clear attempt to maximise reputational harm.
- 17 November to 1 December: full database dumps, including the most sensitive medical categorisation.
The data remains in circulation on the dark web. Australian government guidance to affected customers acknowledged that the data could never be fully recovered or contained.
Government response
The Australian response set significant precedents:
- First Australian cyber sanctions in January 2023 against Aleksandr Ermakov, a Russian national identified by Australian intelligence as a participant in the Medibank attack. The sanction was issued under Australia's Autonomous Sanctions Act and aligned with U.K. and U.S. sanctions on Ermakov for separate ransomware activity.
- Mandatory ransomware reporting: subsequent legislation introduced mandatory reporting requirements for ransomware payments and incidents by larger organisations.
- Critical infrastructure expansion: Medibank's classification under the SOCI Act (Security of Critical Infrastructure) was clarified to include large healthcare operators.
Impact
- 9.7 million customers had medical history data exposed permanently.
- Direct remediation, customer support, and legal costs: ~$80 million.
- Estimated business impact (subscriber churn, brand damage): $150M+.
- Civil penalty proceedings filed by the Australian Information Commissioner in June 2024 remain open; the maximum penalty available is the greater of AUD $50M, 30% of turnover, or three times the benefit obtained. These reformed penalty limits were passed in response to the Medibank breach itself.
Why it matters
Medibank is the canonical case for ransomware against a healthcare operator that refused to pay and accepted the leak as a cost. It established:
- That government and industry alignment behind refusal is achievable at the national level, given political support.
- That selective categorisation of leaked data (the "naughty-list" tactic) is now an established pressure technique: attackers no longer just publish; they curate the publication for maximum harm.
- That infostealer-harvested credentials combined with VPN access that does not enforce MFA is a primary entry vector for healthcare ransomware. Medibank's post-incident remediation included MFA on every external-facing system as the headline change.
- That breach data is permanent: once it is on the dark web, no policy intervention recovers it. Medibank's customers will continue to face downstream identity and insurance-fraud risk for years.
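As an added example (not code from Medibank, nor from any source cited on this page), the following Python script runs two defender-side checks over constructed log lines that mirror the chain described under "What happened" and the MFA lesson above: it flags successful VPN logins that completed without MFA, and it flags any account whose outbound volume inside a sliding 24-hour window exceeds a baseline, the kind of bulk-egress signal a roughly 200 GB transfer would produce. The key=value log format, the field names (user, mfa, src, type, bytes_out), the account names and the 100 GB threshold are all assumptions chosen for the example; the sample lines are constructed and are not real Medibank telemetry.

```python
"""Two defender-side checks modelled on the Medibank entry and exfiltration chain.

1. logins_without_mfa: successful VPN logins that completed without MFA
   (the control gap that let a stolen password alone succeed).
2. egress_over_threshold: accounts whose outbound bytes over a sliding window
   exceed a baseline (the bulk-exfiltration pattern).

Log format, field names and threshold are assumptions for this example;
the sample lines below are constructed, not real Medibank telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication events: "<ISO timestamp> key=value ...".
VPN_AUTH_LOG = """\
2022-08-23T02:14:07Z event=vpn_login user=contractor01 result=success mfa=false src=203.0.113.45 type=contractor
2022-08-23T08:30:12Z event=vpn_login user=alice result=success mfa=true src=198.51.100.7 type=employee
2022-08-23T08:31:40Z event=vpn_login user=bob result=failure mfa=false src=198.51.100.9 type=employee
2022-08-24T01:02:55Z event=vpn_login user=contractor01 result=success mfa=false src=203.0.113.45 type=contractor
"""

# Constructed hourly outbound byte counts per account from egress telemetry.
EGRESS_LOG = """\
2022-10-10T22:00:00Z user=contractor01 bytes_out=48000000000
2022-10-10T23:00:00Z user=contractor01 bytes_out=52000000000
2022-10-11T00:00:00Z user=alice bytes_out=120000000
2022-10-11T00:00:00Z user=contractor01 bytes_out=55000000000
2022-10-11T01:00:00Z user=contractor01 bytes_out=50000000000
"""


def parse_line(line):
    """Parse one '<ts> k=v k=v ...' line into a dict; 'ts' holds a datetime."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def iter_events(log_text):
    """Yield parsed events, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            yield parse_line(line)


def logins_without_mfa(log_text):
    """Return (user, iso_timestamp, src) for every successful VPN login
    whose mfa field is anything other than 'true'.

    A missing or malformed mfa field counts as a failure, not as
    'not applicable': the control must be positively recorded."""
    hits = []
    for ev in iter_events(log_text):
        if (ev.get("event") == "vpn_login" and ev.get("result") == "success"
                and ev.get("mfa") != "true"):
            hits.append((ev["user"], ev["ts"].isoformat(), ev.get("src", "?")))
    return hits


def egress_over_threshold(log_text, window=timedelta(hours=24),
                          threshold_bytes=100 * 10**9):
    """Return {user: peak_bytes} for users whose bytes_out summed over any
    trailing window of the given length exceeds threshold_bytes.

    Events are sorted per user and a two-pointer window keeps the running
    total, so the check is linear in the number of events."""
    per_user = defaultdict(list)
    for ev in iter_events(log_text):
        per_user[ev["user"]].append((ev["ts"], int(ev["bytes_out"])))

    flagged = {}
    for user, events in per_user.items():
        events.sort()
        start, total = 0, 0
        for ts, nbytes in events:
            total += nbytes
            # Evict events that have fallen out of the trailing window.
            while ts - events[start][0] > window:
                total -= events[start][1]
                start += 1
            if total > threshold_bytes:
                flagged[user] = max(flagged.get(user, 0), total)
    return flagged


if __name__ == "__main__":
    for user, when, src in logins_without_mfa(VPN_AUTH_LOG):
        print(f"ALERT no-MFA VPN login: {user} at {when} from {src}")
    for user, peak in egress_over_threshold(EGRESS_LOG).items():
        print(f"ALERT bulk egress: {user} moved {peak / 10**9:.0f} GB inside 24h")
```

The first check is the policy the remediation described above enforces in retrospect: any successful external login that cannot prove MFA is itself the alert, regardless of whether the account is later used for anything suspicious. The second check is deliberately volume-based and account-centric rather than signature-based, because a long reconnaissance phase followed by a short bulk transfer is easier to see as a per-account spike than as any single malicious request.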
Financial impact
Reported costs in USD
- Business loss: $150.0M
- Remediation: $80.0M
Timeline
- An attacker purchases stolen credentials of a Medibank contractor on a Russian-language criminal forum. The credentials grant VPN access without requiring multi-factor authentication.
- Attackers establish persistence on Medibank's network and begin reconnaissance.
- Approximately 200 GB of customer data is exfiltrated, including detailed health-claim records and Medicare numbers.
- Medibank detects anomalous activity and engages incident response.
- Medibank publicly discloses the breach. Initial scope is underestimated.
- Attackers post sample data on a Russian-language forum and demand a $9.7M ransom ($1 per affected customer).
- Medibank CEO David Koczkar publicly announces the company will not pay the ransom.
- Attackers release tranches of stolen data on the dark web in stages: 'good-list', 'naughty-list' (categorising customers by perceived sensitivity of their medical history), then full database dumps.
- Australian Federal Police publicly attribute the attack to Russian-based criminals.
- Australian government imposes Magnitsky-style cyber sanctions on a named individual, Aleksandr Ermakov, for the Medibank attack. These are the first-ever Australian cyber sanctions.
- Australian Information Commissioner files civil penalty proceedings against Medibank.
Sources
- medibank.com.au: https://www.medibank.com.au/health-insurance/about/2022-cyber-event/
- afp.gov.au: https://www.afp.gov.au/news-media/media-releases/afp-confirms-medibank-private-attackers-russia
- oaic.gov.au: https://www.oaic.gov.au/news/media-centre/medibank-cyber-data-breach-civil-penalty-proceedings