U.S., U.K., Australia Sanction Russian REvil Hacker Behind Medibank Breach

Governments from Australia, the U.K., and the U.S. have imposed financial sanctions on a Russian national for his alleged role in the 2022 ransomware attack against health insurance provider Medibank.

Alexander Ermakov (aka blade_runner, GistaveDore, GustaveDore, or JimJones), 33, has been tied to the breach of the Medibank network as well as the theft and release of Personally Identifiable Information (PII) belonging to the Australian company.

The ransomware attack, which took place in late October 2022 and attributed to the now-defunct REvil ransomware crew, led to the unauthorized access of approximately 9.7 million of its current and former customers.

The stolen information included names, dates of birth, Medicare numbers, and sensitive medical information, including records on mental health, sexual health and drug use. Some of these records were leaked on the dark web.

As part of the trilateral action, the sanctions make it a criminal offense to provide assets to Ermakov, or to use or deal with his assets, including through cryptocurrency wallets or ransomware payments.

The offense is punishable by up to 10 years’ imprisonment. In addition, the Australian government has also imposed a travel ban on Ermakov.

The U.K. government said the penalty is their latest effort “to counter malicious cybercriminal activity emanating from Russia that seeks to undermine integrity and prosperity” of the country and its allies.

Besides criticizing Russia for providing a safe haven to malicious cyber actors, the U.S. Department of the Treasury called out the East European nation for enabling ransomware attacks by cultivating and co-opting criminal groups.

It further called on Russia to take concrete steps to prevent cyber criminals from freely operating in its jurisdiction.

“Russian cyber actors continue to wage disruptive ransomware attacks against the United States and allied countries, targeting our businesses, including critical infrastructure, to steal sensitive data,” said Under Secretary of the Treasury Brian E. Nelson.

“This action demonstrates that the United States stands with our partners to disrupt ransomware actors who victimize the backbone of our economies and critical infrastructure,” the Treasury Department noted.