Medibank, one of Australia’s largest private health insurers, suffered a devastating **ransomware attack in 2022**, orchestrated by cybercriminals linked to **Aleksandr Ermakov**—a key figure sanctioned in the recent bulletproof hosting crackdown. The breach resulted in the **theft of sensitive personal and health data of 9.7 million current and former customers**, including names, addresses, dates of birth, Medicare numbers, and even **highly sensitive health claims data** (e.g., mental health, drug addiction, and abortion records). The attackers, affiliated with the **REvil ransomware group**, initially demanded a ransom, but Medibank refused to pay, leading to the **public dump of stolen data on the dark web**. The fallout was catastrophic: **class-action lawsuits**, regulatory investigations, and **irreparable reputational damage**. Customers faced **identity theft risks, blackmail attempts, and fraudulent activities** tied to their exposed data. The financial toll exceeded **$35–50 million AUD** in direct costs, including **remediation, legal fees, and customer compensation**, while the **long-term erosion of trust** led to **customer churn and market share decline**. The attack also triggered **government scrutiny over cybersecurity failures**, with Medibank’s CEO later stepping down. The incident remains one of Australia’s **worst data breaches**, exemplifying how ransomware-as-a-service (RaaS) ecosystems, enabled by bulletproof hosting, can cripple critical infrastructure.
Medibank cybersecurity rating report: https://www.rankiteo.com/company/medibank
{
  "id": "MED2232322112125",
  "linkid": "medibank",
  "type": "Ransomware",
  "date": "6/2022",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': ['Ransomware gangs',
                                               'Phishing operators',
                                               'Malware C2 server hosts'],
                        'industry': 'Cybercrime Infrastructure',
                        'name': 'PVServers (DataImpulse)',
                        'type': 'Hosting Provider'},
                       {'customers_affected': ['Ransomware groups',
                                               'Threat actors requiring resilient infrastructure'],
                        'industry': 'Cybercrime Infrastructure',
                        'name': 'LumoHost',
                        'type': 'Hosting Provider'},
                       {'industry': 'Cybercrime Enablement',
                        'location': 'Russia',
                        'name': 'Aleksandr Ermakov',
                        'type': 'Individual'},
                       {'industry': 'Cybercrime Enablement',
                        'location': 'Russia',
                        'name': 'Aleksandr Rakitin',
                        'type': 'Individual'}],
 'attack_vector': ['Bulletproof Hosting (BPH)',
                   'Malicious Infrastructure Provisioning'],
 'description': 'The governments of the United States, United Kingdom, and Australia imposed joint sanctions against individuals and entities (Aleksandr Ermakov, Aleksandr Rakitin, PVServers/DataImpulse, and LumoHost) involved in providing bulletproof hosting (BPH) services. These services were used by ransomware gangs and other threat actors to ignore abuse complaints, law enforcement takedown requests, and legal inquiries, enabling global cybercriminal activity. The sanctions include asset freezes, travel bans, and prohibitions on business transactions with the listed entities, targeting the infrastructure layer of the ransomware economy to disrupt operations before payload delivery.',
 'impact': {'brand_reputation_impact': ['Diplomatic message against cybercrime enablers',
                                        'Deterrence for infrastructure providers'],
            'legal_liabilities': ['Asset freezes',
                                  'Travel bans',
                                  'Prohibitions on business transactions',
                                  'Secondary penalties for non-compliance'],
            'operational_impact': ['Disruption of ransomware supply chain',
                                   'Increased operational costs for cybercriminals',
                                   'Risk of secondary penalties for entities transacting with sanctioned parties']},
 'initial_access_broker': {'entry_point': ['Bulletproof hosting services (PVServers, LumoHost)'],
                           'high_value_targets': ['Ransomware groups',
                                                  'Phishing operators',
                                                  'Malware C2 servers']},
 'investigation_status': 'Ongoing (sanctions imposed; monitoring for compliance and rebranding attempts)',
 'lessons_learned': ['Targeting cybercrime infrastructure (e.g., bulletproof hosting) can disrupt ransomware operations at the supply chain level.',
                     'International collaboration is critical for effective enforcement against globally distributed threat actors.',
                     'Bulletproof hosting providers frequently rebrand and change jurisdictions to evade scrutiny, requiring persistent monitoring.',
                     'Sanctions against enablers (not just direct attackers) increase operational risks for cybercriminals and deter infrastructure providers.'],
 'motivation': ['Financial Gain',
                'Facilitation of Cybercrime',
                'Infrastructure-as-a-Service for Ransomware'],
 'post_incident_analysis': {'corrective_actions': ['Expand sanctions to cover the full ransomware supply chain (infrastructure, access brokers, monetization).',
                                                   'Strengthen international frameworks for sharing threat intelligence and enforcement actions.',
                                                   'Develop technological tools to track infrastructure reuse and attribute malicious activity.',
                                                   'Impose stricter regulatory requirements on hosting providers to prevent abuse.'],
                            'root_causes': ['Lack of accountability for cybercrime-enabling infrastructure providers.',
                                            'Jurisdictional challenges in attributing and sanctioning threat actors operating across borders.',
                                            'Rebranding and operational flexibility of bulletproof hosting services to evade law enforcement.']},
 'recommendations': ['Enhance cross-border cooperation to track and disrupt bulletproof hosting providers.',
                     'Implement stricter due diligence for hosting services to prevent abuse by cybercriminals.',
                     'Encourage domain registrars and infrastructure providers to proactively monitor and report suspicious activity.',
                     'Expand sanctions to include other layers of the ransomware economy (e.g., access brokers, cryptocurrency mixers).',
                     'Invest in technological solutions to detect and attribute malicious infrastructure reuse.'],
 'references': [{'source': 'U.S. Treasury’s Office of Foreign Assets Control (OFAC)'},
                {'source': 'U.K. Foreign, Commonwealth & Development Office'},
                {'source': 'Australian Department of Foreign Affairs and Trade'},
                {'source': 'Statement by Jaishankar Venkatesan, Director of the U.K. Foreign Sanctions Office'}],
 'regulatory_compliance': {'legal_actions': ['Asset freezes',
                                             'Travel bans',
                                             'Business prohibitions'],
                           'regulations_violated': ['International Sanctions (OFAC, UK FCDO, Australian DFAT)'],
                           'regulatory_notifications': ['Public sanction lists',
                                                        'Secondary penalty warnings for non-compliant entities']},
 'response': {'communication_strategy': ['Public attribution of sanctioned entities',
                                         'Diplomatic messaging to encourage global coordination'],
              'containment_measures': ['Asset freezes',
                                       'Travel bans',
                                       'Business transaction prohibitions'],
              'enhanced_monitoring': ['Persistent monitoring of bulletproof hosting providers',
                                      'Collaboration with infrastructure providers and domain registrars'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'remediation_measures': ['Disruption of bulletproof hosting infrastructure',
                                       'Increased operational costs for ransomware actors'],
              'third_party_assistance': ['U.S. Treasury’s Office of Foreign Assets Control (OFAC)',
                                         'U.K. Foreign, Commonwealth & Development Office',
                                         'Australian Department of Foreign Affairs']},
 'stakeholder_advisories': ['Organizations are warned against transacting with sanctioned entities to avoid secondary penalties.',
                            'Infrastructure providers (e.g., hosting services, domain registrars) are advised to enhance abuse detection and reporting mechanisms.',
                            'Financial institutions are urged to monitor transactions linked to bulletproof hosting operators.'],
 'threat_actor': [{'associated_attacks': ['Medibank ransomware attack (Australia)'],
                   'name': 'Aleksandr Ermakov',
                   'nationality': 'Russian',
                   'role': 'Bulletproof Hosting Provider'},
                  {'name': 'Aleksandr Rakitin',
                   'nationality': 'Russian',
                   'role': 'Bulletproof Hosting Operator'},
                  {'name': 'PVServers (DataImpulse)',
                   'role': 'Hosting Outfit for Threat Actors',
                   'type': 'Entity'},
                  {'name': 'LumoHost',
                   'operator': 'Aleksandr Rakitin',
                   'role': 'Ransomware Infrastructure Concealment',
                   'type': 'Entity'}],
 'title': 'Joint Sanctions Imposed on Bulletproof Hosting Providers Enabling Ransomware Operations',
 'type': ['Sanction',
          'Law Enforcement Action',
          'Cybercrime Infrastructure Disruption']}