Australia has taken a significant step by publicly identifying and imposing cyber sanctions on a Russian hacker, marking the country’s inaugural use of such penalties. The individual in question, Aleksandr Ermakov, 33, is alleged to have played a crucial role in a 2022 ransomware attack that targeted Medibank, one of Australia’s major private health insurers.
The cyberattack resulted in the theft of sensitive personal data from 9.7 million Medibank customers, including names, dates of birth, medical information, and Medicare numbers. Australian authorities disclosed that some of these records were subsequently published on the dark web.
Initially, the Australian Federal Police refrained from revealing the identity of the attackers, citing an ongoing investigation. However, on Tuesday, the Australian government disclosed that Aleksandr Ermakov, identified as a member of the Russian ransomware gang REvil, is subject to the imposed sanctions.
The sanctions criminalize the provision of assets to Ermakov, along with the use or handling of his assets, including through cryptocurrency wallets or ransomware payments. Offenders may face up to 10 years’ imprisonment, and a travel ban has been imposed on Ermakov.
Deputy Prime Minister and Defense Minister Richard Marles stated that Australian authorities collaborated extensively over the past 18 months to unveil those responsible for the cyberattack on Medibank Private. The investigation involved cooperation between various entities, including the Australian Signals Directorate, the Australian Federal Police, the FBI, NSA in the United States, the United Kingdom’s cyber agency GCHQ, and companies such as Microsoft and Medibank.
The cyberattack on Medibank was suspected to be linked to REvil, a Russian cyber-criminal syndicate known for large-scale attacks globally. The group had previously targeted entities in the United States, including the notable 2021 attack on JBS Foods, which resulted in an $11 million ransom payment.
Australia’s move to publicly name Ermakov is expected to impact his criminal activities, given that cyber criminals often operate in anonymity. The announcement exposes his identity to global agencies and individuals, significantly affecting his ability to collaborate or conduct illicit activities.
While the investigation continues, Marles emphasized that the stolen data not only affected Australian customers but also 1.8 million international customers. Despite an initial ransom demand of $10 million, which was later lowered to $9.7 million, Medibank refused to pay. Australian authorities have consistently discouraged the payment of ransoms, highlighting the lack of guarantees for data recovery and the increased risk it poses to the country as a target for future cyberattacks.