Sunday, April 14, 2024




The Medusa attack on PhilHealth serves as a reminder for government agencies to be more vigilant

By Miguel Hanz L. Antivola, Reporter

PhilHealth was recently targeted by a ransomware attack carried out by a well-known group of cybercriminals.

PhilHealth discovered the breach on September 22nd and investigations revealed that the Medusa group was responsible.

According to Vladimir Kuskov, head of anti-malware research at the Russian cybersecurity company Kaspersky, the attackers gained unauthorized access to PhilHealth’s systems, exfiltrated confidential information, deployed the Medusa ransomware to encrypt files, and demanded payment in exchange for the decryption keys. In an interview with BusinessWorld on Thursday, Mr. Kuskov added that the attackers also threatened to publish the stolen data if their demands were not met.

He said the group demanded $300,000 in exchange for not leaking PhilHealth’s data on Tor, an open-source anonymity network. This double-extortion strategy, in which data is both encrypted and threatened with publication, increases the pressure on victims to pay.


Although the main objective of the attackers seems to be obtaining financial gain by demanding ransom payments, their exact motivations are still unknown.

Beyond financial gain, the motive behind the attack is uncertain and could range from causing disruption to gaining notoriety, according to Mr. Kuskov.

According to a statement from Kaspersky, newer ransomware families such as Medusa are commonly distributed through the ransomware-as-a-service model.

Under this model, the affiliate groups that carry out the attacks pay a portion of the ransom proceeds to the developers of the malware.

Duration of the Attack

According to DICT Undersecretary Jeffrey Ian C. Dy, the Medusa ransomware has been secretly present in PhilHealth’s systems since June.

According to an interview reported by CNN Philippines, leaked documents and assignments contained private information belonging primarily to employees of PhilHealth rather than its members.

On September 22, Emmanuel R. Ledesma, Jr., the president and CEO of PhilHealth, announced that the company had taken “containment measures.” These measures required the temporary closure of their systems while they conducted an investigation with the DICT and NPC.

After becoming aware of the security breach, the National Computer Emergency Response Team took action by disconnecting workstations from the network, working with PhilHealth to assess the scope of the attack, and gathering logs for comprehensive examination, as stated in a press release by the DICT on September 28.

The DICT stated that as of September 25, access to PhilHealth’s critical web services had been restricted to its own IP addresses, and that a thorough security scan was under way.

Efforts are being made to restore the functionality of PhilHealth’s DNS server, according to the statement.

According to Circular No. 2016-03 from the commission, PhilHealth was required to submit a comprehensive notification report to the NPC by Sept. 27, which was five days after the data breach occurred.

The National Privacy Commission (NPC) has directed PhilHealth to attend a hearing and undergo an onsite investigation to assess the consequences of the breach. According to a press statement released on Sept. 25, the NPC’s main priority is to safeguard the rights of the affected beneficiaries and contributors.


According to Mr. Kuskov, the expert on malicious software, the recent event highlights the importance of taking proactive steps to protect sensitive information from online risks. This serves as a reminder for organizations to stay alert and prioritize cybersecurity measures while containment and investigations are in progress.

According to him, any organization can strengthen its cybersecurity by minimizing the exposure of remote desktop services, enforcing strong passwords, and regularly updating software to close the vulnerabilities that ransomware operators exploit.

He stated that it is essential to focus on detecting lateral movement and data exfiltration, maintaining regular backups, and using up-to-date threat intelligence.

A thorough and proactive strategy that combines advanced security measures and ongoing employee education is crucial in protecting sensitive information and maintaining the public’s confidence in the face of ever-changing threats.

He suggested improving infrastructure, promoting partnerships for sharing intelligence, and revising policies to match the changing cyber threat environment.

He suggested that government agencies adopt a cyber immunity approach, in which systems are designed from the outset with built-in resilience against threats.