REvil attacks Medibank

Incident Date:

November 9, 2022

World map



REvil attacks Medibank






Melbourne, Australia

Victoria, Australia

First Reported

November 9, 2022

The REvil Ransomware Gang's Attack on Medibank

The REvil ransomware gang has attacked Medibank. Medibank is one of the largest Australian private health insurance providers, covering over 3 million people and boasting nearly 4000 employees. The health insurance organization refused to meet REvil’s ransom demands, resulting in the ransomware gang publishing 200GB of stolen data in a 5GB compressed file to their data leak site.

A Medibank spokesperson said in a statement: “While our investigation continues there are currently no signs that financial or banking data has been taken, and the personal data stolen, in itself, is not sufficient to enable identify and financial fraud. The raw data we have analysed today so far is incomplete and hard to understand.”

REvil's Background and Tactics

REvil, who first emerged in 2019, is assessed to be the successor of the defunct criminal gang GandCrab and to be responsible for some of the biggest attacks on record, including the supply-chain ransomware attack against Kaseya and meatpacker JBS. REvil is also assessed to be connected to the now-defunct DarkSide group that disrupted energy giant Colonial Pipeline.

REvil invested a lot into the development and improvement of the platform and is known to use several security tool evasion techniques, such as leveraging the anti-rootkit tool GMER to disable security software as well as hard-coded checks to assure the target is not located in a Russian-aligned Commonwealth of Independent States (CIS) country.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.