Who is Alleged Medibank Hacker Aleksandr Ermakov? – Krebs on Security

By neub9

Authorities in Australia, the United Kingdom and the United States this week imposed financial sanctions on a Russian man accused of stealing data from nearly 10 million customers of Australian health insurance giant Medibank. Aleksandr Ermakov, 33, is alleged to have carried out the theft and leak of the Medibank data while working with a notorious Russian ransomware group. Although little information about the accused is publicly available, the documents released by the Australian government included numerous photos of Mr. Ermakov, signalling a strong determination to hold him accountable.

Aleksandr Ermakov, 33, of Russia. Image: Australian Department of Foreign Affairs and Trade.

The sanctions against Ermakov mark the first time Australia has sanctioned a cybercriminal. The October 2022 breach at Medibank resulted in the theft of 9.7 million records of current and former customers, including highly sensitive health records. The U.S. government has linked Ermakov and other actors to the infamous Russia-backed cybercrime gang REvil, a ransomware group responsible for a large number of attacks worldwide in which substantial ransoms were demanded and paid.

Ermakov is reported to have operated under various aliases on Russian cybercrime forums, including GustaveDore, JimJones, and Blade Runner. Research by Intel 471 found that GustaveDore was associated with a ransomware affiliate program called Sugar, which targeted individual computers and end-users rather than corporations.

An ad for the ransomware-as-a-service program Sugar posted by GustaveDore warns readers against sharing information with security researchers, law enforcement, or “friends of Krebs.”

Further evidence ties Ermakov to REvil: the stolen Medibank data was published on a blog previously controlled by REvil affiliates. Although REvil had been largely disrupted by law enforcement, Ermakov's group apparently continued its activities even as the REvil group broke apart. The sanctions serve as a warning and will likely complicate his criminal activities, as his publicly alleged association with REvil and his access to large amounts of cryptocurrency put him at risk in a highly volatile criminal environment.
