Philippine Health Insurance Corporation probes cyber attack


Implements containment measures following Medusa ransomware breach.


The Philippine Health Insurance Corporation (PhilHealth), the government agency that provides medical insurance to Filipinos, is investigating a ransomware attack on its servers, with the attackers demanding a US$300,000 (S$409,799) ransom for the stolen data.

The agency’s systems were attacked by Medusa ransomware, as confirmed by the Philippines Department of Information and Communications Technology (DICT).
 
The attackers have listed the PhilHealth data on the Medusa leak blog for a US$300,000 ransom, posting more than 31 pages of sample files as proof of the theft.

Medusa ransomware is malware that encrypts files and demands a ransom payment for the decryption key. Its operators typically gain initial access by brute-forcing publicly exposed Remote Desktop Protocol (RDP) servers, through phishing campaigns, or by exploiting unpatched vulnerabilities.

Once inside the network, Medusa moves laterally to infect other machines over Server Message Block (SMB) or by abusing Windows Management Instrumentation (WMI), DICT said.

PhilHealth said it began investigating the incident together with the relevant government agencies "to assess its extent" soon after the attack was detected early on Friday, September 22.
 
Speaking to ONE News, DICT Undersecretary Jeffrey Dy said the Medusa ransomware group responsible for breaching PhilHealth's systems had obtained "random bits of data", and that the agency's systems are currently inaccessible as a security precaution. He also said there was no intention to pay the ransom.

Dy added that DICT is working with other government agencies, including the National Privacy Commission (NPC) and the cybercrime units of the National Bureau of Investigation (NBI) and the Philippine National Police (PNP), to support PhilHealth's recovery.

PhilHealth's systems, including its website, the Health Care Institution (HCI) member portal and e-claims, have been taken offline or unplugged as part of the containment measures.

“Affected systems shall be restored at the soonest possible time after the completion of the needed configuration and reinforcement of existing information security measures,” PhilHealth said in a Facebook post.

No data leak

PhilHealth said the personal and medical information of its members was not compromised in the incident. It has laid out temporary procedures for members to file benefit claims and submit contributions, and hopes to have services restored by Monday, September 25.

"Employers may submit their reports once the Electronic Premium Remittance System (EPRS) has been restored," it said.

In light of the Medusa ransomware, DICT has issued an advisory directing government agencies to review their bring-your-own-device policies for office staff and the access-management policies covering work-from-home arrangements.

It called for regular monitoring of each organisation's attack surface, including an inventory of exposed ports; backups of files, systems, processes and other digital assets; and the implementation of a security information and event management (SIEM) system.

It also recommended account lockout policies, and a recovery plan that keeps multiple copies of sensitive or proprietary data and servers in physically separate, segmented and secure locations.
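As an added illustration (not part of the original article or of DICT's advisory), the following Python sketches the kind of SIEM detection the advisory points at, run over constructed Windows Security events that mimic the intrusion chain described earlier: repeated failed RDP logons (Event ID 4625, logon type 10) from one internet address followed by a success, then network logons (Event ID 4624, logon type 3, the type SMB and WMI/DCOM sessions produce) from the freshly compromised host to several internal servers. All hosts, addresses, usernames, timestamps and thresholds are hypothetical.

```python
"""SIEM-style detections for an RDP brute force followed by SMB/WMI lateral
movement. The events below are CONSTRUCTED for this example; field names
mirror the Windows Security log (4625 = failed logon, 4624 = successful
logon, LogonType 10 = RemoteInteractive/RDP, LogonType 3 = Network)."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP = 10      # RemoteInteractive (RDP) logon
NETWORK = 3   # Network logon: SMB shares, WMI/DCOM, RPC

# Hypothetical asset inventory: hostname -> internal address.
HOST_IPS = {"DMZ-RDP01": "10.0.1.5", "FS01": "10.0.2.10",
            "DB01": "10.0.2.11", "APP01": "10.0.2.12"}


def ev(ts, event_id, logon_type, src, host, user):
    """Build one normalised event (as a SIEM would index it)."""
    return {"ts": datetime.fromisoformat(ts), "EventID": event_id,
            "LogonType": logon_type, "SourceIP": src, "Host": host, "User": user}


# Constructed sample telemetry, deliberately out of time order like a real feed.
SAMPLE_EVENTS = [
    # six failed RDP logons from one internet address inside four minutes...
    ev("2023-09-22T01:00:05", FAILED_LOGON, RDP, "203.0.113.7", "DMZ-RDP01", "administrator"),
    ev("2023-09-22T01:00:40", FAILED_LOGON, RDP, "203.0.113.7", "DMZ-RDP01", "administrator"),
    ev("2023-09-22T01:01:15", FAILED_LOGON, RDP, "203.0.113.7", "DMZ-RDP01", "admin"),
    ev("2023-09-22T01:02:02", FAILED_LOGON, RDP, "203.0.113.7", "DMZ-RDP01", "admin"),
    ev("2023-09-22T01:02:50", FAILED_LOGON, RDP, "203.0.113.7", "DMZ-RDP01", "svc_backup"),
    ev("2023-09-22T01:03:30", FAILED_LOGON, RDP, "203.0.113.7", "DMZ-RDP01", "svc_backup"),
    # ...then a success (a lockout policy of 5 attempts would have stopped this)
    ev("2023-09-22T01:04:10", SUCCESS_LOGON, RDP, "203.0.113.7", "DMZ-RDP01", "svc_backup"),
    # the compromised host opens SMB/WMI sessions to three internal servers
    ev("2023-09-22T01:09:00", SUCCESS_LOGON, NETWORK, "10.0.1.5", "FS01", "svc_backup"),
    ev("2023-09-22T01:09:30", SUCCESS_LOGON, NETWORK, "10.0.1.5", "DB01", "svc_backup"),
    ev("2023-09-22T01:10:00", SUCCESS_LOGON, NETWORK, "10.0.1.5", "APP01", "svc_backup"),
    # benign noise: one mistyped password from the office, one normal share access
    ev("2023-09-22T01:05:00", FAILED_LOGON, RDP, "198.51.100.20", "DMZ-RDP01", "jdoe"),
    ev("2023-09-22T01:06:00", SUCCESS_LOGON, NETWORK, "10.0.2.12", "FS01", "jdoe"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (max_failures_in_window, followed_by_success)} for every
    source that produced at least `threshold` failed RDP logons inside `window`."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["LogonType"] != RDP:
            continue
        bucket = failures if e["EventID"] == FAILED_LOGON else successes
        if e["EventID"] in (FAILED_LOGON, SUCCESS_LOGON):
            bucket[e["SourceIP"]].append(e["ts"])
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted failures
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_fail = times[-1]
            followed = any(last_fail < t <= last_fail + window for t in successes.get(ip, []))
            alerts[ip] = (best, followed)
    return alerts


def detect_lateral_movement(events, host_ips, min_targets=3, window=timedelta(minutes=15)):
    """Return {pivot_host: sorted target hosts} where a host that just received an RDP
    logon then opened network logons (SMB/WMI) to >= min_targets other hosts."""
    rdp_logins = [e for e in events if e["EventID"] == SUCCESS_LOGON and e["LogonType"] == RDP]
    net_logins = [e for e in events if e["EventID"] == SUCCESS_LOGON and e["LogonType"] == NETWORK]
    alerts = {}
    for r in rdp_logins:
        pivot, pivot_ip = r["Host"], host_ips.get(r["Host"])
        targets = {n["Host"] for n in net_logins
                   if n["SourceIP"] == pivot_ip and n["Host"] != pivot
                   and r["ts"] <= n["ts"] <= r["ts"] + window}
        if len(targets) >= min_targets:
            alerts[pivot] = sorted(targets)
    return alerts


if __name__ == "__main__":
    for ip, (count, success) in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"RDP brute force from {ip}: {count} failures, success followed: {success}")
    for host, targets in detect_lateral_movement(SAMPLE_EVENTS, HOST_IPS).items():
        print(f"Lateral movement from {host} to {', '.join(targets)}")
```

The brute-force rule uses a sliding window rather than a per-hour count so that a slow, spread-out spray is not missed, and it flags separately whether a success followed the failures, which is the case worth paging someone for. The lateral-movement rule only fires for hosts that have just received an RDP logon, which keeps ordinary file-share traffic from tripping it.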

© iTnews Asia