ACT3

The document summarizes a ransomware attack on the Philippine Health Insurance Corporation (PhilHealth) in September 2023 using the Medusa ransomware. Hackers encrypted files and demanded $300,000 ransom. Key impacts included disrupting PhilHealth operations and compromising member data. Responses included securing systems and working to apprehend attackers. Lessons included the need for robust cybersecurity and incident response planning.


ACTIVITY #3

MEDUSA RANSOMWARE
September 2023

Donato, Kenneth Hans
Edubas, Joshua
Ogot, Shaira Beatrice
INTRODUCTION

• In September 2023, the Philippine Health Insurance Corporation (PhilHealth) was hit by a cyber attack using the Medusa ransomware. The hackers demanded a ransom of $300,000, or roughly ₱17 million, from the government in exchange for three things: handing over the decryption keys so the data could be accessed again, deleting the data they had obtained and not publishing it, and giving the Department of Information and Communications Technology (DICT) the copy of the data in their possession. The DICT said that it was working with PhilHealth and its outsourced cybersecurity vendors to complete the "clean up" of the system. Despite the cyber attack, PhilHealth settled over P45 billion worth of claims by its partner health facilities last year. However, PhilHealth is currently grappling with criticism due to recurring data breaches that compromised the personal information of its members and raised substantial concerns regarding its cybersecurity protocols. Another data leak was reported recently, but it was caused by bugs or coding errors, not by hackers.
INCIDENT TIMELINE

• September 22, 2023 – The Philippine Health Insurance Corporation (PhilHealth) experienced a Medusa ransomware attack. The Department of Information and Communications Technology (DICT) was aware of the attack as early as 9 am and has been actively coordinating with PhilHealth to assess the impact and secure compromised systems. The group behind the data breach asked for a $300,000 ransom, or else it would release valuable PhilHealth data on the dark web.

• September 25, 2023 – Hackers demanded $300,000, or roughly ₱17 million, from the government after the database of state insurer PhilHealth was hacked through the Medusa ransomware. The DICT said that the ransom is in exchange for three things, namely: to hand over the decryption keys so the data can be accessed again; to delete the data that they obtained and not publish it to the public; and to give DICT the copy of the data which is in their possession. DICT said it is working with PhilHealth and its outsourced cybersecurity vendors to complete the "clean up" of the system, adding that the most urgent task is to reactivate PhilHealth's online services, as the health insurer had been forced to undergo over-the-counter processing since Sunday.

• September 27, 2023 – PhilHealth announced that it is working to restore its systems by Monday, September 25, 2023, after being hit by the Medusa ransomware, with the hackers demanding a $300,000 ransom for the stolen data. Affected systems shall be restored at the soonest possible time after the completion of the needed configuration and reinforcement of existing information security measures. The group behind the data breach asked for a $300,000 ransom, or else it would release valuable PhilHealth data on the dark web.
ATTACK DETAILS

• According to a news article from Rappler, the Medusa ransomware was used in the cyber attack on PhilHealth. The specific variant of the Medusa ransomware used in the attack is not mentioned in the article. However, the article notes that several groups in the ransomware and malware space identify themselves as Medusa. One of them, documented by cybersecurity firm Trend Micro as the “MedusaLocker” group, and its ransomware were first seen in September 2019 targeting Windows machines, with the infecting software usually arriving through spam emails and phishing websites. Like most ransomware, it is capable of encrypting files and rendering the affected system unusable.

It is currently unclear how the attackers gained access to PhilHealth's systems. However, according to an article from Esquire Philippines, the PhilHealth website and online application portal were attacked on September 22, 2023, which led to the insurer conducting services and transactions offline for a few days. The group behind the data breach asked for a $300,000 ransom, or else it would release valuable PhilHealth data on the dark web. The article from BusinessWorld Online mentions that the attackers allegedly infiltrated PhilHealth’s systems, stole sensitive data, used the Medusa trojan to encrypt files, and demanded a ransom for the decryption keys, threatening to leak the sensitive data if not paid.
IMPACT ASSESSMENT

• The Medusa ransomware attack on PhilHealth in September 2023 had a significant impact on the organization. The attack disrupted the business operations of PhilHealth, forcing the insurer to conduct services and transactions offline for a few days. The attack also compromised the personal information of PhilHealth's members, raising substantial concerns regarding its cybersecurity protocols. The group behind the data breach asked for a $300,000 ransom, or else it would release valuable PhilHealth data on the dark web.

• According to an article from Manila Bulletin, in 2022 there were 65.05 million beneficiaries of PhilHealth that were categorized as direct contributors. Despite the cyber attack, PhilHealth has settled over P45 billion worth of claims by its partner health facilities last year. However, the attack has caused reputational damage to PhilHealth, which is currently grappling with criticism due to recurring data breaches.

• It is unclear whether PhilHealth paid the ransom or not. However, the DICT said that authorities have gathered evidence against the cyber attackers and are working with law enforcement agencies to apprehend the culprits.

The impact of the attack on PhilHealth's financials is not available in the sources I have access to. However, the attack highlights the importance of robust cybersecurity measures and international collaboration to combat advanced cyber threats.
RESPONSE AND MITIGATION

• According to an article from Manila Bulletin, the Department of Information and Communications Technology (DICT) was aware of the attack as early as 9 am on September 22, 2023, and has been actively coordinating with PhilHealth to assess the impact and secure compromised systems. The DICT swiftly responded to secure compromised systems, and the Philippine government aligned with the international Counter Ransomware Initiative to fortify defenses against escalating cyber threats.

• It is unclear whether PhilHealth paid the ransom or not. However, the DICT said that authorities have gathered evidence against the cyber attackers and are working with law enforcement agencies to apprehend the culprits.

• According to an article from Esquire Philippines, PhilHealth conducted services and transactions offline for a few days after the attack. The DICT said that it is working with PhilHealth and its outsourced cybersecurity vendors to complete the "clean up" of the system. The most urgent task is to reactivate PhilHealth's online services, as the health insurer had been forced to undergo over-the-counter processing since Sunday.
LESSONS LEARNED

• The Medusa ransomware attack on PhilHealth in September 2023 highlights the importance of robust cybersecurity measures and international collaboration to combat advanced cyber threats. PhilHealth needs to invest in advanced cybersecurity technologies, such as firewalls, intrusion detection systems, and antivirus software, to protect its systems from cyber threats. PhilHealth needs to develop and implement an incident response plan to respond to cyber attacks effectively. The plan should include procedures for detecting, containing, and remediating cyber attacks, as well as communication protocols for notifying stakeholders about the attack. PhilHealth needs to train its employees on cybersecurity best practices to prevent future attacks. PhilHealth needs to ensure that it complies with all relevant regulatory requirements related to cybersecurity. Compliance with regulations such as the Data Privacy Act of 2012 can help prevent data breaches and protect its data.
RECOMMENDATIONS

• Robust cybersecurity measures – Organizations should invest in advanced cybersecurity technologies, such as firewalls, intrusion detection systems, and antivirus software, to protect their systems from cyber threats.

• Incident response procedures – Organizations should develop and implement an incident response plan to respond to cyber attacks effectively. The plan should include procedures for detecting, containing, and remediating cyber attacks, as well as communication protocols for notifying stakeholders about the attack.

• Employee training – Organizations should train their employees on cybersecurity best practices to prevent future attacks. The training should include topics such as password management, phishing awareness, and social engineering.

• Regulatory compliance – Organizations should ensure that they comply with all relevant regulatory requirements related to cybersecurity. Compliance with regulations such as the Data Privacy Act of 2012 can help prevent data breaches and protect the personal information of the organization's members.

• Guidelines – Organizations should follow the guidelines issued by the Department of Information and Communications Technology (DICT) to protect their data against the Medusa ransomware. The guidelines include backing up files, systems, processes, and other digital assets; prohibiting the use of illegal software and unlicensed programs, especially those downloaded from the internet, in all government offices; and regularly monitoring the organization's attack surface and conducting a port inventory of various systems.
CONCLUSIONS

• The Medusa ransomware attack on PhilHealth in September 2023 highlights the importance of robust cybersecurity measures and international collaboration to combat advanced cyber threats. The attack disrupted the business operations of PhilHealth, compromising the personal information of its members and raising substantial concerns regarding its cybersecurity protocols. The group behind the data breach asked for a $300,000 ransom, or else it would release valuable PhilHealth data on the dark web. It is unclear whether PhilHealth paid the ransom or not. However, the DICT said that authorities have gathered evidence against the cyber attackers and are working with law enforcement agencies to apprehend the culprits.

• Based on the lessons learned from the attack, organizations should invest in advanced cybersecurity technologies, develop and implement an incident response plan, train their employees on cybersecurity best practices, ensure regulatory compliance, and follow the guidelines issued by the Department of Information and Communications Technology (DICT) to protect their data against the Medusa ransomware. By implementing these recommendations, organizations can improve their cybersecurity posture and prevent future cyber attacks.

• The ongoing evolution of the threat landscape necessitates proactive cybersecurity measures to protect organizations from advanced cyber threats. Organizations need to stay vigilant and adapt to the changing threat landscape to ensure the security of their digital assets.
REFERENCES

• MSN Philippines. (2023, September 22). PhilHealth hit by cyber attack. https://www.msn.com/en-ph/news/national/philhealth-hit-by-cyber-attack/ar-AA10zJjV

• Esquire Philippines. (2023, September 23). PhilHealth website and online application portal attacked. https://www.esquiremag.ph/politics/news/philhealth-website-attacked-a00293-20230923

• BusinessWorld Online. (2023, September 23). PhilHealth hit by ransomware attack. https://www.bworldonline.com/philhealth-hit-by-ransomware-attack/

• Rappler. (2023, September 25). PhilHealth hit by ransomware attack. https://www.rappler.com/nation/philhealth-hit-by-ransomware-attack

• Manila Bulletin. (2023, September 25). PhilHealth hit by ransomware attack. https://mb.com.ph/2023/09/25/philhealth-hit-by-ransomware-attack/

• ABS-CBN News. (2023, September 22). PhilHealth hit by cyber attack. https://news.abs-cbn.com/news/09/22/23/philhealth-hit-by-cyber-attack