The Philippine Health Insurance Corporation (PhilHealth) experienced a Medusa ransomware attack on September 22, 2023, affecting the government's health insurance program. In 2022, there were 65.05 million beneficiaries of PhilHealth that were categorized as direct contributors.
The Department of Information and Communications Technology (DICT) was aware of the attack as early as 9 am and has been actively coordinating with PhilHealth to assess the impact and secure compromised systems.
DICT Undersecretary Jeffrey Ian Dy confirmed the incident and identified the attack as a Medusa ransomware attack, a type of malware that encrypts files and demands a ransom payment for the decryption key.
The Philippines is in the process of joining the Counter Ransomware Initiative (CRI), a global coalition launched in October 2021 by countries including the US, Australia, Canada, the United Kingdom, and the Netherlands, aiming to improve international cooperation on ransomware prevention, detection, response, and recovery.
This attack on PhilHealth is part of a series of escalating cyberattacks targeting government agencies and businesses in the Philippines, emphasizing the importance of fortified cybersecurity measures and international collaboration to combat advanced cyber threats.
PhilHealth paralyzed by Medusa ransomware attack
The Department of Information and Communications Technology (DICT) swiftly responds to secure compromised systems; the Philippine government aligns with the international Counter Ransomware Initiative to fortify defenses against escalating cyber threats
At a glance
The Philippine Health Insurance Corporation (PhilHealth), the government's health insurance program for all Filipinos, was hit by a ransomware attack today, September 22, 2023. In 2022, there were 65.05 million beneficiaries of PhilHealth that were categorized as direct contributors.
Jeffrey Ian Dy, Undersecretary for Connectivity, Cybersecurity, and Upskilling at the Department of Information and Communications Technology (DICT), confirmed the attack, saying the agency was aware of it as early as 9 am. He said that the initial assessment was that it was a Medusa ransomware attack. The Medusa ransomware is a type of malware that encrypts files and demands a ransom payment in exchange for the decryption key.
"We have been coordinating with PhilHealth since this morning. We are assessing the impact at the moment. They are temporarily down sa eGovApp, but there are no indications eGov is affected," Dy said.
Dy also said that as part of a more extensive solution, the Philippines is joining the Counter Ransomware Initiative (CRI) with the US, Australia, and other countries. He said the government has already recommended joining the initiative to the Department of Foreign Affairs.
The ransomware attack on PhilHealth is the latest in a series of cyberattacks targeting government agencies and businesses in the Philippines.
The CRI is a global initiative to combat ransomware. It was launched in October 2021 by the US, Australia, Canada, the United Kingdom, and the Netherlands. The CRI aims to improve cooperation between countries on ransomware prevention, detection, response, and recovery.
The Philippine government's decision to join the CRI is a welcome step. The CRI can provide the Philippines with access to resources and expertise to help the country defend itself against ransomware attacks.
I asked John Patrick Lita, CEO and Founder of SOROS Securities Inc, about the attack and what can companies do to avoid such incidents. "To defend against such attacks, organizations need to put robust security measures in place. These include Endpoint Security, Device Management, Network Security, IDS/IPS, and training to make users aware of potential threats." JP Lita said.
He also added, "If an organization falls victim to ransomware, it needs to activate its incident response plan to ensure proper reporting and escalation to manage the incident effectively. Infected devices or networks should be isolated immediately to stop the ransomware from spreading and infecting other devices. Subsequently, a Compromise Assessment/Root Cause Analysis should be performed to identify the source of the infection and assess other devices for potential signs of the malicious file. After the incident, it’s crucial for the organization to document what happened and enhance its defenses based on the lessons learned."