The Philippine Health Insurance Corporation (PhilHealth), the government's health insurance program for all Filipinos, was hit by a ransomware attack today, September 22, 2023.  In 2022, there were 65.05 million beneficiaries of PhilHealth that were categorized as direct contributors.

Jeffrey Ian Dy, Undersecretary for Connectivity, Cybersecurity, and Upskilling at the Department of Information and Communications Technology (DICT), confirmed the attack, saying the agency was aware of it as early as 9 am. He said that the initial assessment was that it was a Medusa ransomware attack. The Medusa ransomware is a type of malware that encrypts files and demands a ransom payment in exchange for the decryption key.

"We have been coordinating with PhilHealth since this morning. We are assessing the impact at the moment. They are temporarily down sa eGovApp, but there are no indications eGov is affected," Dy said.

Dy also said that as part of a more extensive solution, the Philippines is joining the Counter Ransomware Initiative (CRI) with the US, Australia, and other countries. He said the government has already recommended joining the initiative to the Department of Foreign Affairs.

The ransomware attack on PhilHealth is the latest in a series of cyberattacks targeting government agencies and businesses in the Philippines.

The CRI is a global initiative to combat ransomware. It was launched in October 2021 by the US, Australia, Canada, the United Kingdom, and the Netherlands. The CRI aims to improve cooperation between countries on ransomware prevention, detection, response, and recovery.

The Philippine government's decision to join the CRI is a welcome step. The CRI can provide the Philippines with access to resources and expertise to help the country defend itself against ransomware attacks.

I asked John Patrick Lita, CEO and Founder of SOROS Securities Inc, about the attack and what can companies do to avoid such incidents. "To defend against such attacks, organizations need to put robust security measures in place. These include Endpoint Security, Device Management, Network Security, IDS/IPS, and training to make users aware of potential threats." JP Lita said.  

He also added, "If an organization falls victim to ransomware, it needs to activate its incident response plan to ensure proper reporting and escalation to manage the incident effectively. Infected devices or networks should be isolated immediately to stop the ransomware from spreading and infecting other devices. Subsequently, a Compromise Assessment/Root Cause Analysis should be performed to identify the source of the infection and assess other devices for potential signs of the malicious file. After the incident, it’s crucial for the organization to document what happened and enhance its defenses based on the lessons learned."