Four more days to go: Medusa hacking group intensifies threats on PhilHealth's data breach
Cybersecurity experts anticipate a severe escalation involving the release of sensitive PII, while PhilHealth maintains data integrity
At A Glance
- The Medusa hacking group has executed a ransomware attack on the Philippine Health Insurance Corporation (PhilHealth), demanding a ransom that PhilHealth is currently unwilling to pay.
- Cybersecurity experts forecast a severe escalation from Medusa, which may involve the public release of sensitive and personally identifiable information (PII), challenging PhilHealth's claims that no PII has been compromised.
- Thousands of PII records from PhilHealth are reportedly available on the dark web as a result of the breach, according to research conducted by John Patrick Lita, CEO and Founder of SOROS Securities Inc.
- The group operates meticulously, with a media team responsible for creating and disseminating PR documents, videos, and social media posts, and has been known to re-publish stolen data across platforms under various online identities.
- There is growing concern over the potential public release of PhilHealth files by Medusa, with experts and the general public closely observing developments and bracing for the impact of Medusa's next move.
Amid rising tensions over the ransomware attack on the country's health insurance system, cybersecurity experts and the public await the infamous Medusa hacking group's next move as PhilHealth remains unwilling to pay the ransom. Renzon Cruz, Principal DFIR Consultant at Unit 42 by Palo Alto Networks, told MB Technews that we can expect a severe escalation from Medusa in the form of the publication of sensitive and personally identifiable information (PII) if their demands are not met.

Based on his previous experience with the group, Medusa seems poised to validate its possession of sensitive information by releasing a detailed video. This step contrasts with PhilHealth's claims that no PII has been compromised. PhilHealth's continued downplaying of the incident is aggravating Medusa further, prompting the group to potentially expose PII documents publicly.
This is consistent with the findings of John Patrick Lita, Co-Founder and CEO of SOROS Securities Inc., that thousands of PII records from PhilHealth are now available on the dark web because of the security breach. Lita conducted his research on PhilHealth's security posture using data from the dark web.
As a cybersecurity professional who continuously monitors cybercriminals, Cruz said the hacking group is meticulous, keeping abreast of news, blogs, and articles, and seems to be equipped with a media team responsible for creating and disseminating PR materials such as documents, videos, and social media posts. This cybercriminal media team has also been observed collecting and reporting breaches, re-publishing stolen data across platforms, and operating under various online identities and handles such as "t0mas" and "Robert Vroofdown" on Breach Forums, Twitter, and other platforms.
The group seems to be operating from a consistent playbook, with Cruz pointing out that similar messages and tactics have been observed in their other cases. Their messages harbor a dual-tone, extending a hand for resolution while simultaneously wielding threats of significant damage to companies and clients' information.
Cruz forecasts that Medusa may release a lengthy video of 30 to 50 minutes in the event of non-compliance from PhilHealth, flaunting a series of PII data and IDs across social media platforms such as X (Twitter), Telegram, and Facebook. Medusa's public relations arm, identified as "OSINT without Borders", appears to serve the function of reporting breaches and re-publishing stolen data.
Experts and watchers are now on edge, closely observing the developments and awaiting the potential public release of PhilHealth files by Medusa. The latter's PR team has been known to re-dump files on Telegram and other platforms, giving more reason for concern.
While the situation remains tense and the outcome uncertain, both PhilHealth and the general public brace for the impact of Medusa's next move, with many hoping for a resolution that avoids extensive compromise of sensitive information.