The Philippines’ supposed “weakness” in cybersecurity might have just been exploited—and exposed.
On Friday, September 22, the Philippine Health Insurance Corporation (PhilHealth), the government agency tasked with overseeing the implementation of the country’s universal health coverage, fell victim to the Medusa ransomware, a strain first observed in September 2019 that can, among other things, delete volume shadow copies and backups, disable recovery mode, and terminate processes.
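As an added example (not code from the article, PhilHealth, or the DICT), the following Python snippet shows how a defender can flag the three behaviours just described (shadow-copy and backup deletion, recovery mode disabled, forced process termination) in process-creation log lines. The log lines are constructed, and the command patterns are generic ransomware tradecraft used for illustration; the article does not list the exact commands Medusa runs.

```python
import re

# Constructed sample process-creation command lines (not from any real incident).
SAMPLE_LOGS = [
    "vssadmin.exe delete shadows /all /quiet",
    "bcdedit.exe /set {default} recoveryenabled no",
    "wbadmin.exe delete catalog -quiet",
    "taskkill.exe /F /IM sqlservr.exe",
    "notepad.exe C:\\Users\\alice\\notes.txt",
    "wmic.exe shadowcopy delete",
    "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
]

# One rule per behaviour category named in the article. These are commonly observed
# ransomware commands; they are an assumption for illustration, not Medusa's exact code.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "backup_catalog_deletion": re.compile(
        r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    "recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\S+\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "process_termination": re.compile(r"taskkill(\.exe)?\s+.*(/f|/im)", re.I),
}


def classify(cmdline):
    """Return the list of behaviour categories a single command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(lines):
    """Return a hit record for every log line that matches at least one rule."""
    hits = []
    for line_no, line in enumerate(lines):
        tags = classify(line)
        if tags:
            hits.append({"line_no": line_no, "cmdline": line, "tags": tags})
    return hits


def risk_score(hits):
    """Count distinct behaviour categories seen; three or more is a strong ransomware signal."""
    return len({tag for hit in hits for tag in hit["tags"]})


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for hit in found:
        print(hit["line_no"], hit["tags"], hit["cmdline"])
    print("distinct categories:", risk_score(found))
```

In practice the same rules would be applied to Sysmon event 1 or Windows 4688 command-line fields, and an alert raised when several categories fire on one host within a short window.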
PhilHealth Data on the Dark Web
According to Art Samaniego, a Philippines-based technology journalist and cybersecurity expert, the group behind the attack has already posted 31 pages of sensitive data on the dark web—names, addresses, contact information, and medical records—exfiltrated from the PhilHealth system. This data, Samaniego explained, contains personal information of PhilHealth members and will be released online by the perpetrators if PhilHealth does not pay a ransom of USD $300,000—or the equivalent of some Php 16 million.
Jeffrey Ian Dy, the Undersecretary of the Department of Information and Communications Technology (DICT), confirmed the incident and the ransom demand to The STAR, a local media outlet in the Philippines.
“They have already made a demand for USD $300,000 for them to do two things: One is to delete the data that they captured, and two, is so they would give us the key so we can decrypt the data that they encrypted,” Dy said.
The government, though, is not inclined to pay the ransom, according to a security professional working with PhilHealth to recover its data. Instead, PhilHealth, the DICT, and other relevant agencies are now working together to recover said data—and, just as important, find out the cybercriminals behind the attack and bring them to justice.
Medusa Contained, But Concerns Linger
As of posting, the Medusa ransomware has allegedly already been contained, with lateral movement within the PhilHealth system no longer possible.
“The National Computer Emergency Response Team (NCERT) of DICT, our outsourced providers, and PhilHealth are working round the clock to restore the PhilHealth systems. The ransomware has been contained. We don't see the malware moving laterally to other computers in PhilHealth,” Dy pointed out. “Pending other due diligence checks, we can confidently advise PhilHealth to resume online services in the next few days.”
Nevertheless, the downtime caused by the attack is disrupting the agency’s capability to render timely and efficient service, while the entirety of the incident is a big blow to PhilHealth’s eroding reputation, which has already taken a hit lately after falling as much as Php 10 billion behind in reimbursements it owes to its partner private hospitals in the Philippines.
In light of the security incident, the DICT has also called upon other government agencies to be more vigilant against the Medusa ransomware and cyber attacks in general. In fact, it has even released a memorandum circular mandating a comprehensive review of Bring-Your-Own-Device and work-from-home policies, which the department deems significant vulnerabilities.
The PhilHealth attack comes on the heels of a cybersecurity report from Palo Alto Networks identifying the Philippines as one of the ASEAN countries with the highest number of malicious attacks. This prompted Steven Scheurmann, Regional Vice President for ASEAN at Palo Alto Networks, to ask organisations in the Philippines to “update their security capabilities” and continually improve them.
Unfortunately for PhilHealth and its members, the agency’s security capabilities appear to have exploitable loopholes—and these have been duly exploited and exposed.