Russian hacker-linked REvil behind 2022 Australian cyberattack also targeted Hong Kong’s Dairy Farm

It is not clear whether Dairy Farm paid the ransom. Dairy Farm did not respond to a request for comment.

Chinese developers pull back in Australia, New Zealand as property boom ends

The Russian-based ransomware-as-a-service (RaaS) operation REvil, or short for “Ransomware Evil”, was dismantled by Russian authorities in early 2022, following pressures by other governments including the US to force the group offline.

The group hurt many organisations when it executed a ransomware attack on a software package developed by US-based Kaseya in 2021.

In 2021, the group also attacked Australia-based global beef producer JBS and crippled its global supply chains before the company paid US$11 million as ransom.

Unlike JBS, Medicare did not pay a ransom and data hacked from its site was later publicly published in one of the most prominent cyberattacks in Australia. Later that year, another cyberattack rendered Australian telco Optus vulnerable when another 10 million personal records were stolen.

Australia topped the list of ransomware attacks in Asia-Pacific between 2021 and 2022, according to Singapore-based Russian cybersecurity group Group-IB.

The Australian government said exposing Ermakov’s identity would disarm him and his cyberbusiness as such criminals leverage anonymity.

“We have named him for the first time globally, and his identity now being completely plain is on display for every agency around the world, but also anybody who is seeking to operate with him, so this will have a very significant impact on Aleksandr Ermakov,” deputy prime minister Richard Marles said in a press conference on Tuesday.

Canberra has imposed a targeted financial sanction and a travel ban on Ermakov. Dealing with Ermakov or his assets such as cryptocurrency wallets or ransomware payments will be a criminal act punishable by up to 10 years’ imprisonment and heavy fines.

But Canberra acknowledged that targeting Ermakov would not completely abolish future cyber criminal groups as these gangs were “dynamic and have multiple partners”.

Australia, Indonesia take ‘remarkable’ step towards defence pact, says Albanese

“So a disruption of REvil at one point in time doesn’t cease its business,” said Abigail Bradshaw, head of the Australian cybersecurity centre.

Indeed, Group-IB said REvil’s model, which depended on so-called “affiliates” or individuals with ready-to-use kits for ransomware deployment, has allowed it to repeat its crimes despite crackdowns by law enforcement.

“REvil was one of the old-timers of the ransomware industry,” Feixiang He, Adversary Intelligence Research Lead at Group-IB, said.

“[But] as of 2023, without a doubt, the LockBit gang stands out as the most dominant force in the illicit ransomware market.”

According to He, LockBit topped the list of the “most aggressive” ransomware collectives in Asia-Pacific last year, when the gang released information on more than 1000 victims on its Dedicate Leak Site.

01:48

Notorious ex-hacker hired by Vietnam’s cybersecurity agency to teach others on dangers of hacking

Notorious ex-hacker hired by Vietnam’s cybersecurity agency to teach others on dangers of hacking

“Hacktivist” groups, or criminal groups which carry out cyberattacks in support of political causes, such as “Cyber Error System”, “Esteem Restoration Eagle”, and “Team Insane PK” were also on the rise, He said.

Companies need to conduct underground monitoring capabilities as part of their threat intelligence programmes and be able to promptly detect the sale of their credentials or unauthorised access to their networks, according to He.

Group-IB flagged other digital risk trends last year including the rapid breeding of cybercriminal groups on social media or chat groups such as Telegram, and the significant use of cryptocurrency in the cybercriminal world.