Industry Expert Report - The State of Ransomware in The Philippines A Report On The Recent Attacks On Phil-Data and PhilHealth


The State of Ransomware in the Philippines: A Report on the Recent Attacks on Phil-Data and PhilHealth

September 2023
The State of Ransomware in the Philippines: A Report on the Recent Attacks on Phil-Data and PhilHealth / September 2023

TABLE OF CONTENTS
Executive Summary ........ 3
PhilHealth – Ransomware Medusa ........ 4
Phil-Data – Ransomware ALPHV ........ 9
Conclusion ........ 14
Recommendations ........ 14
Indicators of Compromise ........ 15
CONTACT US ........ 19

Confidential | Cyberint Copyright © All Rights Reserved 2023 2



Executive Summary
In recent years, the global cybersecurity landscape has witnessed an alarming surge in ransomware
attacks, with companies and organizations of all sizes and sectors falling victim to these malicious
campaigns. As a nation reliant on critical healthcare and data management institutions, the Philippines
has not been immune to this growing threat. This industry expert report delves into two significant
ransomware attacks recently targeting Philippine institutions - PhilHealth and Phil-Data.

This report aims to analyze the ransomware attacks on PhilHealth and Phil-Data comprehensively. It
delves into the intricacies of these incidents, exploring the tactics, techniques, and procedures (TTPs)
employed by threat actors, the impact on the affected organizations, and the subsequent responses
taken to mitigate and recover from the attacks. Moreover, this report offers valuable insights and
recommendations for bolstering cybersecurity resilience in the face of the evolving ransomware threat
landscape.

The analysis contained herein results from extensive research, a review of publicly available information,
and an examination of the cybersecurity measures in place at the time of the attacks.


PhilHealth – Ransomware Medusa


On September 22, 2023, the Philippine Health Insurance Corporation (PhilHealth) was hit by a
ransomware attack carried out by the Medusa ransomware group, a threat group focused on file
encryption and extortion.

The attack had a significant impact on PhilHealth's operations. Many of its systems were taken
down, including its website, eGovApp, and claims processing system. This caused delays and
disruptions in delivering healthcare services to millions of Filipinos.

PhilHealth Posted as Victim on Medusa Ransomware Blog Site

As observed on its leak site, the Medusa ransomware group has set an 8-day deadline for
PhilHealth to pay the ransom demand, should it decide to do so. The group stated that the
state-owned corporation had communicated with them via its TOR channel but had not responded
to the payment demand.


Cyberint has obtained stolen files from the PhilHealth attack, which are also posted on the
Medusa ransomware leak site.

Source: Medusa Blog

Based on our analysis of the currently leaked files, the data stolen from PhilHealth includes
the following:

• PhilHealth Employee Data (Employee Position, Name, Address, Birthdate, Date Hired,
Salary, Location)

• PhilHealth Customer Data (Customer Name, Address, Birthdate, Scanned IDs, Customer
Insurance Claims)

• PhilHealth Legal Documents (Court Cases/Files, Contracts)

The files leaked so far from the PhilHealth attack are only sample files, and we expect that the
threat group has gathered more sensitive data on the institution. The currently leaked files
already contain highly critical data, such as PhilHealth customer data exposing the PII of
PhilHealth beneficiaries. The sample leak also contains scanned IDs and documents describing
legal proceedings against some of its customers.


Source: Medusa Blog

Ransomware Medusa – Attack Flow


Upon execution, the Medusa ransomware traverses each folder on the machine and encrypts files
using AES-256 and RSA-2048 encryption. It appends the extension “.MEDUSA” to each encrypted file.

Ransomware Note and MEDUSA Encrypted Files


Upon execution, the binary is remotely controlled by the threat group to configure how files will
be encrypted on the device. The command-line arguments accepted by the ransomware binary are as
follows:

Command   Functionality
-V        Get version
-d        Do not delete self
-f        Exclude system folder
-i        In path
-k        Key file path
-n        Use network
-p        Do not preprocess (preprocess = kill services and shadow copies)
-s        Exclude system drive
-t        Note file path
-v        Show console window
-w        Initial run PowerShell path (powershell -executionpolicy bypass -File %s)

By default, the Medusa ransomware binary terminates over 280 Windows services and processes
belonging to programs that could prevent files from being encrypted. These include Windows
services for mail servers, database servers, backup servers, and security software.

Afterwards, the ransomware deletes Windows Shadow Volume Copies so that they cannot be used to
recover files, using the following commands:

• vssadmin Delete Shadows /all /quiet

• vssadmin resize shadowstorage /for=%s /on=%s /maxsize=unbounded


When encrypting files, the ransomware appends the “.MEDUSA” extension to encrypted file names
and, in each folder, creates a ransom note named !!!READ_ME_MEDUSA!!!.txt that explains what
happened to the victim's files.

The ransom note also includes extensive contact information: a Tor data leak site, a Tor
negotiation site, a Telegram channel, a Tox ID, and the key.medusa.serviceteam@protonmail.com
email address.

Ransomware Note
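As an added host-triage example (not code from the Cyberint report), the following Python walks a directory tree for the two artefacts described above, the “.MEDUSA” extension and the !!!READ_ME_MEDUSA!!!.txt note, checks that renamed files really are high-entropy ciphertext, and extracts the contact channels listed in the note. The sample tree, the placeholder .onion URL and all helper names are constructed for the example; only the extension, the note name and the protonmail address come from the report.

```python
"""Triage of Medusa artefacts: .MEDUSA files, the per-folder ransom note and the
contact channels it lists. Added example, not code from the Cyberint report."""
import math
import os
import re
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".MEDUSA"                    # from the report
NOTE_NAME = "!!!READ_ME_MEDUSA!!!.txt"       # from the report
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\S*", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: AES output sits close to 8.0, plain text far below it."""
    if not data:
        return 0.0
    counts, n = Counter(data), len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def extract_contacts(note_text: str) -> dict:
    return {"onion": sorted(set(ONION_RE.findall(note_text))),
            "email": sorted(set(EMAIL_RE.findall(note_text)))}

def triage(root: str) -> dict:
    """Walk the tree the way the ransomware did and summarise what it left behind."""
    result = {"encrypted": [], "low_entropy_encrypted": [], "notes": [], "contacts": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                result["notes"].append(path)
                with open(path, encoding="utf-8", errors="replace") as f:
                    for k, v in extract_contacts(f.read()).items():
                        result["contacts"].setdefault(k, set()).update(v)
            elif name.upper().endswith(ENCRYPTED_EXT):
                result["encrypted"].append(path)
                with open(path, "rb") as f:
                    head = f.read(4096)
                # A renamed but unencrypted file points to a failed or partial run
                # and may be recoverable simply by stripping the extension.
                if shannon_entropy(head) < 7.0:
                    result["low_entropy_encrypted"].append(path)
    result["contacts"] = {k: sorted(v) for k, v in result["contacts"].items()}
    return result

def build_sample_tree() -> str:
    """Constructed fixture: a fake victim folder, not data from the incident."""
    root = tempfile.mkdtemp(prefix="medusa_triage_")
    sub = os.path.join(root, "claims")
    os.makedirs(sub)
    with open(os.path.join(sub, "claim-0001.pdf.MEDUSA"), "wb") as f:
        f.write(os.urandom(4096))                   # stands in for AES ciphertext
    with open(os.path.join(sub, "readme.txt.MEDUSA"), "wb") as f:
        f.write(b"not really encrypted " * 200)     # renamed only
    note = ("Your files were encrypted.\n"
            "Contact: key.medusa.serviceteam@protonmail.com\n"
            "Negotiation: http://placeholderplaceholder.onion/token-ab12cd34\n")
    for d in (root, sub):
        with open(os.path.join(d, NOTE_NAME), "w", encoding="utf-8") as f:
            f.write(note)
    return root

if __name__ == "__main__":
    r = triage(build_sample_tree())
    print(f"{len(r['encrypted'])} encrypted, {len(r['notes'])} notes, contacts={r['contacts']}")
```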


Phil-Data – Ransomware ALPHV


Yesterday, Phil-Data was also hit by the ALPHV ransomware group. On checking its leak site, we
observed that the threat group has posted a number of confidential files belonging to Phil-Data customers.

Phil-Data Posted on Ransomware ALPHV Leak Site

As shown in the screenshot above, the leaked files from Phil-Data contained the following:

• Customer Data (Name, Address, Nationality, Birthday, IDs, Income Tax Data, TIN)

• Customer Data (SEC Registration, Stocks Data, Company Address, Name of Shareholders
and Board Members, Company Contracts, Audit Reports, Customer’s Company Receipts,
Client’s Company Executive’s Email Addresses and Position)


Further analysis of the leaked Phil-Data files shows that most of the exposed data belongs to
the company's clients and customers, as the victim is one of the biggest managed service
providers in the Philippines.

Phil-Data Leaked File Sample

It also shows how critical the stolen data is: some of the customer files contain sensitive PII
of Phil-Data's clients, as in the screenshot below, which displays the name, position, and TIN
of the executives of a client company.

Phil-Data Leaked File Sample – Client Company Executives Data


Some leaked files also contained scanned copies of documents that Phil-Data issued to its customers.
The leak also contained stock data of its customers, as shown in the screenshot below.

Phil-Data Leaked File Sample – Client Stock Data


Ransomware ALPHV – Attack Flow


The ALPHV ransomware binary can be run with different command-line arguments.

List of Commands that the Binary Accepts

As shown above, this is very similar to the Medusa ransomware, which also accepts arguments and
commands that let the threat actor/group perform remote command execution on the victim's
device.

Next, the ransomware generates the ransom note for later use and prepares the image file that it
will use to replace the infected user's desktop background, which is the ransom note itself.

Generation of the Ransomware Note

After this, the ransomware prepares to escalate privileges by creating a new thread that bypasses
UAC, which is done by abusing Microsoft COM (Component Object Model).


Finally, ALPHV ends its preparation for encryption by doing the following:

• Deletion of all volume shadow copies using vssadmin and wmic commands, disabling data
recovery.

• Disabling Automatic Repair using bcdedit to prevent the recovery of system-related files.

• Clearing event logs.

• Terminating all active services and processes.
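The recovery-inhibition steps listed for Medusa above (vssadmin delete and resize) and for ALPHV here (vssadmin, wmic, bcdedit, event log clearing) are a compact detection opportunity for a SOC. The following added example, which is not part of the Cyberint report, runs simple command-line rules over constructed process-creation events; the wmic, bcdedit and wevtutil command strings in the sample events are assumed forms of the actions the report names, and the MITRE ATT&CK technique IDs are my mapping.

```python
"""Detection over constructed Windows process-creation events (Sysmon Event ID 1
style) for the recovery-inhibition commands the report describes. Added example."""
import re
from dataclasses import dataclass

# (rule name, regex applied to the command line, MITRE ATT&CK technique)
RULES = [
    ("vssadmin_delete_shadows",
     r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", "T1490"),
    ("vssadmin_resize_shadowstorage",
     r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*\bmaxsize=", "T1490"),
    ("wmic_shadowcopy_delete",
     r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", "T1490"),
    ("bcdedit_disable_recovery",
     r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|ignoreallfailures)", "T1490"),
    ("wevtutil_clear_log",
     r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b", "T1070.001"),
    ("powershell_bypass_file",
     r"\bpowershell(\.exe)?\b.*-executionpolicy\s+bypass\b.*-file\b", "T1059.001"),
]
COMPILED = [(n, re.compile(p, re.IGNORECASE), t) for n, p, t in RULES]

@dataclass(frozen=True)
class Alert:
    rule: str
    technique: str
    parent_image: str
    command_line: str

def match_event(event: dict) -> list:
    """Alerts raised by one process-creation event (empty list when benign)."""
    cmd = event.get("CommandLine", "")
    return [Alert(n, t, event.get("ParentImage", ""), cmd)
            for n, rx, t in COMPILED if rx.search(cmd)]

def scan_events(events) -> list:
    return [a for ev in events for a in match_event(ev)]

# Constructed sample telemetry, not events from the incidents in the report.
# Six of the seven events share one suspicious parent; that parent is what an
# analyst would pivot to once several of these rules fire within minutes.
PARENT = r"C:\Users\Public\svc.exe"   # constructed path
SAMPLE_EVENTS = [
    {"ParentImage": PARENT, "CommandLine": "vssadmin Delete Shadows /all /quiet"},
    {"ParentImage": PARENT,
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"},
    {"ParentImage": PARENT, "CommandLine": "wmic shadowcopy delete"},
    {"ParentImage": PARENT, "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"ParentImage": PARENT, "CommandLine": "wevtutil cl Security"},
    # benign admin activity: merely listing shadows must not alert
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "vssadmin list shadows"},
    {"ParentImage": PARENT,
     "CommandLine": r"powershell -executionpolicy bypass -File C:\Users\Public\pre.ps1"},
]

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.rule}: {a.command_line} (parent={a.parent_image})")
```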

After its preparation phase, the ransomware first traverses the infected device using a loop of
FindFirstFile and FindNextFile calls to locate all files on the system. The files are then
encrypted, and a ransom note is written to each directory that it has successfully encrypted.

The Ransomware Note

Once ALPHV encrypts all files on the system, the Desktop wallpaper is changed, instructing the user
to refer to the ransom note. The “.onion” URL specified in the ransom note is unique to each victim,
as each sample uses a different access token supplied to the URL as a parameter. The onion URL
contains information about the files encrypted/stolen and instructions on how to pay the ransom.


Conclusion
The ransomware attacks on PhilHealth and Phil-Data are serious incidents that have significantly
impacted millions of Filipinos. The attacks highlight the growing threat of ransomware attacks,
especially in the healthcare and financial sectors. These organizations hold sensitive data that is
valuable to criminals, and ransomware attackers often target them.

The PhilHealth and Phil-Data ransomware attacks also raise concerns about the government's ability
to protect sensitive data. The government has a responsibility to protect the data of its citizens, and it
is important to learn lessons from these attacks and take steps to prevent similar incidents from
happening in the future.

The government should also consider providing support to individuals who have been affected by the
data breaches. This support could include offering credit monitoring services and helping individuals to
change their passwords and other security information.

The PhilHealth and Phil-Data ransomware attacks are a serious wake-up call for the Philippine
government and businesses. It is important to take steps to protect sensitive data and mitigate the
risks of ransomware attacks.

Recommendations
• Implement strong security measures, such as multi-factor authentication and firewalls. Multi-
factor authentication adds an extra layer of security to user accounts by requiring users to
enter two or more factors, such as a password and a one-time code from their phone, to log in.
Firewalls can help to block malicious traffic from entering your network.

• Educate employees about cybersecurity best practices. Employees should be trained to
identify and avoid phishing emails, which are a common way for ransomware to spread. They
should also be trained in how to create strong passwords and keep their software up to date.

• Regularly back up data and test recovery plans. Backups should be stored offline and tested
regularly to ensure they can be restored during a ransomware attack.

• Have a plan in place for responding to a ransomware attack. This plan should include steps for
notifying affected individuals, mitigating the damage, and recovering from the attack.


Indicators of Compromise
• Ransomware ALPHV/BlackCat

• Ransomware Medusa




CONTACT US
www.cyberint.com | sales@cyberint.com | blog.cyberint.com

ISRAEL
Tel: +972-3-7286-777
17 Ha-Mefalsim St 4951447 Petah Tikva

UNITED KINGDOM
Tel: +44-203-514-1515
6 The Broadway, Mill Hill NW7 3LL, London

USA – TX
Tel: +1-646-568-7813
7700 Windrose Plano, TX 75024

SINGAPORE
Tel: +65-3163-5760
135 Cecil St. #10-01 MYP PLAZA 069536

USA - MA
Tel: +1-646-568-7813
22 Boston Wharf Road Boston, MA 2210

JAPAN
Tel: +81 080-6611-7759
27F, Tokyo Sankei Building, 1-7-2 Otemachi, Chiyoda-ku, Tokyo 100-0004

ABOUT CYBERINT

Cyberint's impactful intelligence solution fuses real-time threat intelligence with bespoke attack
surface management, providing organizations with extensive integrated visibility into their external risk
exposure. Leveraging autonomous discovery of all external-facing assets, coupled with open, deep &
dark web intelligence, the solution allows cybersecurity teams to uncover their most relevant known and
unknown digital risks - earlier. Global customers, including Fortune 500 leaders across all major
market verticals, rely on Cyberint to prevent, detect, investigate, and remediate phishing, fraud,
ransomware, brand abuse, data leaks, external vulnerabilities, and more, ensuring continuous external
protection from cyber threats.

