A PhilHealth service counter. The Medusa ransomware, which conceals itself within the system to evade detection, has been affecting PhilHealth since June, a senior cybersecurity official said. Image Credit: Screengrab

Manila: Hackers have made a demand for $300,000, approximately ₱17 million, from the Manila government after compromising the database of the state health insurer, the Philippine Health Insurance Corporation (PhilHealth), through the Medusa "ransomware”, it was revealed Monday.

The leaked information primarily pertains to PhilHealth employees, not PhilHealth members, according to a senior cybersecurity official.

PhilHealth member databases remain "safe and secure”, according to Department of Information and Communications Technology (DICT).

Department Undersecretary Jeffrey Ian Dy, told local media that the ransom demand is contingent on three conditions:

  • Providing the decryption keys to enable access to the data again.
  • Deleting the data they obtained and refraining from making it public.
  • Giving DICT a copy of the data in their possession.

System cleanup

Currently DICT is actively collaborating with PhilHealth and their outsourced cybersecurity partners to complete the system cleanup, the official told local media.

Their top priority is to restore PhilHealth's online services, which have been temporarily unavailable since Sunday due to the cyberattack.


Dy noted that law enforcement agencies have gathered evidence against the cybercriminals, expressing hope for their apprehension. International cooperation is essential, he said, since these hackers operate on a global scale.

However, he cautioned that there is no guarantee the hackers will fulfill their promises once the ransom is paid.

Dy described the Medusa ransomware as a “growing threat”.

Medusa ransomware attacks
• Medusa ransomware, initially documented in June 2021, falls under the category of malicious software designed to encrypt files.

• According to the US Cybersecurity and Infrastructure Security Agency (CISA), MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims' networks.

• The Federal Bureau of Investigation (FBI), CISA and other key US government agencies, issued a comprehensive cybersecurity advisory in August 2022 shedding light on the MedusaLocker ransomware.

• The advisory underscores that MedusaLocker ransomware operators heavily exploit vulnerabilities within Remote Desktop Protocol (RDP) as their primary gateway to infiltrate victims' networks.

• Once inside, these cyber actors encrypt the victim's data and strategically place a ransom note with specific communication instructions in every folder containing encrypted files.

• The ransom note serves as a roadmap for victims, guiding them towards making ransom payments to a designated Bitcoin wallet address.

• What sets MedusaLocker apart is its operational model, which strongly resembles a Ransomware-as-a-Service (RaaS) framework.

• This model typically involves collaboration between a ransomware developer and a network of affiliates responsible for deploying the ransomware on targeted systems.

• Notably, the cybercriminals behind MedusaLocker have been observed consistently distributing ransom payments with a distinct split: affiliates receive approximately 55 to 60 percent of the ransom, while the remaining portion goes to the ransomware's developer.

Regarding the PhilHealth situation, Dy reassured the public that the online services used by the public have not been compromised.

However,critical services were temporarily shut down and isolated to prevent the ransomware from spreading further.

Online services are expected to resume “within the next few days”, Dy said without citing specifics.

The Medusa ransomware attack has been affecting PhilHealth since June. Dy explained that it conceals itself within the system to evade detection.

Cybersecurity threats

Dy has also appealed for an increase in the budget of DICT's Cybersecurity Bureau due to the rising trend of cyberattacks in the country.

He highlighted that 3,000 cyberattack cases were reported to DICT from January to August 2023, while only $7.03 million (Php400 million) were allocated for the Cybersecurity Bureau.

On Sunday, DICT issued fresh guidelines to government offices on protecting themselves from the Medusa ransomware.