Ransomware hits AXA units in Asia, hurts Ireland healthcare

May 18, 2021 09:25:08 AM


Russian-speaking cybercriminals have hit subsidiaries of the Paris-based insurer AXA in Thailand, Malaysia, Hong Kong and the Philippines with a ransomware attack

May 17, 2021, 11:19 PM

The Associated Press

FILE - In this Friday, Feb. 21, 2020 file photo, Irish Prime Minister Leo Varadkar arrives for an EU summit at the European Council building in Brussels. Ireland’s health service says it has shut down its IT systems after being targeted in a “significant ransomware attack.” The Health Service Executive said Friday that the move was a precaution, and appointments for coronavirus vaccinations were not affected. Procedures were canceled at hospitals and Deputy Prime Minister Leo Varadkar said the disruption could last for days. (Ludovic Marin, Pool Photo via AP, File)

PARIS -- Cybercriminals have hit four Asian subsidiaries of the Paris-based insurance company AXA with a ransomware attack, impacting operations in Thailand, Malaysia, Hong Kong and the Philippines, the insurer said.

The criminals claimed to have stolen 3 terabytes of data including medical records and communications with doctors and hospitals.

In Ireland, meanwhile, the national healthcare system struggled to restore IT systems that were all but paralyzed by a cyberattack last week by a different Russian-speaking ransomware group. That group is demanding $20 million, according to the ransom negotiation page on its darknet site, which The Associated Press viewed.

The gang threatened Monday to “start publishing and selling your private information very soon.”

The Irish government's decision not to pay the criminals resulted in hospitals losing access to patient records — and resorting to handwritten notes — until painstaking efforts are complete to restore thousands of computer servers from backups.

AXA Partners, the Paris insurer's international arm, offered few details of the Asia attacks. It said in a brief statement Sunday that their full impact was being investigated and that steps would be “taken to notify and support all corporate clients and individuals impacted.” It said the attack was recent, but did not specify when exactly. It said data in Thailand was accessed and that “regulators and business partners have been informed.”

News of the Asia attack was first reported by the Financial Times. The attackers used a ransomware variant called Avaddon. In a post on their darknet leak site including some document samples, they claim to have stolen 3 terabytes of data including medical records, customer IDs and privileged communications with hospitals and doctors. Avaddon threatened to leak “valuable company documents” in 10 days if the company did not pay an unspecified ransom.

AXA, among Europe’s top five insurers, said this month that it will stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.

The insurer said at the time that it was suspending the option in France only in response to growing concern that such reimbursements encourage cyber criminals to demand ransom from companies they prey on, crippling them with malware. Once victims of ransomware pay up, criminals provide software keys to decode the data. Last year, ransomware reached epidemic levels as criminals increasingly turned to “double extortion,” stealing sensitive data before activating the encryption software that paralyzes networks and threatening to dump it online if they don't get paid.

It appears that's exactly what happened to the AXA subsidiaries and Ireland's health care system. In the latter case, the criminals claim to have stolen more than 700 gigabytes of personal data on patients and employees — including home addresses and phone numbers — as well as customer databases, payroll and other financial information. The criminals claimed to have spent two weeks in the network before executing the ransomware.
