Suspected Russian ransomware hits AXA insurance operations in Asia

The Thai affiliate of insurance company AXA said on Tuesday it is investigating a ransomware attack by Russian-speaking cybercriminals that has affected operations in Thailand, Malaysia, Hong Kong and the Philippines.

In Bangkok, Krungthai AXA said it has formed a team with AXA’s Inter Partner Assistance to urgently investigate the problem.

Other AXA affiliates in the Philippines, Malaysia and Hong Kong did not respond to requests for comment from the Associated Press.

AXA Partners, the Paris insurer’s international arm said on Sunday that steps would be “taken to notify and support all corporate clients and individuals impacted”.

News of the Asia attacks was first reported by the Financial Times. The attackers used a ransomware variant called Avaddon which threatened to leak “valuable company documents” in 10 days if the company did not pay an unspecified ransom.

It was unclear if the attack was linked in any way to others, including a cyberattack that has nearly paralysed Ireland’s national healthcare IT systems. Conti, a Russian-speaking ransomware group different from the one involved in the attack on AXA, was demanding US$20 million, according to the ransom negotiation page on its darknet site, which The AP viewed.

That gang is threatening to “start publishing and selling the stolen information very soon”.

The Irish government’s decision not to pay the criminals means hospitals won’t have access to patient records and must resort mostly to handwritten notes until thousands of computer servers are restored from backups.

So-called “big-game” hunters like Avaddon and Conti identify and target lucrative victims, leasing their “ransomware-as-a-service” to affiliates they recruit who take more risk and a higher share of the profits.

AXA, among Europe’s top five insurers, said this month that it will stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.

It said it did so out of concern that such reimbursements encourage cyber criminals to demand ransom from companies, crippling them with malware. Once the victims of ransomware pay up, the criminals provide software keys to decode the data.

Ransomware attacks returned to headlines this month after hackers struck the US’ largest fuel pipeline, the Colonial Pipeline. The company shut it down for days to contain the damage and reportedly paid the ransom of US$5 million.

Last year, ransomware demands reached epidemic levels as criminals increasingly turned to “double extortion”, stealing sensitive data before activating the encryption software that paralyses networks and threatening to dump it online if they don’t get paid.

That appears to be what happened to the AXA subsidiaries and Ireland’s health care system.

The extent of damage and any payouts so far in affected Asian countries is unclear.

Like most top ransomware purveyors, Avaddon’s ransomware is programmed not to target computers with Russian-language keyboards and enjoys safe harbour in former Soviet states.

Conti also enjoys Kremlin tolerance and is among the most prolific of such gangs. It recently attacked a school system in Florida.

Also on Tuesday a cyberattack on a public health provider in New Zealand took down information systems across five hospitals. It is still unclear if the event is linked in any way to the AXA attacks.