UPDATED 20:35 EDT / MAY 16 2021

SECURITY

After dropping support for ransom payments, AXA struck by ransomware in Asia

French multinational insurance firm AXA S.A. has been struck by a ransomware attack after the company announced May 9 that it would stop paying for ransomware crime payments.

Reuters reported the company said today that one of its Asia Assistance divisions had been targeted and that information technology services were affected in Thailand, Malaysia, Hong Kong and the Philippines. “As a result, certain data processed by Inter Partners Asia (IPA) in Thailand has been accessed,” AXA noted.

According to Hackread, the Avaddon ransomware group was behind the attack and is claiming responsibility on its dark web site. The group claims to have stolen 3 terabytes of data, including a long list of information: ID cards, passport copies, customer claims, reserved agreements, denied reimbursements, payments to customers, contract and reports, customer IDs and bank account scanned papers, hospital and doctor reserved material (private investigation for fraud) and customer medical reports including HIV, hepatitis, STD and other illness reports.

Avaddon provided copies of two passports as evidence, one Thai and the other from the U.K.

The ransom being demanded was not disclosed. The ransomware group said AXA has 240 hours to communicate and cooperate, otherwise it will leak valuable company documents.

The attack by Avaddon comes just under a week since both the U.S. Federal Bureau of Investigation and the Australian Cyber Security Centre issued warnings that an Avaddon campaign was targeting organizations worldwide. The FBI said that Avaddon ransomware affiliates are trying to breach the networks of manufacturing, healthcare and other private sector organizations, while the ACSC said that the targets included government, finance, law enforcement, energy, information technology and health.

“In addition to encryption of data, victims are threatened with the publication of stolen data, as well as Distributed Denial of Service against their network,” the ACSC added.

Avaddon dates to around June last year and was first detailed in July by Trend Micro Inc. Avaddon ransomware attacks are typically propagated through emails with a JavaScript attachment. Once the attachment is downloaded and run, it users a PowerShell command and the BITSAdmin command-line tool to download and run the ransomware payload.

At this point, users have their wallpaper changed to an image that states that “all your files have been encrypted” and told to read a ransomware note. The note provide instructions on how the affected users can recover their encrypted files.

Photo: Kokky92/Wikimedia Commons

A message from John Furrier, co-founder of SiliconANGLE:

Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.

Join Our Community 

Click here to join the free and open Startup Showcase event.

“TheCUBE is part of re:Invent, you know, you guys really are a part of the event and we really appreciate your coming here and I know people appreciate the content you create as well” – Andy Jassy

We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.

Click here to join the free and open Startup Showcase event.