An AXA subsidiary in Asia must decide whether to pay a ransom demand to cybercriminals a week after the insurance company said it is suspending policies which reimburse ransomware victims who pay their attackers.
Cybercriminals recently infiltrated AXA’s Asia Assistance network and reportedly stole sensitive data processed by one of its partners in Thailand. AXA Partners confirmed that a “targeted ransomware attack” impacted IT operations in Thailand, Malaysia, Hong Kong and the Philippines.
A ransomware gang claiming responsibility for the attack said it stole three terabytes of data, in a dark web post seen by the Financial Times. It also said it was behind a distributed denial of service (DDoS) attack that made AXA’s global websites inaccessible on Monday.
According to the dark web post, the stolen customer data included medical records, insurance claims, ID screenshots and passport pages, bank documents and other medical records. It is understood that the cybercriminals are threatening to leak the files unless payment is made, rather than asking for payment to unscramble encrypted files. This type of extortion is often referred to as ‘leakware’.
“The AXA case is particularly egregious – other than personal medical information, it’s difficult to think of data that would be considered more private for individuals. Such data was likely targeted to maximise the ransom leverage,” said Michael Barragry, operations lead at vulnerability management firm Edgescan.
The data extortion comes just one week after Paris-headquartered AXA said it would stop writing cyber-insurance policies in France that reimburse customers who pay ransomware demands. Verdict understands that the move, believed to be an industry first, is a temporary suspension while it awaits the outcome of regulatory decisions by the French government. AXA will continue offering other cyber insurance, such as policies that pay out for recovery from cyberattacks.
A person familiar with the matter told the Financial Times that the ransomware attack took place before AXA revealed it would suspend this policy on 10 May, refuting speculation that AXA was targeted because of its new stance.
When asked for a specific date of the Asia Assistance ransomware attack, an AXA Partners spokesperson declined to comment.
“Asia Assistance was recently the victim of a targeted ransomware attack which impacted its IT operations in Thailand, Malaysia, Hong Kong, and the Philippines,” an AXA Partners spokesperson told Verdict in a statement. “As a result, certain data processed by Inter Partners Asia (IPA) in Thailand has been accessed. At present, there is no evidence that any further data was accessed beyond IPA in Thailand.
“A dedicated taskforce with external forensic experts is investigating the incident. Regulators and business partners have been informed. AXA takes data privacy very seriously and if IPA’s investigations confirm that sensitive data of any individuals have been affected, the necessary steps will be taken to notify and support all corporate clients and individuals impacted.”
The malware used in the AXA attack is believed to be Avaddon, which is sold as ransomware-as-a-service to affiliate cyber gangs who give a cut of their earnings to the software makers.
“This does mean that attribution of this gang is very hard; although identifying the Avaddon gang is trivial, it will still remain hard to identify what this particular affiliate’s motivation is to attack AXA,” said Hugo van den Toorn, manager of offensive security at Outpost24, adding that the gang could have just got “lucky”.
Earlier this month the FBI and Australian Cyber Security Centre warned of an ongoing Avaddon ransomware campaign targeting organisations hailing from multiple sectors.
AXA ransomware: To pay or not to pay?
Cybersecurity professionals overwhelmingly advise against paying ransom demands because there is no guarantee that files will be decrypted, or that data will not be leaked or sold.
Paying can also make organisations a target for future attacks because cybercriminals know they are more likely to give in to the demands. Companies that pay the ransom are also funding crime, making it profitable for the gangs to operate and so continue the cycle.
Insurance companies have come under increasing fire for perpetuating the ransomware cycle by offering policies that reimburse victims after they have paid the demand.
“In recent years we have seen cyber insurance on the rise, with some insurance companies even negotiating with the cybercriminals for a discount, however this is just making ransomware crime more lucrative and successful for the criminals,” said Joseph Carson, chief security scientist at cybersecurity firm ThycoticCentrify. “We must educate companies and citizens on how to reduce the risks and become more resilient so that paying a ransom is not even an option to consider.”
AXA declined to comment on the size of the ransom fee being demanded and whether it intends to pay it.
“This will be a challenging time for AXA as to how they approach this situation especially after they recently said they wouldn’t fund criminal demands for future attacks,” said Jake Moore, cybersecurity specialist at internet security firm ESET.
He added that it would be “extremely ironic” if AXA now decided to pay the ransom. “However, stuck between a rock and a hard place, every situation must be referred to independently and a blanket decision must not be taken lightly.”
Lior Div, CEO and co-founder of Cybereason, echoed the difficult position that AXA and other ransomware victims find themselves in: “Organisations often deliberate long and hard before deciding to meet the ransom demands. A company’s lawyers and insurer will be involved in the decision to pay the ransom. Companies make decisions based on what they think is in the best interest of the company, its customers and shareholders.”
Ransomware, and particularly ransomware-as-a-service, has been on the rise and recently claimed high-profile victims. Two cyberattacks against Ireland’s health service recently followed a ransomware attack that forced infrastructure firm Colonial Pipeline to halt operations, causing fuel shortages along the US East Coast.