Ransomware Attack Hits Asian Unit of Insurer AXA
Avaddon Ransomware Gang Claims Responsibility
Asia Assistance, a subsidiary of Paris-based multinational insurance company AXA, was hit by a ransomware attack that affected its IT operations in Thailand, Malaysia, Hong Kong and the Philippines, the company reports.
The Avaddon ransomware group has threatened the insurance company with leaking “valuable company documents” in 10 days if the company does not pay an unspecified ransom, the group said on its leak site, according to the news site Bleeping Computer.
Bleeping Computer also reported on Sunday that AXA's global websites had been hit by a DDoS attack over the weekend, making them temporarily inaccessible; they were back up and running on Monday.
"Certain data processed by Inter Partners Asia in Thailand has been accessed," AXA confirmed on Sunday. The ransomware attack occurred after the company recently announced that it would stop reimbursing customers for extortion payments made to ransomware criminals.
According to the attackers' leak site, the compromised data includes copies of ID cards, bank account statements, claim forms, payment records, contracts and customer medical reports, including documents exposing sexual health diagnoses and medical reports on HIV, sexually transmitted diseases and other illnesses.
"At present, there is no evidence that any further data was accessed beyond IPA in Thailand," AXA tells Information Security Media Group. "A dedicated task force with external forensic experts is investigating the incident. Regulators and business partners have been informed. AXA takes data privacy very seriously, and if IPA’s investigations confirm that sensitive data of any individuals have been affected, the necessary steps will be taken to notify and support all corporate clients and individuals impacted."
The Avaddon ransomware group claimed on its leak site that it had stolen 3TB of sensitive data from AXA's Asian operations and provided some leaked samples, Bleeping Computer reports.
"Avaddon is a gang using an affiliate business model and is known for leaking stolen data if a ransom is not paid," says Hugo van den Toorn, manager of offensive security at the security firm Outpost24. "Since early this year, they have added DDoS to their modus operandi to increase odds of victimized companies paying the demanded ransom. Avaddon’s affiliate model in essence means that anyone can become an affiliate and utilize their tools/malware in exchange for a percentage of the profits made in any particular attack."
The FBI and the Australian Cyber Security Center recently issued a warning that attackers are using Avaddon ransomware to target diverse organizations (see: Alerts: Avaddon Ransomware Attacks Increasing).
The gang behind Avaddon ransomware recently stole SIM card data and banking information in an attack on Schepisi Communications, a service provider to Australian telecommunications company Telstra (see: Ransomware Hits Australian Telecom Provider Telstra’s Partner).
How Does Avaddon Work?
Written in C++, Avaddon encrypts data using a unique AES256 encryption key, the Australian Cyber Security Center reported. During the infection process, Avaddon checks the operating system language and keyboard layouts. If a potential victim’s operating system language is set to languages normally used in the Commonwealth of Independent States - nations formerly part of the Soviet Union - the malware ceases operation without harming the system.
The Avaddon attackers use data leak site avaddongun7rngel[.]onion to identify victims who do not pay ransoms, ACSC says. They demand ransom payment via bitcoin, with an average demand of about $40,000 in exchange for a decryption tool, the ACSC reports.