Thailand, Malaysia, Hong Kong and the Philippines. Each a tropical paradise with some of the largest and most profitable businesses in the world. What else do they have in common? Major ransomware attacks have come back to Asia, with insurance giant AXA being a top target and suffering a distributed denial of service (DDoS) attack thrown in for good measure, as if someone were trying to make a point. As major enterprises fall to ransomware attacks one by one, what is attracting attackers to enterprises like AXA besides the ransom money?
Who is AXA?
AXA is one of Europe’s top 5 insurance companies with a presence in over 54 countries. AXA serves 105 million clients with a range of products and services, including property-casualty, life, savings and health insurance, as well as asset management, adapted to the specific needs of its clients.
The AXA ransomware attack
What made AXA the latest victim of a multi-pronged attack like this? It’s no coincidence that the attack came just days after AXA announced that they would no longer cover cyber-attack insurance payments in France, a country which lost $1,135,795,109 to ransomware in 2020. France has been leaning toward a no-tolerance policy toward ransomware and malware, with Paris-based cybercrime prosecutor Johanna Brousse telling officials last month, “The word to get out today is that, regarding ransomware, we don’t pay and we won’t pay.”
Brian Higgins, security specialist at Comparitech.com, believes that the AXA ransomware attack might be in retaliation for the recent ransomware payment policy change in France.
“There would appear to be an element of criminal logic to this particular attack. Any indication that the financial tap of ransomware insurance cash might be turning off was always going to attract some miscreant retribution,” Brian Higgins says.
“A double-whammy ransomware and DDoS attack could be an indication of just how angry the Avaddon group are at potentially having to work harder for their easy money in the future, and I’m sure the information security community will be monitoring this incident closely to see who comes out on top.”
Cyber security experts believe the AXA ransomware attack was launched by the Avaddon ransomware group, who released a statement saying they had stolen 3 terabytes of data from AXA in the attack, including personal data and medical records. The Avaddon ransomware is interesting in that the malware will ignore any systems using Russian language keyboards. AXA’s Asian offices have remained tight-lipped, as most large enterprises do mid-attack, claiming that there is no evidence that any data was accessed besides that stored at Inter Partners Asia (IPA) in Thailand. We’ve heard this before – technically we hear this with every attack – and when the dust has settled, we may or may not be made aware of exactly what was stolen. A statement directly from AXA addresses the attack, saying:
“AXA takes data privacy very seriously and if IPA’s investigations confirm that sensitive data of any individuals have been affected, the necessary steps will be taken to notify and support all corporate clients and individuals impacted.”
The hackers have threatened to leak documents within 10 days if AXA does not pay an unspecified ransom. Already, the attackers have reportedly published roughly 20 screenshots to prove their claims.
How was the APAC region affected by the AXA ransomware attack?
News of the attack against AXA’s Asia operations was first reported by the Financial Times. The three terabytes of data allegedly stolen in the AXA ransomware attack, confirmed to be primarily medical records and communications, was taken from the international insurance arm of AXA Partners and its Asia Assistance Division. A statement issued by AXA addressed the Asia-based attack, saying, “As a result, certain data processed by Inter Partners Asia (IPA) in Thailand has been accessed.” ABC News reported that the attackers used a ransomware variant known as Avaddon to access the network. Avaddon is typically run as ransomware-as-a-service: affiliates recruited on the dark web carry out the attacks and share the profits with the Avaddon operators. The websites operated by AXA for Thailand, Malaysia, Hong Kong, and the Philippines have also been hit by DDoS attacks launched by the attackers. AXA was in the process of notifying business partners and regulators, as well as preparing to contact impacted individuals in the event their data was compromised.
Following the attack, both the FBI and the Australian Cyber Security Centre issued warnings about the increasing use of Avaddon ransomware.
What is ransomware insurance, like that provided by AXA, and how does it work?
Cyber insurance, or cyber-liability insurance, is an insurance policy organizations buy to protect themselves from being on the hook for potentially millions of dollars in damages due to cyberattacks and hacking. Cyber insurance is used to minimize the effect of a ransomware attack, reduce downtime, and speed up recovery after an attack.
According to its website, AXA provides several different types of cyber insurance cover, including:
- Data breach security and privacy liability
- Media internet communications
- Business interruption and extra expense
- Loss / destruction of electronic assets
- First party incident responses including IT forensics, notification costs, call center and PR expenses
- Privacy regulatory defence costs and coverage of regulatory fines and penalties (where insurable by law) arising from a privacy or security wrongful act
- Data restoration
- Cyber extortion
Cyber insurance is a highly debated topic in the IT world, as some see it as providing a vehicle to funnel money directly to attackers quickly and easily – encouraging attackers with the ease and speed of payment.
Who was affected by the AXA ransomware attack?
The fallout from the AXA ransomware attack has been far-reaching. Across the world in Ireland, the national healthcare system suffered an attack from a different ransomware group, demanding $20 million to decrypt their files and return stolen data without publication or sale. More than 2,000 patient-facing IT systems and 80,000 devices were affected in the ransomware attack. Irish Prime Minister Micheál Martin refused to pay the ransom, saying, “the government will not be paying any money.” Justice Minister Heather Humphreys said, “we will not be blackmailed,” despite the attack costing Ireland millions to shut down and rebuild its public health care system IT network.
What can be done to prevent future ransomware attacks?
Ransomware is malware designed to make your data unavailable until a ransom is paid to unlock it, following a specific sequence of steps called a “kill chain” to infect, encrypt, and spread. However, security point products (such as a firewall or anti-virus) alone cannot effectively disrupt the kill chain. The gaps between each point product’s sphere of influence make it easy for ransomware to breach and infect successfully. A more holistic solution is needed to completely break the cycle. The Sangfor Security Solution for Ransomware provides an innovative strategy that successfully mitigates ransomware attacks by breaking every step in the kill chain.
Sangfor’s integrated, network-wide anti-ransomware solution is:
- The only solution proven to block every step of the ransomware kill chain
- The only solution with direct integration between firewall and endpoint agents, without TI or a management console in between
- The only firewall that identifies and blocks C2 communications and lateral propagation
- The only firewall able to verify endpoint infection based on C2 communications
- The only solution with a ransomware honeypot to stop encryption and identify and mitigate any controlling applications network-wide
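To make the “ransomware honeypot” idea concrete, here is an added example (not Sangfor’s or AXA’s code) of the basic detection mechanism behind it: decoy files are planted with known low-entropy content, and a periodic check flags any decoy that goes missing or is rewritten with high-entropy (encrypted-looking) data. The decoy file names, contents and the 7.0 entropy threshold are constructed assumptions.

```python
import math
import os
from collections import Counter

# Constructed decoy names; in practice they are chosen to sort early so an
# encryptor walking the directory touches them first.
CANARY_NAMES = ("~acme_invoice_2020.docx", "~acme_patient_backup.xlsx")
# Repetitive plaintext: entropy is far below that of ciphertext.
CANARY_CONTENT = b"CANARY FILE - DO NOT EDIT\n" * 256


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random/encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_canaries(directory: str) -> list:
    """Write the decoy files and return their paths for later checks."""
    paths = []
    for name in CANARY_NAMES:
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(CANARY_CONTENT)
        paths.append(path)
    return paths


def check_canaries(paths, entropy_threshold: float = 7.0) -> list:
    """Return one alert per decoy that was deleted, encrypted or otherwise changed.

    A real deployment would feed these alerts to the endpoint agent so the
    writing process can be identified and stopped before it spreads further.
    """
    alerts = []
    for path in paths:
        if not os.path.exists(path):
            alerts.append({"path": path, "reason": "missing"})
            continue
        with open(path, "rb") as f:
            data = f.read()
        if data == CANARY_CONTENT:
            continue  # untouched decoy: nothing to report
        entropy = shannon_entropy(data)
        reason = "high-entropy rewrite" if entropy > entropy_threshold else "modified"
        alerts.append({"path": path, "reason": reason, "entropy": round(entropy, 2)})
    return alerts
```

Run `plant_canaries` once on each protected share and `check_canaries` on a short timer; a “high-entropy rewrite” alert is the signal that encryption has started on that host.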
We’ve traded one pandemic for another. As COVID recedes, ransomware takes its place, affecting everyone, everywhere. It’s vital to choose and deploy the right security solutions for your business before you fall victim to ransomware attack.
Sangfor Technologies is an APAC-based, global leading vendor of IT infrastructure and security solutions specializing in Network Security and Cloud Computing. Visit us at www.sangfor.com to learn more about Sangfor’s Security solutions and ransomware protection, and let Sangfor make your IT simpler, more secure and valuable.