Ransomware Hits Axa Units in Thailand, Hurts Ireland Healthcare

In this Thursday, Feb. 21, 2019, file photo, people stand in front of the logo of AXA Group prior to the company's 2018 annual results presentation, in Paris. Photo: Thibault Camus, File

PARIS (AP) — Cybercriminals have hit four Asian subsidiaries of the Paris-based insurance company AXA with a ransomware attack, impacting operations in Thailand, Malaysia, Hong Kong and the Philippines, the insurer said.

The criminals claimed to have stolen 3 terabytes of data including medical records and communications with doctors and hospitals.

In Ireland, meanwhile, the national healthcare system struggled to restore IT systems that were all but paralyzed by a cyberattack last week by a different Russian-speaking ransomware group. That group is demanding $20 million, according to the ransom negotiation page on its darknet site, which The Associated Press viewed.

The gang threatened Monday to “start publishing and selling your private information very soon.”

The Irish government’s decision not to pay the criminals means hospitals won’t have access to patient records — and must resort mostly to handwritten notes — until painstaking efforts are complete to restore thousands of computer servers from backups.

AXA Partners, the Paris insurer’s international arm, offered few details of the Asia attacks. It said in a brief statement Sunday that their full impact was being investigated and that steps would be “taken to notify and support all corporate clients and individuals impacted.” It said the attack was recent, but did not specify when exactly. It said data in Thailand was accessed and that “regulators and business partners have been informed.”

News of the Asia attack was first reported by the Financial Times. The attackers used a ransomware variant called Avaddon. In a post on their darknet leak site including some document samples, they claim to have stolen 3 terabytes of data including medical records, customer IDs and privileged communications with hospitals and doctors. Avaddon threatened to leak “valuable company documents” in 10 days if the company did not pay an unspecified ransom.

AXA, among Europe’s top five insurers, said this month that it will stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.

The insurer said at the time that it was suspending the option in France only in response to growing concern that such reimbursements encourage cyber criminals to demand ransom from companies they prey on, crippling them with malware. Once victims of ransomware pay up, criminals provide software keys to decode the data. Last year, ransomware reached epidemic levels as criminals increasingly turned to “double extortion,” stealing sensitive data before activating the encryption software that paralyzes networks and threatening to dump it online if they don’t get paid.

It appears that’s exactly what happened to the AXA subsidiaries and Ireland’s health care system. In the latter case, the criminals claim to have stolen more than 700 gigabytes of personal data on patients and employees — including home addresses and phone numbers — as well as customer databases, payroll and other financial information. The criminals claimed to have spent two weeks in the network before executing the ransomware.

The top victims of ransomware are in the United States, followed by France, experts say. The extent of damage, and payouts, in Asian countries was not immediately clear. Like the malware of most top ransomware purveyors, Avaddon’s ransomware is programmed not to target computers with Russian-language keyboards, and the gang enjoys safe harbor in former Soviet states.

The group that attacked Ireland’s Health Service Executive, Conti, similarly enjoys Kremlin tolerance and is among the most prolific such gangs, recently attacking such high-profile targets as the school system of Broward County, Florida.

Irish Prime Minister Micheal Martin has refused to pay ransom despite an attack announced Friday that caused the country of 5 million to shut down and rebuild its public health care system’s IT network.

The system’s chief operations officer, Anne O’Connor, told a local radio reporter on Sunday that many cancer treatment sessions, X-rays and other radiology appointments had been canceled, describing perhaps the worst impact today on a healthcare system from ransomware.

“There’s not much back up and running” yet, O’Connor said of the IT network, adding that data on thousands of servers would need to be rebuilt from backups. “It’s going to be a slow process.”

“All of our diagnostic capability in terms of radiology have gone,” she said. “We have no capability now to look back at any previous tests, any previous scans. We can’t order lab tests or radiology electronically.”

She said hospitals had resorted to “manual handwritten notes. We have people in hospitals delivering pieces of paper around with lab results, et cetera.”

Ransomware attacks returned to headlines this month after hackers struck the United States’ largest fuel pipeline, the Colonial Pipeline, and the company shut it down for days to contain the damage.

The ransomware gangs that have had the biggest impact are so-called “big-game” hunters like Avaddon and Conti that identify and target lucrative victims. They work through affiliates who do most of the work: they rent their “ransomware-as-a-service” to partners they recruit on darknet crime forums and divide the profits.

Story: Elaine Ganley and Frank Bajak. Bajak reported from Boston.