Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

Ransomware hits AXA units in Asia, Irish healthcare

The Thai affiliate of Paris-based insurance company AXA says it is investigating a ransomware attack by Russian-speaking cybercriminals that has affected operations in Thailand, Malaysia, Hong Kong and the Philippines

Via AP news wire
Tuesday 18 May 2021 03:02 EDT
Cybersecurity Ransomware Attacks
Cybersecurity Ransomware Attacks (Copyright 2019 The Associated Press. All rights reserved)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

The Thai affiliate of Paris-based insurance company AXA said Tuesday it is investigating a ransomware attack by Russian-speaking cybercriminals that has affected operations in Thailand, Malaysia Hong Kong and the Philippines.

Meanwhile, a cyberattack on a public health provider in New Zealand took down information systems across five hospitals, forcing staff to cancel some elective surgeries and creating all sorts of other problems.

In Bangkok, Krungthai AXA said it has formed a team with AXA's Inter Partner Assistance to urgently investigate the problem. It was unclear how long it might take to evaluate the exposure of personal data after the criminals claimed to have stolen 3 terabytes of data including medical records, customer IDs and privileged communications with hospitals and doctors.

Kanjana Anantasomboon, Asia vice president for corporate and internal communications at Krungthai-AXA Life Insurance, said the company handles some of its services inhouse, so only part, she declined to say how much, of its customer data was with Inter Partner Assistance’s claim service.

Other AXA affiliates in the Phlippines, Malaysia and Hong Kong did not respond to requests for comment.

AXA Partners, the Paris insurer’s international arm, has given few details. It said Sunday that the full impact of the attack was being investigated and that steps would be “taken to notify and support all corporate clients and individuals impacted.” It said the attack was recent, but did not specify when exactly. It said data in Thailand was accessed.

In New Zealand, Waikato District Health Board Chief Executive Kevin Snee said its emergency department was now only taking urgent patients. He said administrators were working to resolve the issue but he gave no timeline for when the system might be restored.

Dr. Deborah Powell, the national secretary for two unions representing doctors and other health professionals, said the attack hit every part of the operation, with doctors unable to access clinical records to quickly assess patients.

Still, Powell said she didn’t believe patients were at extra risk because staff were using workarounds.

Hospital discharges were being done by hand, and a pager system to alert multiple doctors when a patient suffered a cardiac arrest that was down was replaced by a system of personal mobile numbers. People trying to contact patients were encouraged to try calling their cell phones.

Powell said she was told it was a ransomware attack but she didn’t have all the details. New Zealand’s Ministry of Health described it only as an “attempted cyber incident.”

It was unclear if the event was linked in any way to others, including a cyberattack that has nearly paralyzed Ireland's national healthcare IT systems. Conti, a Russian-speaking ransomware group different from the one involved in the attack on AXA, was demanding $20 million, according to the ransom negotiation page on its darknet site, which The Associated Press viewed.

That gang threatened Monday to “start publishing and selling your private information very soon.”

The Irish government's decision not to pay the criminals means hospitals won't have access to patient records — and must resort mostly to handwritten notes — until painstaking efforts are complete to restore thousands of computer servers from backups.

News of the Asia attack was first reported by the Financial Times. The attackers used a ransomware variant called Avaddon. Avaddon threatened to leak “valuable company documents” in 10 days if the company did not pay an unspecified ransom.

So-called “big-game” hunters like Avaddon and Conti identify and target lucrative victims, leasing their “ransomware-as-a-service” to affiliates they recruit who do most of the heavy-lifting — taking more risk and a higher share of the profits.

AXA, among Europe’s top five insurers, said this month that it will stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals. It said it did so out of concern that such reimbursements encourage cyber criminals to demand ransom from companies they prey on, crippling them with malware. Once victims of ransomware pay up, criminals provide software keys to decode the data.

Ransomware attacks returned to headlines this month after hackers struck the United States’ largest fuel pipeline, the Colonial Pipeline. The company shut it down for days to contain the damage.

Last year, ransomware reached epidemic levels as criminals increasingly turned to “double extortion,” stealing sensitive data before activating the encryption software that paralyzes networks and threatening to dump it online if they don't get paid.

That appears to be what happened to the AXA subsidiaries and Ireland's health care system.

The top victims of ransomware are in the United States, followed by France, experts say. The extent of damage and payouts in Asian countries is unclear. Like most top ransomware purveyors, Avaddon's ransomware is programmed not to target computers with Russian-language keyboards and enjoys safe harbor in former Soviet states.

Conti also enjoys Kremlin tolerance and is among the most prolific of such gangs. It recently attacked the school system in Broward County, Florida, which serves Fort Lauderdale and is one of the largest U.S. school districts.

___

Perry contributed from Wellington, New Zealand. Elaine Ganley in Paris and Frank Bajak in Boston also contributed to this report.

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in