Ransomware gangs have now struck two cybersecurity insurers in as many months, with AXA confirming over the weekend that an attack had affected its Asian operations.
AXA joins CNA Insurance, which in April confirmed that a ransomware incident had forced the company to take its operations offline. The attack on AXA, though, comes shortly after the French insurer said it would no longer reimburse ransomware payments under new policies it writes in that country, although a source familiar with the attack said there was no connection between AXA’s decision and the attack on its own networks.
The so-called Avaddon ransomware operators posted screenshots of information online that they said they obtained from AXA’s Asia Assistance subsidiary. The screenshots include a claim that the operators stole three terabytes of data, such as customer medical reports and claims, customer IDs and bank account papers, payments to customers and other health information.
“Asia Assistance was recently the victim of a targeted ransomware attack which impacted its IT operations in Thailand, Malaysia, Hong Kong, and the Philippines,” the subsidiary AXA Partners said of the attack. “As a result, certain data processed by Inter Partners Asia (IPA) in Thailand has been accessed. At present, there is no evidence that any further data was accessed beyond IPA in Thailand.”
AXA Partners said it had dedicated a task force with outside forensic experts to investigate, and has notified regulators and business partners. It did not answer questions about whether it had paid or would pay the attackers.
The Avaddon operators said they would give AXA 10 days to pay up or they would leak company documents, as well as hit AXA with a distributed denial-of-service attack.
Cyber insurers make inviting targets for ransomware attackers, since obtaining customer data could give them information about who’s best able to pay up should the gangs attack policyholders.
“Breaches of insurance companies are especially concerning given that another group, REvil, has previously stated that it uses the exfiltrated data to attack customers before finally encrypting the insurer’s network,” said Brett Callow, a threat analyst at Emsisoft, via email. “Potentially, the data could be used both to select targets and to spear phish those targets.”
Amid the alarm that the attack on Colonial Pipeline caused, some cybercriminals have taken steps to shun ransomware, although the move might merely be an attempt to take the heat off of themselves.