Third party, fire, and (ransomware) theft
Insurance giant AXA has been hit by a massive ransomware attack, just days after announcing that it would no longer cover damage from that class of cyber-attack in France.
The attack – targeted against AXA’s Asia Assistance division – hit IT operations in Thailand, Malaysia, Hong Kong, and the Philippines.
It’s believed to have been carried out by the Avaddon ransomware group. Cybercriminals seemingly tied to the group subsequentially claimed they had stolen three terabytes of data, including personal data and medical records.
“Avaddon’s affiliate model in essence means that anyone can become [an] affiliate and utilize their tools/malware in exchange for a percentage of the profits made in the particular attack,” said Hugo van den Toorn, manager of offensive security at Outpost24.
“Although identifying the Avaddon gang is trivial, it will still remain hard to identify what this particular affiliate’s motivation is to attack AXA.”
AXA claims that there’s no evidence that any further data was accessed beyond IPA in Thailand. It added that a dedicated taskforce with external forensic experts is investigating.
“AXA takes data privacy very seriously and if IPA’s investigations confirms that sensitive data of any individuals have been affected, the necessary steps will be taken to notify and support all corporate clients and individuals impacted,” the insurer said in a statement.
AXA hasn’t said what ransom figure has been demanded, or whether it plans to pay. However, the attack comes just days after an announcement by the company that its cyber insurance policies would no longer cover ransomware payments in France.
France has suffered heavily from ransomware attacks, and authorities believe that organizations should not pay because any payment serves to incentivize further attacks.
Last month, during a Senate roundtable in Paris, cybercrime prosecutor Johanna Brousse told officials: “The word to get out today is that, regarding ransomware, we don’t pay and we won’t pay.”
An AXA spokesperson told The Daily Swig: “In this context, AXA France, which had added an option to its range in this respect, deemed it appropriate to suspend marketing until the consequences of these analyses are drawn and the framework for insurance intervention is clarified.”
According to Robert Hannigan, chairman of BlueVoyant International, criminalizing ransom payments is unlikely to cause the ransomware business to dry up.
“While everyone agrees that funnelling billions of dollars into crime is a bad thing, and most agree that paying terrorists or sanctioned states should be unlawful, crudely banning all payments is likely to damage victims more than attackers,” he says.
And Catherine Mulligan, head of cyber at Aon’s Reinsurance Solutions business, says that underwriting ransoms is perfectly feasible, as long as organizations are well enough prepared.
“Ransomware attack vectors have remained remarkably unchanged, which means insurers can underwrite to specific controls,” she told The Daily Swig.
“Basic cybersecurity hygiene and controls go a long way to preventing attacks. For example, underwriters can look for open RDP [Remote Desktop Protocol] and ask about multi-factor authentication and patching schedules, then make coverage and pricing decisions accordingly.”
‘Revenge’ attack theory
Brian Higgins, security specialist at Comparitech.com, suggests that the attack against AXA might even represent revenge for the change in policy.
“There would appear to be an element of criminal logic to this particular attack. Any indication that the financial tap of ransomware insurance cash might be turning off was always going to attract some miscreant retribution,” he says.
“A double-whammy ransomware and DDoS attack could be an indication of just how angry the Avaddon group are at potentially having to work harder for their easy money in the future, and I’m sure the information security community will be monitoring this incident closely to see who comes out on top.”