AXA logo on building showing ransomware attack after change in cyber insurance policies

Ransomware Attack Reported at Insurance Giant AXA One Week After It Changes Cyber Insurance Policies in France

European insurance giant AXA made news earlier in the month for opting to drop ransomware payment coverage from new cyber insurance policies in France. A retaliatory attack may have been directed against the company this week. AXA’s operations in Asia were hit by a ransomware attack, disrupting business and compromising customer records in four countries.

While it is certainly possible that the timing was coincidental, a concurrent distributed denial of service (DDoS) attack against the company in the region linked to a known ransomware gang indicates that this may have been a targeted response.

The Financial Times reported that the ransomware attack happened before the policy change according to a person familiar with the matter.

Ransomware attack hits several countries in Asia, three terabytes of data stolen

While “grandfathered” cyber insurance policies with coverage will retain it, AXA recently made the controversial decision to stop covering any part of ransomware payments for new policies taken out in France. The company says this was done due to uncertainty over the continuing legality of making these payments in that country, as the French Senate has publicly raised the possibility of a ban. AXA is the first of the major cyber insurance companies to drop ransomware payments from its coverage options.

AXA is centered in Europe but operates globally. The country’s Asian branch was hit by a ransomware attack last week, impacting three countries (Malaysia, the Philippines and Thailand) along with Hong Kong. 3 TB of data was stolen ahead of the deployment of the ransomware; this includes pictures of customer ID cards, bank account statements, payment records, submitted claim forms, customer medical reports and contracts among other sensitive items.

The ransomware attack was quickly claimed by Avaddon, a group that has been active for about a year and has been on a bit of a spree in the last few weeks. The group is thought to be based in Russia (based on advertising on dark web forums) and offers a “ransomware-as-a-service” model to less sophisticated clients. The group has already been implicated in some high-profile ransomware attacks this year including stealing banking information and SIM card data from a vendor of Australia’s Telstra telecommunications firm.

Though the group itself is active, the recent spate of ransomware attacks connected to its offerings shows a lack of sophistication that indicates low-tech clients are flocking to its services. Avaddon ransomware is mostly observed attached to spam emails, often claiming that the sender has compromising pictures of the target.

While the Avaddon clients may not be sophisticated, the ransomware package itself is fairly advanced. Avaddon ransomware attacks steal files ahead of locking out systems and also threaten DDoS attacks against victims if they do not pay up. As the recent incident with AXA shows, the latter is not an idle threat. The inclusion of DDoS attacks in ransomware packages is a very new phenomenon, as Ilia Kolochenko (Founder and CEO of ImmuniWeb) notes: “Usually, DDoS cyber gangs do not operate jointly with ransomware folks. Combining a ransom demand with a large-scale DDoS is a bit unusual, and clearly demonstrates a growing coordination between cybercrime groups.”

When activated the Avaddon malware first checks the target system’s keyboard and language settings to verify it is not located in the Commonwealth of Independent States of Eurasia; if it is the attack will cease automatically. The ransomware also uses a unique and strong AES256 encryption key. Stolen data is published on an underground data leak site if victims do not pay; the average ransom demand is $40,000 USD in Bitcoin.

A statement by AXA to reporters indicates that the breach originated with a vendor called Inter Partners Assistance (IPA) based in Thailand. Chris Clements, VP of Solutions Architecture for Cerberus Sentinel, sees the incident as a heads-up that those in the cybersecurity and cyber insurance industry are not necessarily any better prepared for these attacks than their clients: “The timing of the attack on AXA being so close to their announcement that they will no longer cover ransomware payment reimbursements with their policies in France may indicate that they were targeted to make an example of organizations challenging their extortionary business model. It’s tempting to laugh at the irony of a company that provides cyber insurance getting compromised, but the reality is that most organizations are vulnerable to the same attacks and security is challenging to get right. The scale and complexity of modern computer networks make addressing every potential risk effectively impossible, and often attackers need only find one mistake or omission to bring an entire company to its knees. Couple this with the fact that ransomware gang’s extortion earnings often give them higher budgets than their target teams defenders and it’s no wonder that ransomware is epidemic across the globe.”

Cyber insurance companies face prospect of ransomware payment bans

As the AXA ransomware attack demonstrates, organizations are often faced with no better choices than to pay the ransom and hope for the best (the option taken in the Colonial Pipeline incident that caused gas shortages in the US for over a week). Avaddon gave AXA just 10 days to make a decision regarding the payment, with timeframes for these demands sometimes substantially shorter.

Faced with a barrage of consequences that can include extended downtime and the public compromise of private customer information, organizations often see taking their chances with a payment as most likely to have the best outcome for them. France is not the only national government that has high-profile members who disagree with this stance. The US Department of the Treasury toyed with the idea of fining those who make ransomware payments that wind up in the hands of sanctioned parties, though the country recently stopped short of taking ransomware payments off the table with its new executive order covering federal cybersecurity measures.

The debate emerges as the nature of ransomware attacks is shifting to favor large organizations that carry substantial cyber insurance coverage. The days of “spray and pray” ransomware attacks are coming to a close, as threat actors find it much more lucrative to specifically target organizations with the ability to cover big demands. That includes those that are known to hold cyber insurance policies that cover payments.

The FBI and the Australian Australian Cyber Security Centre (ACSC) had issued an advisory about Avaddon not long before the cyber insurance carrier was hit, which contained fairly standard mitigation recommendations for ransomware attacks: have redundant backups for critical data that are stored both online and offline, using two-factor authentication with strong passwords, and monitoring the publication of compromised VPN login credentials.

Update (May 29, 2021): Included information that ransomware attack may have happened before the policy change according to the Financial Times.