PARIS -- Cybercriminals have hit four Asian subsidiaries of the Paris-based insurance company AXA with a ransomware attack, impacting operations in Thailand, Malaysia, Hong Kong and the Philippines, the insurer said.
The criminals claimed to have stolen 3 terabytes of data including medical records and communications with doctors and hospitals.
In Ireland, meanwhile, the national healthcare system struggled to restore IT systems that were all but paralyzed in a cyberattack last week by a different Russian-speaking ransomware group. That group is demanding US$20 million, according to the ransom negotiation page on its darknet site, which The Associated Press viewed.
The gang threatened Monday to "start publishing and selling your private information very soon."
The Irish government's decision not to pay the criminals means hospitals won't have access to patient records -- and must resort mostly to handwritten notes -- until painstaking efforts are complete to restore thousands of computer servers from backups.
AXA Partners, the Paris insurer's international arm, offered few details of the Asia attacks. It said in a brief statement Sunday that their full impact was being investigated and that steps would be "taken to notify and support all corporate clients and individuals impacted." It said the attack was recent, but did not specify when exactly. It said data in Thailand was accessed and that "regulators and business partners have been informed."
News of the Asia attack was first reported by the Financial Times. The attackers used a ransomware variant called Avaddon. In a post on their darknet leak site including some document samples, they claim to have stolen 3 terabytes of data including medical records, customer IDs and privileged communications with hospitals and doctors. Avaddon threatened to leak "valuable company documents" in 10 days if the company did not pay an unspecified ransom.
AXA, among Europe's top five insurers, said this month that it will stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.
The insurer said at the time that it was suspending the option in France only in response to growing concern that such reimbursements encourage cyber criminals to demand ransom from companies they prey on, crippling them with malware. Once victims of ransomware pay up, criminals provide software keys to decode the data. Last year, ransomware reached epidemic levels as criminals increasingly turned to "double extortion," stealing sensitive data before activating the encryption software that paralyzes networks and threatening to dump it online if they don't get paid.
It appears that's exactly what happened to the AXA subsidiaries and Ireland's health care system. In the latter case, the criminals claim to have stolen more than 700 gigabytes of personal data on patients and employees -- including home addresses and phone numbers -- as well as customer databases, payroll and other financial information. The criminals claimed to have spent two weeks in the network before executing the ransomware.
The top victims of ransomware are in the United States, followed by France, experts say. The extent of damage, and payouts, in Asian countries was not immediately clear. Like most top ransomware purveyors, Avaddon's ransomware is programmed not to target computers with Russian-language keyboards and enjoys safe harbor in former Soviet states.
The group that attacked Ireland's Health Service Executive, Conti, similarly enjoys Kremlin tolerance and is among the most prolific such gangs, recently attacking such high-profile targets as the school system in Broward County, Florida, which serves Fort Lauderdale and is among the U.S.'s largest school districts.
Irish Prime Minister Micheal Martin has refused to pay ransom despite an attack announced Friday that caused the country of 5 million to shut down and rebuild its public health care system's IT network.
The system's chief operations officer, Anne O'Connor, told a local radio reporter on Sunday that many cancer treatment sessions, X-rays and other radiology appointments had been canceled, describing perhaps the worst impact to date on a healthcare system from ransomware.
"There's not much back up and running," yet, O'Connor said of the IT network, adding that data on thousands of servers would need to be rebuilt from backups. "It's going to be a slow process."
"All of our diagnostic capability in terms of radiology have gone," she said. "We have no capability now to look back at any previous tests, any previous scans. We can't order lab tests or radiology electronically."
She said hospitals had resorted to "handwritten notes. We have people in hospitals delivering pieces of paper around with lab results, et cetera."
Ransomware attacks returned to headlines this month after hackers struck the United States' largest fuel pipeline, the Colonial Pipeline, and the company shut it down for days to contain the damage.
The ransomware syndicates that have had the biggest impact are so-called "big-game" hunters like Avaddon and Conti that identify and target lucrative victims. They lease their "ransomware-as-a-service" to affiliates they recruit who do most of the heavy-lifting -- taking more risk and a higher share of the profits.
------
Bajak reported from Boston.