AXA’s ransomware gambit comes back to bite

Richi Jennings Your humble blogwatcher, dba RJA
Rain on your wedding day

AXA’s Asian arm has been hit by a ransomware attack. The news comes days after AXA’s French HQ said it planned to stop writing cyber-insurance policies that pay out ransoms to hackers.

Isn’t it ironic—don’t you think? Well, life has a funny way of sneaking up on you … then everything blows up in your face. [You’re fired—Ed.]

Malheureusement, the timing isn’t quite as neat as the narrative suggests. In this week’s Security Blogwatch, we never let the facts get in the way of a good story.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Bucketheads prologue.

Like rain on your wedding day

An epic tag-team of Hannah Murphy, Ian Smith, John Reed, Stefania Palma, Primrose Riordan, and David Keohane report—Axa’s Asian operations hit in ransomware attack:

Axa Partners, an international arm of the Paris-based insurer, said … parts of its Asian operations were “recently the victim of a targeted ransomware attack.” … Criminals using ransomware called Avaddon said on Saturday that they had hacked the group’s Asia operations and stolen three terabytes of data.

In an apparent first for the industry, Axa said last week that it would suspend the writing of cyber insurance policies that refund the cost of ransom payments. … Insurers have been blamed by some officials for encouraging companies to pay out by offering such reimbursements. … Both the White House and the FBI advise against paying extortion fees, arguing that it only provides an incentive for more blackmail activities and funds criminal activity.

The data were taken from [AXA’s] units in Thailand, the Philippines, Hong Kong and Malaysia. [They] included customers’ personally identifiable information, medical records and claims, as well as data from hospitals and doctors … screenshots of IDs and passport pages, bank documents, hospital bills, and medical records of patients’ personal health conditions.

AXA Philippines said on its Facebook page that it was having “technical issues.”

The very definition of situational irony. Graham Cluley quips—Well, this is awkward:

One week after … AXA said that it would no longer be writing policies to cover ransomware payments, the company’s operations in Thailand, Malaysia, Hong Kong, and the Philippines have reportedly been hit by a ransomware attack. … No information has been shared regarding how large a ransom the Avaddon gang are demanding from AXA, or whether AXA has ruled out paying.


But like a bucket of cold water, Gareth Corfield spoils the irony narrative—Axa insurance offshoots pwned:

While the timing appears to raise a wry smile … the HQ policy change happened well after the attack.

Still, it concentrates the mind wonderfully. u/extreme4all suggests some practical steps we could take:

This all fits into the bigger picture of risk management:
  • Endpoint protection.
  • Regular Training of users: send them fake phishing & fake multifactor login, that's how they usually get in.
  • Show when mails come from outside … limit email groups and addresses that can be mailed to from outside.
  • … Implement least privilege, most users have too much access.
  • Access reviews (6 month) and (privilege) access management.
  • Business continuity & Disaster Recovery planning, this should include regular testing.

Or just ban bitcoin? Lawrence patiently explains why that won’t work:

Even if possible, it … would change nothing about the fact that most companies’ IT security is shoddy due to decades of underinvestment. Industry espionage and hacking of vulnerable infrastructure is rampant. … How to improve the situation:
  • Commercial producers of security relevant software and internet connected hardware need to be held responsible to patch vulnerabilities in a timely fashion …
  • Companies in key industries need to be fined for not keeping their systems and software up to date
  • Security services need to shift their focus on defence … instead of stockpiling exploits …
  • Key industries need to have robust and at least daily backup procedures in place, and need to be able to recover all data within days …
  • Special protection for personal and health data. The usual stuff: encryption, access controls, anomaly detection, etc.

Hmm. … Which countries could Highpeak be referring to?

Modern day piracy but far less dangerous for the pirates. And sheltering in safe havens with the tacit approval of some countries. Some countries seem immune from hacking somehow—and not because they have better cyber defences.

Time for a colorful metaphor? u/hummelm10 is happy to oblige:

Insurance should cover ransomware (and the ensuing investigation, forensics costs, litigation, etc) because the costs aren’t just the ransom. … The insurance should only cover it though if the company has done their due diligence in securing the network, like logging, firewall audit, patching.

It’s like a car accident: if you drive headfirst into someone your insurance is going to tell you to get ****ed. If someone rear ends you while you’re at a stoplight then they’ll help.

Looking for the silver lining? A cloudy cantankerous swineherd cynically suggests one:

Come friendly ransomware and deliver us from robotic customer unservice.

Meanwhile, @kim_crawley shrugs as only a goth can shrug:

Cyberinsurance is a waste of money. Reallocate that part of your cybersecurity budget to hiring people and improving your network monitoring capabilities.

The moral of the story?

Insurance is the last line in the sand. There’s so much more in-depth defense you can do.

And finally

“Watch the Empire fall”

Hat tip: Jason Weiseberger

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: Corey Ann (cc:by-nd)
