Ransomware hits AXA units in Asia, hurts Ireland healthcare

FILE - In this Thursday, Feb. 21, 2019, file photo, people stand in front of the logo of AXA Group prior to the company's 2018 annual results presentation, in Paris. Cybercriminals have hit four Asian subsidiaries of the Paris-based insurance company AXA with a ransomware attack, impacting operations in Thailand, Malaysia, Hong Kong and the Philippines, the insurer said. (AP Photo/Thibault Camus, File)
FILE - In this Thursday, Feb. 21, 2019, file photo, people stand in front of the logo of AXA Group prior to the company's 2018 annual results presentation, in Paris. Cybercriminals have hit four Asian subsidiaries of the Paris-based insurance company AXA with a ransomware attack, impacting operations in Thailand, Malaysia, Hong Kong and the Philippines, the insurer said. (AP Photo/Thibault Camus, File) (Copyright 2019 The Associated Press. All rights reserved)

PARIS – Cybercriminals have hit four Asian subsidiaries of the Paris-based insurance company AXA with a ransomware attack, impacting operations in Thailand, Malaysia, Hong Kong and the Philippines, the insurer said.

The criminals claimed to have stolen 3 terabytes of data including medical records and communications with doctors and hospitals.

In Ireland, meanwhile, the national healthcare system struggled to restore IT systems that were all but paralyzed in a cyberattack last week by a different Russian-speaking ransomware group. That group is demanding $20 million, according to the ransom negotiation page on its darknet site, which The Associated Press viewed.

The gang threatened Monday to “start publishing and selling your private information very soon.”

The Irish government's decision not to pay the criminals means hospitals won't have access to patient records — and must resort mostly to handwritten notes — until painstaking efforts are complete to restore thousands of computer servers from backups.

AXA Partners, the Paris insurer's international arm, offered few details of the Asia attacks. It said in a brief statement Sunday that their full impact was being investigated and that steps would be "taken to notify and support all corporate clients and individuals impacted.” It said the attack was recent, but did not specify when exactly. It said data in Thailand was accessed and that “regulators and business partners have been informed.”

News of the Asia attack was first reported by the Financial Times. The attackers used a ransomware variant called Avaddon. In a post on their darknet leak site including some document samples, they claim to have stolen 3 terabytes of data including medical records, customer IDs and privileged communications with hospitals and doctors. Avaddon threatened to leak “valuable company documents” in 10 days if the company did not pay an unspecified ransom.

AXA, among Europe’s top five insurers, said this month that it will stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.