Insurance Firm AXA Crippled By Avaddon Ransomware Days After Ceasing Ransomware Insurance

Avaddon Ransomware has taken down several branches of insurance giant AXA. Branches in Thailand, Malaysia, Hong Kong, and the Philippines have fallen victim to the ransomware strain which has been stealing headlines in May. The Avaddon Ransomware group has claimed on their Dark Web leak site that they have stolen 3TB worth of sensitive data from AXA’s operations in Asia. Furthermore, the Avaddon Ransomware hackers are conducting an ongoing DDOS campaign against AXA’s global websites, making them inaccessible. Presumably, this will continue until the ransom is paid or the hackers otherwise stop their attacks. still inaccessible days after the initial attack

There is a sense of irony in AXA getting hit – Less than a week before the attack, AXA stated that they would be dropping reimbursement for ransomware extortion payments when underwriting cyber-insurance policies in France.

The Avaddon ransomware gang first announced in January 2021 that they will launch DDoS attacks to take down victims’ sites or networks until they reach out and begin negotiating to pay the ransom.

The Avaddon gang also threatened AXA that the insurance company had about ten days to communicate and cooperate with them, after which they would leak AXA’s valuable documents.

The company has hired a forensic team to investigate the incident and said it notified business partners as well as regulators while it prepares to support all of the clients who may have been impacted. 

The group claims to have obtained 3 TB of data belonging to AXA including:

  • customer medical reports (including those containing sexual health diagnosis)
  • customer claims
  • payments to customers
  • customers’ bank account scanned documents
  • material restricted to hospitals and doctors (private fraud investigations, agreements, denied reimbursements, contracts)
  • Identification documents such as National ID cards, passports, etc.
Message on Avaddons’ leak site

Avaddon is a Ransomware as a Service (RaaS) operation that asks affiliates to follow certain rules and pays each one of them with 65% of the ransom payments they bring in, with the operators getting a 35% share.

Avaddon are actively leaking documents until the ransom is paid, as seen by passport leaks on their website.

The Avaddon ransomware gang follows the same MO as other ransomware groups such as breaching the security of its target, exfiltrating data and locking the files on the victim’s system, and demand ransom payment for a decryption key.

Avaddon ransomware samples were first found and identified in February 2019, with Avaddon starting the recruitment of affiliates in June 2020 after the launch of a massive spam campaign that was targeting users worldwide.

The attacks comes days after SaferNet reported on a warning from the Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) on global attack campaign being carried out by the gang.

Ransomware attacks on organizations continue to grow and cause disruptions for many with attackers demanding exorbitant ransom payments.

AXA has not yet commented on the ransom amount demanded by the Avaddon Ransomware gang.

Avaddon Ransomware Analysis

The analysis of Avaddon Ransomware was provided by TrendMicro.

Avaddon Ransomware was initially detected as Ransom.Win32.AVADDON.YJAF-A. A trojan (detected as Trojan.JS.AVADDON.YJAF-A) downloads the ransomware from malicious sites and runs them on the system. This has been reported in a series of twitter posts by TMMalAnalyst.

The ransomware is propagated through emails with an attachment named IMG{6 random number} that contains a JavaScript file named IMG{6 random number}.jpg.js.

Avaddon Sample Email

As seen in the preceding figure, the email body contains a single smiley. The emails for the Avaddon campaign also follow the footsteps of past malware campaigns that use particular subjects to spark the curiosity of the users, thus prompting them to open the message and download the attachment. Most of these emails have photo-related subjects, which might be particularly enticing for users at a time when gadgets with built-in cameras have now become widely available. These subjects include “Look at this photo!”, “You look good here”, “Is this you?” and similar enticing lines.

After the attachment is downloaded and ran, it uses a PowerShell command and the BITSAdmin command-line tool to download and run the ransomware payload. After this, the affected users will see that the ransomware has encrypted the files and appended them with the .avdn file extension. Users will see that their system desktop’s wallpaper has been automatically changed to an image that states that “all your files have been encrypted” and refers to the ransom note: “Instruction 270015-readme.html” (following the {Encrypted Directory}{random numbers}-readme.html format).

Victims wallpaper after infection

The ransom note gives instructions on how the affected user can recover the encrypted files.

Note left by Avaddon Ransomware

This ransomware encrypts files found in the following folders:

  • Program Files\Microsoft\Exchange Server
  • Program Files (x86)\Microsoft\Exchange Server
  • Program Files\Microsoft SQL Server
  • Program Files (x86)\Microsoft SQL Server

It adds the following processes that deletes backup copies of the system, making it difficult to restore:

  • wmic.exe SHADOWCOPY /nointeractive
  • wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  • bcdedit.exe /set {default} recoveryenabled No
  • bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  • vssadmin.exe Delete Shadows /All /Quiet

It terminates services and processes, many of which are related to scanning, storing and retrieving files, and scheduling tasks.


The attack vector for Avaddon Ransomware is extremely common – A phishing email intended to trick the user into opening a file. It is important that business owners and family’s exercise caution when it comes to opening emails from unknown senders, and that employees and family members are educated to understand the risks of cybersecurity.

Sometimes phishing emails will be successful, no matter how well the human is trained to spot them. To avoid falling into this trap, use SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Leave a Reply

Your email address will not be published. Required fields are marked *