Insurance Firm AXA Crippled By Avaddon Ransomware Days After Ceasing Ransomware Insurance

Avaddon Ransomware has taken down several branches of insurance giant AXA. Branches in Thailand, Malaysia, Hong Kong, and the Philippines have fallen victim to the ransomware strain which has been stealing headlines in May. The Avaddon Ransomware group has claimed on their Dark Web leak site that they have stolen 3TB worth of sensitive data from AXA’s operations in Asia. Furthermore, the Avaddon Ransomware hackers are conducting an ongoing DDOS campaign against AXA’s global websites, making them inaccessible. Presumably, this will continue until the ransom is paid or the hackers otherwise stop their attacks.

 

There is a sense of irony in AXA getting hit – Less than a week before the attack, AXA stated that they would be dropping reimbursement for ransomware extortion payments when underwriting cyber-insurance policies in France.

The Avaddon ransomware gang first announced in January 2021 that they will launch DDoS attacks to take down victims’ sites or networks until they reach out and begin negotiating to pay the ransom.

The Avaddon gang also threatened AXA that the insurance company had about ten days to communicate and cooperate with them, after which they would leak AXA’s valuable documents.

The company has hired a forensic team to investigate the incident and said it notified business partners as well as regulators while it prepares to support all of the clients who may have been impacted. 

The group claims to have obtained 3 TB of data belonging to AXA including:

• customer medical reports (including those containing sexual health diagnosis)
• customer claims
• payments to customers
• customers’ bank account scanned documents
• material restricted to hospitals and doctors (private fraud investigations, agreements, denied reimbursements, contracts)
• Identification documents such as National ID cards, passports, etc.

Avaddon is a Ransomware as a Service (RaaS) operation that asks affiliates to follow certain rules and pays each one of them with 65% of the ransom payments they bring in, with the operators getting a 35% share.

The Avaddon ransomware gang follows the same MO as other ransomware groups such as breaching the security of its target, exfiltrating data and locking the files on the victim’s system, and demand ransom payment for a decryption key.

Avaddon ransomware samples were first found and identified in February 2019, with Avaddon starting the recruitment of affiliates in June 2020 after the launch of a massive spam campaign that was targeting users worldwide.

The attacks comes days after SaferNet reported on a warning from the Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) on global attack campaign being carried out by the gang.

Ransomware attacks on organizations continue to grow and cause disruptions for many with attackers demanding exorbitant ransom payments.

AXA has not yet commented on the ransom amount demanded by the Avaddon Ransomware gang.

Avaddon Ransomware Analysis

The analysis of Avaddon Ransomware was provided by TrendMicro.

Avaddon Ransomware was initially detected as Ransom.Win32.AVADDON.YJAF-A. A trojan (detected as Trojan.JS.AVADDON.YJAF-A) downloads the ransomware from malicious sites and runs them on the system. This has been reported in a series of twitter posts by TMMalAnalyst.

The ransomware is propagated through emails with an attachment named IMG{6 random number}.jpg.js.zip that contains a JavaScript file named IMG{6 random number}.jpg.js.

As seen in the preceding figure, the email body contains a single smiley. The emails for the Avaddon campaign also follow the footsteps of past malware campaigns that use particular subjects to spark the curiosity of the users, thus prompting them to open the message and download the attachment. Most of these emails have photo-related subjects, which might be particularly enticing for users at a time when gadgets with built-in cameras have now become widely available. These subjects include “Look at this photo!”, “You look good here”, “Is this you?” and similar enticing lines.

After the attachment is downloaded and ran, it uses a PowerShell command and the BITSAdmin command-line tool to download and run the ransomware payload. After this, the affected users will see that the ransomware has encrypted the files and appended them with the .avdn file extension. Users will see that their system desktop’s wallpaper has been automatically changed to an image that states that “all your files have been encrypted” and refers to the ransom note: “Instruction 270015-readme.html” (following the {Encrypted Directory}{random numbers}-readme.html format).

The ransom note gives instructions on how the affected user can recover the encrypted files.

This ransomware encrypts files found in the following folders:

• Program Files\Microsoft\Exchange Server
• Program Files (x86)\Microsoft\Exchange Server
• Program Files\Microsoft SQL Server
• Program Files (x86)\Microsoft SQL Server

It adds the following processes that deletes backup copies of the system, making it difficult to restore:

• wmic.exe SHADOWCOPY /nointeractive
• wbadmin DELETE SYSTEMSTATEBACKUP
• wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
• bcdedit.exe /set {default} recoveryenabled No
• bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
• vssadmin.exe Delete Shadows /All /Quiet

It terminates services and processes, many of which are related to scanning, storing and retrieving files, and scheduling tasks.