New Zealand Hospital System Limited to Caring for Urgent Patients After Ransomware Attack

A cyberattack on a public health provider in New Zealand shut down information systems across five hospitals. Dr. Deborah Powell, the national secretary for two unions representing doctors and other health professionals, told the Associated Press that the attack hit every part of the operation but said patients were not at extra risk because doctors were using workarounds.

Powell said she was told this was a ransomware attack but had no other details. New Zealand's Ministry of Health described it only as an "attempted cyber incident."

Waikato District Health Board Chief Executive Kevin Snee told the AP that its emergency department was taking only urgent patients, and he could not give a timeline for when the system might be restored. The attack comes as Paris-based insurance company AXA said it is investigating a ransomware attack by Russian-speaking cybercriminals that affected operations in Thailand, Malaysia, Hong Kong and the Philippines.

Photo caption: The Thai affiliate of Paris-based insurance company AXA said on May 18 it is investigating a ransomware attack by Russian-speaking cybercriminals that has affected operations in Thailand, Malaysia, Hong Kong and the Philippines. (Thibault Camus, File/AP Photo)

For more reporting from the Associated Press, see below:

Powell said hospital discharges were being done by hand, and a pager system used to alert multiple doctors when a patient suffered a cardiac arrest was down and had been replaced by a system of personal mobile numbers. People trying to contact patients were encouraged to try calling their cell phones.

It was unclear if the event was linked in any way to others, including a cyberattack that has nearly paralyzed Ireland's national healthcare IT systems. Conti, a Russian-speaking ransomware group different from the one involved in the attack on AXA, was demanding $20 million, according to the ransom negotiation page on its darknet site, which the AP viewed.

That gang threatened Monday to "start publishing and selling your private information very soon."

The Irish government's decision not to pay the criminals means hospitals won't have access to patient records—and must resort mostly to handwritten notes—until painstaking efforts are complete to restore thousands of computer servers from backups.

In Bangkok, Krungthai AXA said it has formed a team with AXA's Inter Partner Assistance to urgently investigate the problem. It was unclear how long it might take to evaluate the exposure of personal data after the criminals claimed to have stolen 3 terabytes of data including medical records, customer IDs and privileged communications with hospitals and doctors.

Kanjana Anantasomboon, assistant vice president for corporate and internal communications at Krungthai-AXA Life Insurance, said the company handles some of its services in-house, so only part of its customer data was with Inter Partner Assistance's claim service. She declined to say how much.

Other AXA affiliates in the Philippines, Malaysia and Hong Kong did not respond to requests for comment.

AXA Partners, the Paris insurer's international arm, has given few details. It said Sunday that the full impact of the attack was being investigated and that steps would be "taken to notify and support all corporate clients and individuals impacted." It said the attack was recent, but did not specify when exactly. It said data in Thailand was accessed.

News of the Asia attack was first reported by the Financial Times. The attackers used a ransomware variant called Avaddon. Avaddon threatened to leak "valuable company documents" in 10 days if the company did not pay an unspecified ransom.

So-called big-game hunters like Avaddon and Conti identify and target lucrative victims, leasing their "ransomware-as-a-service" to affiliates they recruit who do most of the heavy lifting—taking more risk and a higher share of the profits.

AXA, among Europe's top five insurers, said this month that it will stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals. It said it did so out of concern that such reimbursements encourage cyber criminals to demand ransom from companies they prey on, crippling them with malware. Once victims of ransomware pay up, criminals provide software keys to decode the data.

Ransomware attacks returned to headlines this month after hackers struck the United States' largest fuel pipeline, the Colonial Pipeline. The company shut it down for days to contain the damage.

Last year, ransomware reached epidemic levels as criminals increasingly turned to "double extortion," stealing sensitive data before activating the encryption software that paralyzes networks and threatening to dump it online if they don't get paid.

That appears to be what happened to the AXA subsidiaries and Ireland's health care system.

The top victims of ransomware are in the United States, followed by France, experts say. The extent of damage and payouts in Asian countries is unclear. Like most top ransomware purveyors, Avaddon programs its ransomware not to target computers with Russian-language keyboards, and it enjoys safe harbor in former Soviet states.

Conti also enjoys Kremlin tolerance and is among the most prolific of such gangs. It recently attacked the school system in Broward County, Florida, which serves Fort Lauderdale and is one of the largest U.S. school districts.