The Thai affiliate of Paris-based insurance company AXA said Tuesday it is investigating a ransomware attack by Russian-speaking cybercriminals that has affected operations in Thailand, Malaysia, Hong Kong and the Philippines.

Meanwhile, a cyber attack on a public health provider in New Zealand took down information systems across five hospitals, forcing staff to cancel some elective surgeries and creating all sorts of other problems.

In Bangkok, Krungthai AXA said it has formed a team with AXA’s Inter Partner Assistance to urgently investigate the problem. It was unclear how long it might take to evaluate the exposure of personal data after the criminals claimed to have stolen 3 terabytes of data including medical records, customer IDs and privileged communications with hospitals and doctors.

Kanjana Anantasomboon, Asia vice president for corporate and internal communications at Krungthai-AXA Life Insurance, said the company handles some of its services inhouse, so only part, she declined to say how much, of its customer data was with Inter Partner Assistance’s claim service.

Other AXA affiliates in the Phlippines, Malaysia and Hong Kong did not respond to requests for comment.

AXA Partners, the Paris insurer’s international arm, has given few details. It said Sunday that the full impact of the attack was being investigated and that steps would be “taken to notify and support all corporate clients and individuals impacted.” It said the attack was recent, but did not specify when exactly. It said data in Thailand was accessed.

In New Zealand, Waikato District Health Board Chief Executive Kevin Snee said its emergency department was now only taking urgent patients. He said administrators were working to resolve the issue, but he gave no timeline for when the system might be restored.

Dr. Deborah Powell, the national secretary for two unions representing doctors and other health professionals, said the attack hit every part of the operation, with doctors unable to access clinical records to quickly assess patients.

Still, Powell said she didn’t believe patients were at extra risk because staff were using workarounds.

Hospital discharges were being done by hand, and a pager system to alert multiple doctors when a patient suffered a cardiac arrest that was down was replaced by a system of personal mobile numbers. People trying to contact patients were encouraged to try calling their cell phones.

Powell said she was told it was a ransomware attack but she didn’t have all the details. New Zealand’s Ministry of Health described it only as an “attempted cyber incident.”

It was unclear if the event was linked in any way to others, including a cyber attack that has nearly paralyzed Ireland’s national healthcare IT systems. Conti, a Russian-speaking ransomware group different from the one involved in the attack on AXA, was demanding $20 million, according to the ransom negotiation page on its darknet site, which The Associated Press viewed.

That gang threatened Monday to “start publishing and selling your private information very soon.”

The Irish government’s decision not to pay the criminals means hospitals won’t have access to patient records – and must resort mostly to handwritten notes – until painstaking efforts are complete to restore thousands of computer servers from backups.

News of the Asia attack was first reported by the Financial Times. The attackers used a ransomware variant called Avaddon. Avaddon threatened to leak “valuable company documents” in 10 days if the company did not pay an unspecified ransom.

So-called “big-game” hunters like Avaddon and Conti identify and target lucrative victims, leasing their “ransomware-as-a-service” to affiliates they recruit who do most of the heavy-lifting – taking more risk and a higher share of the profits.

AXA, among Europe’s top five insurers, said this month that it will stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals. It said it did so out of concern that such reimbursements encourage cyber criminals to demand ransom from companies they prey on, crippling them with malware. Once victims of ransomware pay up, criminals provide software keys to decode the data.

Ransomware attacks returned to headlines this month after hackers struck the United States’ largest fuel pipeline, the Colonial Pipeline. The company shut it down for days to contain the damage.

Last year, ransomware reached epidemic levels as criminals increasingly turned to “double extortion,” stealing sensitive data before activating the encryption software that paralyzes networks and threatening to dump it online if they don’t get paid.

That appears to be what happened to the AXA subsidiaries and Ireland’s health care system.

The top victims of ransomware are in the United States, followed by France, experts say. The extent of damage and payouts in Asian countries is unclear. Like most top ransomware purveyors, Avaddon’s ransomware is programmed not to target computers with Russian-language keyboards and enjoys safe harbor in former Soviet states.

Conti also enjoys Kremlin tolerance and is among the most prolific of such gangs. It recently attacked the school system in Broward County, Florida, which serves Fort Lauderdale and is one of the largest U.S. school districts.

(Nick Perry contributed from Wellington, New Zealand. Elaine Ganley in Paris and Frank Bajak in Boston also contributed to this report.)

Topics USA Cyber Russia AXA XL