CNA Financial Paid $40 Million in Ransom After March Cyberattack
CNA Financial Corp., one of the largest insurance companies in the U.S., paid $40 million in late March to regain control of its network after a ransomware attack,
according to individuals with knowledge of the attack.
The Chicago-based company paid the hackers approximately two weeks after a trove of data was stolen. In addition, CNA officials were locked out of their network, according to people familiar with the attack who asked not to be named.
In a statement, a CNA spokesperson said the company followed the law. She said the company consulted and shared
intelligence about the attack and the hacker’s identity with the FBI and the Treasury Department’s Office of Foreign Assets Control, which said last year that facilitating ransom payments to hackers could pose sanctions risks.
“CNA is not commenting on the ransom,” a spokeswoman for CNA said. “CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.”
In a security incident update published on May 12, CNA said it did “not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data – including policy terms and coverage limits – is stored, were impacted.”
Ransomware attacks -- and particularly payments -- are rarely disclosed so it’s difficult to know what the biggest ransoms have been. The average payment in 2020 was $312,493, according to Palo Alto Networks, a 171% increase over the previous year. The $40 million payment is bigger than any previously disclosed payments to hackers, according to three people familiar with ransomware negotiations.
The CNA hackers used malware called Phoenix Locker, a variant of ransomware dubbed ‘Hades.’ Hades was created by a Russian cybercrime syndicate known as Evil Corp., according to cybersecurity experts. Evil Corp. was sanctioned by the U.S. in 2019. However, attributing attacks can be difficult because hacking groups can share code or sell malware to one another.
CNA, which offers cyber insurance, said its investigation concluded that the hackers were a group called Phoenix that isn’t subject to U.S. sanctions.
Disclosure of the payment is likely to draw the ire of lawmakers and regulators already unhappy that U.S. companies are making large payouts to criminal hackers who over the last year have targeted hospitals, drug makers, police forces and other entities critical to public safety. The FBI discourages organizations from paying ransom because it encourages additional attacks and doesn’t guarantee data will be returned.
Ransomware is a type of malware that encrypts a victim’s data. Cybercriminals using ransomware often steal the data too. The hackers then ask for a payment to unlock the files and promise not to leak stolen data. In recent years, hackers have been targeting victims with cyber insurance policies and huge volumes of sensitive consumer data that make them more likely to pay a ransom, according to cybersecurity experts.
Last year was a banner year for ransomware groups, according to a task-force of security experts and law enforcement agencies which estimated that victims paid about $350 million in ransom last year, a 311% increase over 2019. The task force recommended 48 actions that the Biden administration and private sector could take to mitigate such attacks, including better regulation of the digital currency market used to make ransom payments.
The report, prepared by the Institute for Security and Technology, was delivered to the White House days before Colonial Pipeline Co. was compromised in a ransomware attack that led to fuel shortages and long lines at gas stations along the East Coast of the U.S. Bloomberg reported that Colonial paid the hackers nearly $5 million shortly after the attack; Colonial Chief Executive Officer Joseph Blount, in an interview with the Wall Street Journal published on Wednesday, confirmed that the company paid the hackers -- $4.4 million in ransom.
According to the two people familiar with the CNA attack, the company initially ignored the hackers’ demands while pursuing options to recover their files without engaging with the criminals. But within a week, the company decided to start negotiations with the hackers, who were demanding $60 million. Payment was made a week later, according to the people.