Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Insurance Giant CNA Pays $40 Million After Ransomware Attack

May 25, 2021

Bloomberg reported on May 20 that CNA Financial Corp., one of the largest insurance companies in the U.S., paid $40 million in late March to regain control of its network after a ransomware attack.

It reportedly paid the hackers approximately two weeks after a great deal of company data was stolen, and CNA officials were locked out of their network.

A CNA spokesperson said the company consulted and shared intelligence about the attack and the hacker’s identity with the FBI and the Treasury Department’s Office of Foreign Assets Control, which said last year that facilitating ransom payments to hackers could pose sanctions risks.

“CNA is not commenting on the ransom,” spokeswoman Cara McCall said. “CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.”

In a security incident update published on May 12, CNA said it did “not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data – including policy terms and coverage limits – is stored, were impacted.”

Companies rarely talk about ransomware attacks or payments unless they become public, so we can only guess about some of the statistics. The average payment in 2020 was $312,493, according to Palo Alto Networks, a 171% increase over the previous year. The $40 million payment is bigger than any previously disclosed payments to hackers, according to three people familiar with ransomware negotiations.

The CNA hackers used malware called Phoenix Locker, a variant of ransomware dubbed ‘Hades.’ Hades was created by a Russian cybercrime syndicate known as Evil Corp., according to cybersecurity experts. Evil Corp. was sanctioned by the U.S. in 2019. However, attributing attacks can be difficult because hacking groups can share code or sell malware to one another.

CNA, which sells cyber insurance, said its investigation concluded that the hackers were a group called Phoenix that isn’t subject to U.S. sanctions.

Lawmakers and regulators are not likely to be happy, as they have been publicly critical of U.S. companies that made large payouts to criminal hackers over the last year after cybercriminals targeted hospitals, drug makers, police forces and other entities critical to public safety. The FBI discourages organizations from paying ransoms because paying encourages additional attacks – and of course there is no guarantee data will be restored or that attackers won’t keep a copy of stolen data.

A task force of security experts and law enforcement agencies estimated that victims paid about $350 million in ransom in 2020, a 311% increase over 2019. The task force recommended 48 actions that the Biden administration and private sector could take to mitigate such attacks, including stricter regulation of the digital currency market used to make ransom payments.

The report, prepared by the Institute for Security and Technology, was delivered to the White House days before Colonial Pipeline was the victim of a ransomware attack resulting in fuel shortages and long lines at gas stations along the East Coast. Bloomberg reported that Colonial paid the hackers nearly $5 million shortly after the attack. Colonial Chief Executive Officer Joseph Blount, in an interview with the Wall Street Journal, confirmed that the company paid the hackers $4.4 million in ransom.

According to two people familiar with the CNA attack, CNA initially ignored the hackers’ demands and tried to recover their files without dealing with the criminals. But within a week, the company started negotiations with the hackers, who were demanding $60 million. The $40 million payment was reportedly made a week later.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Email:  Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson