Ride the Lightning
Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.
Insurance Giant CNA Crippled by Ransomware
April 1, 2021
Bleeping Computer reported on March 25 that insurance giant CNA was hit by a ransomware attack using a new variant called Phoenix CryptoLocker that is likely linked to the Evil Corp hacking group.
CNA issued a statement confirming that they had suffered a cyber attack:
“On March 21, 2021, CNA determined that it sustained a sophisticated cybersecurity attack. The attack caused a network disruption and impacted certain CNA systems, including corporate email.”
Sources familiar with the attack told BleepingComputer that the hackers deployed the ransomware on CNA’s network on March 21, where it encrypted over 15,000 devices on their network.
It also encrypted the computers of employees working remotely who were logged into the company’s VPN at the time of the attack.
Evil Corp historically used the WastedLocker ransomware when conducting attacks against compromised organizations. Since the US government sanctioned the hacking group in 2019, most ransomware negotiation firms would no longer facilitate WastedLocker ransom payments to avoid facing fines or legal action.
According to a recent CrowdStrike report, the Evil Corp hacking group switched to a new ransomware family called Hades to bypass the US sanctions. However, CrowdStrike’s analysis showed that Hades is simply a rebranded version of their previously used WastedLocker ransomware. The new Phoenix Locker ransomware used in the CNA attack is believed to be another Evil Corp spinoff.
CNA told Bleeping Computer “The threat actor group, Phoenix, responsible for this attack, is not a sanctioned entity and no U.S. government agency has confirmed a relationship between the group that attacked CNA and any sanctioned entity. We have notified the FBI of this incident and are actively cooperating with them as they conduct their investigation of the incident.”
Cyberinsurance companies are now a valuable target for hackers – if they know who has how much cyberinsurance, they know how much ransom the insurance company might be willing to pay.
It is not known if the ransomware operators exfiltrated unencrypted files before encrypting CNA’s devices.
To me, it sure seems likely.
CNA’s website has the following notice posted as of 10 a.m. Wednesday, March 31.
“On March 21, 2021, CNA determined that it sustained a sophisticated cybersecurity attack. The attack caused a network disruption and impacted certain CNA systems, including corporate email.
Upon learning of the incident, we immediately engaged a team of third- party forensic experts to investigate and determine the full scope of this incident, which is ongoing. We have alerted law enforcement and will be cooperating with them as they conduct their own investigation.
Out of an abundance of caution, we have disconnected our systems from our network, which continue to function. We’ve notified employees and provided workarounds where possible to ensure they can continue operating and serving the needs of our insureds and policyholders to the best of their ability.
The security of our data and that of our insureds and other stakeholders is of the utmost importance to us. Should we determine that this incident impacted our insureds’ or policyholders’ data, we’ll notify those parties directly.
We have established the following dedicated email inbox to contact us with Surety underwriting, claim and operational questions so that we can follow-up with you to address your customer needs. While this incident has impacted our ability to process transactions, we are continuing to explore workarounds and progress our efforts to restore access to our Surety systems.
To submit a surety question or to report a surety claim, please contact: .
While our processing capabilities for business placed through our Sioux Falls office have been impacted, we continue with our full capabilities to entertain and authorize all bond requests for our agents and broker partners with their own bond issuance capabilities. Please contact us via the referenced email box or call your local Branch surety representatives with any questions or concerns.
We are committed to keeping you apprised of the latest developments. Thank you for your patience.”
I suspect that all insurance companies are now battening down their hatches in anticipation of further attacks.
Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson