
Insurer CNA Paid Hackers $40M for Ransomware Decryption


CNA Financial, among the largest insurers in the U.S., has paid some $40 million to ransomware hijackers to unlock its data and restore its network systems.

Details about the CNA Financial ransomware attack first surfaced in March 2021.

The astronomical amount the cyber roughnecks squeezed from CNA Financial is thought to be the largest ransom demand met by victims to date. For perspective, the CNA heist is roughly 10 times the $4.4 million that hackers who hit the Colonial Pipeline raked in from an early May 2021 payment.

CNA, which is the seventh largest commercial insurance provider in the world, coughed up the lofty sum two weeks after hackers stole data and locked up its systems in early March, Bloomberg reported. The insurer resumed operations on March 12, 2021.

A new version of the Phoenix CryptoLocker malware was used by the CNA attackers, who are believed to be tied to the Russian-backed Evil Corp cyber syndicate. The malware apparently encrypted data on over 15,000 machines on CNA's company network, E Hacking News reported. Remote-working employees' computers connected to the company’s private network during the attack were also hobbled.

CNA Financial: No Comment About Alleged Ransomware Payment

Actual ransomware payoffs are notoriously difficult to nail down because victims fear, rightfully so, that such information can embolden other cyber crews, alarm stakeholders and influence competitive landscapes. Federal law enforcement along with cybersecurity specialists have repeatedly counseled against meeting cyber extortionists’ demands, although overall guidance is mixed.

The Chicago-based CNA hasn’t formally commented on the attack, let alone the payoff, other than to say it has complied with the law. The insurer has consulted and shared intelligence about the attack and the hackers’ identity with the Federal Bureau of Investigation (FBI) and the Treasury Department’s Office of Foreign Assets Control, a spokesperson told Bloomberg. “CNA is not commenting on the ransom,” the spokesperson said. “CNA followed all laws, regulations, and published guidance, including OFAC’s (Office of Foreign Assets Control) 2020 ransomware guidance, in its handling of this matter.”

At this point, it’s not entirely clear how the freeze-out will reverberate to CNA’s clients. In a security incident update posted on May 12, CNA said it did “not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data, including policy terms and coverage limits is stored, were impacted.”

Ransomware Payments: Still Climbing, Research Finds

Ransom payments have spiked precipitously in the past two years as the attacks have mutated from multiple, smaller forays to so-called “big game” cyber robberies aimed at choice targets such as governments, hospitals and schools.

According to Coveware's Quarterly Ransomware Report, the average ransom payment in the first three months of this year was $220,298, up 43 percent from $154,108 in the final three months of 2020. Coveware does not list Phoenix Locker among the top 10 ransomware variants in Q1 2021, a period dominated by Sodinokibi, which commands 14 percent of a crowded market. Figures from cybersecurity researchers at Palo Alto Networks are even more attention-getting, pegging the average ransom paid by victims in North America and Europe at $312,493 in 2020 for a 173 percent jump from $115,123 in 2019.

While ransomware had previously caught the federal government’s interest, it now has captured its full attention. Collectively and individually the Department of Homeland Security (DHS), the Department of Justice (DOJ) and Congressional members are sounding a loud clarion call warning of ransomware’s potential to hijack organizations in the public and private sector with losses reaching hundreds of millions of dollars. Biden administration officials have termed ransomware attacks a threat to national security and an epidemic. “The threat is real. The threat is upon us. The risk is to all of us,” DHS Secretary Alejandro Mayorkas said at a recent event.

In what's still regarded as the biggest ransomware attack to date--and a classic example of how cyber extortionists have changed tactics--the 2017 WannaCry outbreak caused worldwide chaos in one weekend by disabling systems used by more than 300,000 victims in 150 countries. No attacks of that magnitude have since followed.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.