CNA is the seventh largest commercial insurer in the United States as of 2018. CNA provides property and casualty insurance products and services for businesses and professionals in the U.S., Canada, Europe and Asia.
CNA itself is 90% owned by a holding company, Loews Corporation. This holding company also has interests in offshore oil and gas drilling rigs, natural gas transmission pipelines, oil and gas exploration, hotel operations and package manufacturing.
CNA Financial, one of the largest US insurance companies, paid $40 million to free itself from a ransomware attack that occurred in March, according to a report from Bloomberg. The hackers reportedly demanded $60 million when negotiations started about a week after some of CNA’s systems were encrypted, and the insurance company paid the lower sum a week later.
If the $40 million figure is accurate, CNA’s payout would rank as one of the highest ransomware payouts that we know about, though that’s not for lack of trying by hackers: both Apple and Acer had data that was compromised in separate $50 million ransomware demands earlier this year. It also seems like the hackers are looking for bigger payouts: just this week we saw reports that Colonial Pipeline paid a $4.4 million ransom to hackers. While that number isn’t as staggering as the demands made to CNA, it’s still much higher than the estimated average enterprise ransomware demand in 2020.
Law enforcement agencies recommend against paying ransoms, saying that payouts will encourage hackers to keep asking for higher and higher sums. For its part, CNA told Bloomberg that it wouldn’t comment on the ransom, but that it had “followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.” In an update from May 12, CNA says that it believes its policyholders’ data were unaffected.
According to Bloomberg, the ransomware that locked CNA’s systems was Phoenix Locker, a derivative of another piece of malware called Hades. Hades was allegedly created by a Russian group with the Mr. Robot-esque name Evil Corp.
***
Ransomware Attack Payment
Ransomware attack payments are rarely disclosed. According to Palo Alto Networks, the average payment in 2020 was $312,493, a 171% increase over the payments that companies made in 2019.
The $40 million payment made by CNA Financial is bigger than any previously disclosed payments to hackers, The Verge reported.
Disclosure of the payment is likely to draw the ire of lawmakers and regulators who are already unhappy that companies from the United States are making large payouts to criminal hackers who, over the last year, have targeted hospitals, drug makers, police forces, and other entities that are critical to public safety.
The FBI discourages organizations from paying ransom because it encourages additional attacks and does not guarantee that data will be returned.
Ransomware is a type of malware that encrypts the data of the victim. Cybercriminals using ransomware usually steal the data too. The hackers then ask for a payment to unlock the files and promise not to leak the stolen data. In recent years, hackers have been targeting victims with cyber insurance policies and huge volumes of sensitive consumer data that make them more likely to pay a ransom.
Last year was a banner year for ransomware groups, with security experts and law enforcement agencies estimating that victims paid about $350 million in ransom. The cybercriminals took advantage of the pandemic, a time when hospitals, medical companies, and insurance companies were the busiest.
As per Bloomberg’s report, CNA Financial initially ignored the hackers’ demands while pursuing options to recover their files without engaging with the criminals. However, within a week, the company decided to start negotiations with the hackers, who were demanding $60 million.
Payment was made a week later.
The ransomware cyberattack interrupted the company’s employee and customer services for three days as the firm closed down “out of an abundance of caution” to prevent further damage. Certain CNA systems were impacted, including corporate email.