Possibly the Highest Ransomware Payment Ever: CNA reportedly paid $40 million to hackers

by Diana Panduru | July 23, 2021 | Cybersecurity News

One of the biggest US insurance companies, CNA, paid a ransom worth $40 million to attackers after a massive cyberattack, the highest ransomware payment ever reported.


How the Ransomware Attack Happened

The attack took place on March 21st; it blocked all access to the company’s network and exfiltrated its data. CNA described it as a “sophisticated cybersecurity attack” that had massively “impacted certain CNA systems.”

In response to the incident, the insurance company called in outside experts and law enforcement and launched an investigation into the attack.

CNA Negotiated a Ransomware Payment of $40 million behind closed doors

A week into the investigation, CNA began negotiating unofficially with the attackers. The group responsible for the attack initially demanded a jaw-dropping $60 million. After further negotiations, CNA ended up paying $40 million later in March. This is the largest ransomware payment ever reported.

The attack on CNA came shortly after the Colonial Pipeline incident, in which the largest fuel provider in the US suffered major operational disruption and paid hackers $4.4 million in exchange for a decryptor that proved too slow to be useful.

Colonial Pipeline paid $4.4 million in ransom after being hit by a massive cyberattack.

The ransomware payment made by Colonial Pipeline is, indeed, much smaller than CNA’s, but the cost of ransomware attacks appears to be increasing. The average ransomware payment jumped from $115,123 in 2019 to $312,493 in 2020, according to Palo Alto Networks, a cybersecurity company.

Although paying the ransom seems to be the easy way out after an attack, the FBI strongly advises against it, as it could instead encourage attackers to strike again.

CNA’s Statements on the Ransomware Payment

CNA stated on May 12 that “systems of record, claims systems, or underwriting systems where the majority of policyholder data is stored” were not compromised by the ransomware attack.

A CNA representative stated that the insurance company would not make any official comment on the ransom. Still, they asserted that in the negotiations and the payment CNA “followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.”

In addition, the spokesperson noted that the attackers were part of a hacking group known as “Phoenix.” The ransomware used to compromise CNA is Phoenix Locker. The malicious software is a spin-off of “Hades,” another malware family developed by Evil Corp, an infamous Russian hacking organization.

Following the group’s distribution of another strain of malware, the US Treasury Department sanctioned Evil Corp in 2019. The sanction prohibits American victims from making a ransomware payment to Evil Corp. However, the CNA representative said that “Phoenix” “isn’t on any prohibited party list and is not a sanctioned entity.”

About Evil Corp

Evil Corp is an international cybercrime group that uses malware to steal money from victims’ bank accounts. Over the last decade, the hacking organization has stolen millions of dollars worldwide. As a result, many consider Evil Corp the largest, most threatening, and most harmful hacking group to ever exist.

The criminal organization is named after a fictional multinational corporation from the hacker-themed television show Mr. Robot. The group is thought to be located near Moscow, Russia.

The group uses a wide array of malware to compromise users’ devices. Its newest strain of malicious software is called “Dridex,” and it uses a combination of techniques to automate the theft of users’ mobile banking credentials.

Dridex is spread via massive phishing email campaigns that send out millions of messages a day. If the target clicks the link contained in the email, Dridex is installed on the device. From there, it generates fake bank login pages in the victim’s web browser.

Cyber threats can seem overwhelming in number and gravity, but Attack Simulator’s got your back. Don’t let your business fall into the hands of cybercriminals, and provide your employees with the necessary knowledge to spot and deflect a phishing attack. Choose our Security Awareness training program today for a safe cyber-tomorrow.


Sources:

Business Insider www.businessinsider.com/cna-financial-hackers-40-million-ransom-cyberattack

Bloomberg https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack

by Diana Panduru

Content writer for Attack Simulator. Passionate about all things writing and cybersecurity, and obsessed with driving. I sometimes indulge in pencil drawing, poetry, and cooking for fun.
