CNA Financial paid $40 million to hackers

Hackers used Phoenix Locker ransomware to encrypt CNA's systems

American cyber insurance firm CNA Financial paid hackers $40 million to decrypt its data and restore systems, following a ransomware attack in March, according to sources.

Citing people with knowledge of the matter, Bloomberg reports that CNA paid the cyber criminals about two weeks after it was hit with the Phoenix CryptoLocker ransomware.

CNA first disclosed the hack in late March, saying that it fell victim to a major cyber attack that affected 'certain CNA systems'.

The firm notified law enforcement agencies about the hack and said it was also in contact with outside experts to address the incident. However, CNA began negotiating with the hackers while the investigation was ongoing, according to Bloomberg's sources.

The ransomware operatives initially demanded the company pay $60 million, but following negotiations, both parties agreed to a $40 million payment.

The hackers used the Phoenix Locker ransomware to encrypt CNA's systems. Phoenix Locker is a derivative of Hades malware, which was allegedly created by Russian-speaking Evil Corp group.

CNA declined to comment on the ransom, but said that it had 'followed all laws, regulations, and published guidance, including OFAC's (Office of Foreign Assets Control) 2020 ransomware guidance, in its handling of this matter.'

In an update published on its website on 12th May, the company said that it believed the cyber incident did not affect the 'systems of record, claims systems, or underwriting systems, where the majority of policyholder data - including policy terms and coverage limits - is stored.'

The news comes just weeks after major US fuel line operator Colonial Pipeline confirmed that it had paid the DarkSide ransomware group $4.4 million following a ransomware attack on its systems, which caused fuel shortages across the East Coast.

Colonial Pipeline CEO Joseph Blount said that paying the hackers was the "right thing to do for the country."

The number and cost of ransomware attacks have surged in recent years.

The average ransomware payment in 2020 increased 171 per cent to $312,493, from $115,123 in 2019, Palo Alto Networks said in its most recent report.

Last year, security firm CrowdStrike surveyed 2,200 senior IT leaders from 12 countries in August and September, of which 56 per cent said their firm had suffered at least one ransomware attack in the last 12 months.

The study also found that 39 per cent of UK organisations had fallen victim to a ransomware attack in the last 12 months. UK businesses paid approximately £940,000 ($1.2 million) ransom on average - higher than the global average of $1.1 million, according to the study.