CNA Financial, one of the largest insurance companies in the US, reportedly paid hackers $40 million after a
attack blocked access to the company’s network and stole its data, according to a report from Bloomberg’s Kartikay Mehrotra and William Turton.
CNA first announced the hack in late March, stating that it had seen a “sophisticated cybersecurity attack” on March 21 that had “impacted certain CNA systems.” To address the incident, the company called in outside experts and law enforcement, both of which launched an investigation into the attack.
But behind closed doors, about a week following the ransomware attack, CNA began negotiating with the hackers, Bloomberg reported.
The hackers initially demanded $60 million in ransom. But following negotiations, CNA paid them $40 million in late March, which could be one of the largest ransomware hacker payments yet.
Bloomberg’s report on CNA Financial’s ransom payment comes just weeks after Colonial Pipeline — the US’ biggest refined products pipeline — paid hackers $4.4 million following its own cyberattack, which had caused gas shortages across the East Coast.
Colonial Pipeline’s payout may be notably lower than CNA Financial’s, but the cost of ransomware attacks have been increasing. In 2020, the average ransomware payment increased 171% from $115,123 in 2019 to $312,493 in 2020, according to a report from cybersecurity firm Palo Alto Networks. And earlier this year, both Quanta, an Apple supplier, and Acer were targeted by ransomware group REvil, which demanded $50 million from both companies.
However, the FBI advises against paying a ransom, and says doing so could instead encourage more hacks.
A CNA spokesperson told Insider that the company isn’t commenting on the ransom, but that it had “followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.”
The spokesperson also noted that a group called “Phoenix” was behind the attack. The ransomware used on CNA is known as Phoenix Locker, a spin-off of another
“Hades” created by Russian hacking organization Evil Corp, Bloomberg reported.
The US Treasury Department last sanctioned Evil Corp in 2019 following the group’s distribution of another malware. This sanction barred Americans from paying an Evil Corp ransom. However, the CNA spokesperson noted that Phoenix “isn’t on any prohibited party list and is not a sanctioned entity.”