The Chicago-based company paid the hackers about two weeks after a trove of company data was stolen, and CNA officials were locked out of their network, according to two people familiar with the attack who asked not to be named because they weren’t authorized to discuss the matter publicly.
In a statement, a CNA spokesperson said the company followed the law. She said the company consulted and shared intelligence about the attack and the hacker’s identity with the FBI and the Treasury Department’s Office of Foreign Assets Control, which said last yearthat facilitating ransom payments to hackers could pose sanctions risks.
“CNA is not commenting on the ransom,” spokeswoman Cara McCall said. “CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.”
In a security incident update published on May 12, CNA said it did “not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data – including policy terms and coverage limits – is stored, were impacted.”
Ransomware attacks -- and particularly payments -- are rarely disclosed so it’s difficult to know what the biggest ransoms have been. The average payment in 2020 was $312,493, according to
The CNA hackers used malware called Phoenix Locker, a variant of ransomware dubbed ‘Hades.’ Hades was created by a Russian cybercrime syndicate known as
CNA, which offers cyber insurance, said its investigation concluded that the hackers were a group called Phoenix that isn’t subject to U.S. sanctions.
Disclosure of the payment is likely to draw the ire of lawmakers and regulators already unhappy that U.S. companies are making large payouts to criminal hackers who over the last year have targeted hospitals, drug makers, police forces and other entities critical to public safety. The FBI discourages organizations from paying ransom because it encourages additional attacks and doesn’t guarantee data will be returned.
Ransomware is a type of malware that encrypts a victim’s data. Cybercriminals using ransomware often steal the data too. The hackers then ask for a payment to unlock the files and promise not to leak stolen data. In recent years, hackers have been targeting victims with cyber insurance policies and huge volumes of sensitive consumer data that make them more likely to pay a ransom, according to cybersecurity experts.
Last year was a banner year for ransomware groups, according to a task-force of security experts and law enforcement agencies which estimated that victims paid about $350 million in ransom last year, a 311% increase over 2019. The task force recommended 48 actions that the Biden administration and private sector could take to mitigate such attacks, including better regulation of the digital currency market used to make ransom payments.
The report, prepared by the Institute for Security and Technology, was delivered to the White House days before
According to the two people familiar with the CNA attack, the company initially ignored the hackers’ demands while pursuing options to recover their files without engaging with the criminals. But within a week, the company decided to start negotiations with the hackers, who were demanding $60 million. Payment was made a week later, according to the people.
Phoenix Locker appears to be a variant of Hades based on overlap of the code used in each, according to
Hades was created by Evil Corp. in order to bypass U.S. sanctions placed on the hacking group, according to research published in March by the cybersecurity firm
In December 2019, the Treasury department announced sanctions on 17 individuals and six entities linked to Evil Corp. At the time, the Treasury department said Evil Corp used malware “to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft.” The designation by the Treasury Department made it illegal for a U.S. company to knowingly pay a ransom to Evil Corp.
Ransomware demands have increased exponentially in the last six months, according to
The average ransom demand is now between $50 million and $70 million, Hathaway said. While those demands are often negotiated down, she said companies are frequently paying ransoms in the tens of millions of dollars, in part because cyber insurance policies cover some or all of the cost. She estimated that the average payment is between $10 million and $15 million.
To contact the editors responsible for this story:
© 2021 Bloomberg L.P. All rights reserved. Used with permission.