Businesses have been harrowed with the ever-rising question, “To pay or not to pay ransom?” The FBI had urged companies to avoid ransom payments because it only worsens the situation encourages others. The ransom does not fix the vulnerability, and though companies recover their data, cybercriminals make a pocketful out of it. Recently, CNA Financial Corp., one of the largest insurers in the U.S., allegedly paid $40 million to cybercriminals, to recover control of its network systems after being hit by a ransomware attack. While the company did not comment on the ransom, it did state that it reported the security incident to the FBI and the Treasury Department’s Office of Foreign Assets Control.
On March 21, 2021, CNA disclosed that it sustained a sophisticated cyberattack that disrupted some of its systems’ operations.
“We continue to progress our investigation into this incident, in partnership with the third-party forensic experts working to assist CNA. We are pleased that in a short time since the ransomware event, we are now operating in a fully restored state,” CNA said.
Threat Summary
- On March 21, 2021, CNA detected the ransomware and took immediate action by proactively disconnecting its systems from its network to contain the threat and prevent additional systems from being affected.
- CNA’s forensic investigation and root cause determination have revealed no indication that this was a targeted attack or that CNA or policyholder data was specifically targeted by the threat actor.
- Additionally, all attacker activity happened in, or before March 2021.
- The company is confident that the threat actor has not accessed the CNA environment since the ransomware event.
- It has no evidence to indicate that external customers were potentially at risk of infection due to the incident.
Is Phoenix Ransomware Group Involved?
While CNA did not reveal the name of the cybercriminal group it paid ransom to, several industry experts stated that threat actor group Phoenix is likely behind the attack. Phoenix ransomware is believed to be linked to the Evil Corp threat group because its code resembles the one used by the Evil Corp threat group. Phoenix ransomware comes as a legit signed software tricking the victim to execute it and it then encrypts the victim’s data.
Mixed Opinions
CNA clarified that all of its affected systems have now been restored. It added, “CNA is fully restored, and we are operating business as usual. Our IT teams and third-party partners have worked hard to restore business operability.”
However, several industry experts raised concerns over CNA’s failure in detecting the ransomware attack, which led the company to pay a huge ransom to recover its systems.
“Of course, it’s very easy to have a good laugh about a cyber insurance company getting caught with its pants down, hit by ransomware, and paying an EYEWATERING $40 MILLION RANSOM (sorry, but I do think the figure deserves emphasizing), but it could have happened to just about anyone well, maybe not the paying $40 million bit,” said cybersecurity researcher Graham Cluley.
Leading cyber security insurance provider CNA restored their systems in May, per their website. Bloomberg report they paid their attackers $40m.
A stunning failure in management and a benchmark for how low the cybersecurity industry is. https://t.co/brXhPxxzkK
— Kevin Beaumont (@GossiTheDog) May 20, 2021
“A stunning failure in management and a benchmark for how low the cybersecurity industry is,” said security researcher Kevin Beaumont.