CNA paid hackers $40 million following March cyberattack


Disclosure of the payment will likely draw the ire of U.S. leaders who are unhappy that companies are making large payouts to criminals.

(Bloomberg) — CNA Financial Corp., among the largest insurance companies in the U.S., paid $40 million in late March to regain control of its network after a ransomware attack, according to people with knowledge of the attack.

The Chicago-based company paid the hackers about two weeks after a trove of company data was stolen, and CNA officials were locked out of their network, according to two people familiar with the attack who asked not to be named because they weren’t authorized to discuss the matter publicly.

In a statement, a CNA spokesperson said the company followed the law. She said the company consulted and shared intelligence about the attack and the hacker’s identity with the FBI and the Treasury Department’s Office of Foreign Assets Control, which said last year that facilitating ransom payments to hackers could pose sanctions risks.

“CNA is not commenting on the ransom,” spokeswoman Cara McCall said. “CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.”

In a security incident update published on May 12, CNA said it did “not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data – including policy terms and coverage limits — is stored, were impacted.”

Ransomware attacks increase exponentially

Ransomware attacks — and particularly payments — are rarely disclosed, so it’s difficult to know what the biggest ransoms have been. According to Palo Alto Networks, the average payment in 2020 was $312,493, a 171% increase over the previous year. The $40 million payment is bigger than any previously disclosed payments to hackers, according to three people familiar with ransomware negotiations.

The CNA hackers used malware called Phoenix Locker, a variant of ransomware dubbed ‘Hades.’ Hades was created by a Russian cybercrime syndicate known as Evil Corp., according to cybersecurity experts. Evil Corp. was sanctioned by the U.S. in 2019. However, attributing attacks can be difficult because hacking groups can share code or sell malware to one another.

CNA, which offers cyber insurance, said its investigation concluded that the hackers were a group called Phoenix that isn’t subject to U.S. sanctions.

Disclosure of the payment is likely to draw the ire of lawmakers and regulators already unhappy that U.S. companies are making large payouts to criminal hackers who have targeted hospitals, drugmakers, police forces, and other entities critical to public safety over the last year. The FBI discourages organizations from paying ransom because it encourages additional attacks and doesn’t guarantee data will be returned.

Ransomware is a type of malware that encrypts a victim’s data. Cybercriminals using ransomware often steal the data too. The hackers then ask for a payment to unlock the files and promise not to leak stolen data. In recent years, hackers have been targeting victims with cyber insurance policies and huge volumes of sensitive consumer data that make them more likely to pay a ransom, according to cybersecurity experts.

Last year was a banner year for ransomware groups, according to a task force of security experts and law enforcement agencies, which estimated that victims paid about $350 million in ransom last year, a 311% increase over 2019. The task force recommended 48 actions that the Biden administration and private sector could take to mitigate such attacks, including better regulation of the digital currency market used to make ransom payments.

The report, prepared by the Institute for Security and Technology, was delivered to the White House days before Colonial Pipeline Co. was compromised in a ransomware attack that led to fuel shortages and long lines at gas stations along the East Coast of the U.S. Bloomberg reported that Colonial paid the hackers nearly $5 million shortly after the attack; Colonial Chief Executive Officer Joseph Blount, in an interview with the Wall Street Journal published on Wednesday, confirmed that the company paid the hackers $4.4 million in ransom.

According to the two people familiar with the CNA attack, the company initially ignored the hackers’ demands while pursuing options to recover their files without engaging with the criminals. But within a week, the company decided to start negotiations with the hackers, who were demanding $60 million. The payment was made a week later, according to the people.

Phoenix Locker appears to be a variant of Hades based on the overlap of the code used in each, according to Barry Hensley, chief threat intelligence officer of cybersecurity firm Secureworks Corp. “We have a high degree of confidence this is a Hades variant,” Hensley said. He said they hadn’t made a determination which hackers used the Hades variant to attack CNA.

Hades was created by Evil Corp. in order to bypass U.S. sanctions placed on the hacking group, according to research published in March by the cybersecurity firm CrowdStrike Holdings Inc.

In December 2019, the Treasury Department announced sanctions on 17 individuals and six entities linked to Evil Corp. At the time, the Treasury Department said Evil Corp used malware “to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft.” The designation by the Treasury Department made it illegal for a U.S. company to knowingly pay a ransom to Evil Corp.

Ransomware demands have increased exponentially in the last six months, according to Melissa Hathaway, president of Hathaway Global Strategies and a former cybersecurity advisor to Presidents George W. Bush and Barack Obama.

The average ransom demand is now between $50 million and $70 million, Hathaway said. While those demands are often negotiated down, she said companies are frequently paying ransoms in the tens of millions of dollars, in part because cyber insurance policies cover some or all of the cost. She estimated that the average payment is between $10 million and $15 million.
