Search
Close this search box.
Request a quote

CNA paid hackers $40 million following March cyberattack

ZjgyMTUzZWQ1MjA4ZWFkZjM0ZTNhY2RkYWJhYWM2YmM4Y2Y2OWJmMTI2NTU3MzJkZDYyZjFlMWRlODNkZTE3ZA==

CNA paid hackers $40 million following March cyberattack

Disclosure of the payment will likely ire U.S. leaders who are unhappy that companies are making large payouts to criminals.

(Bloomberg) — CNA Financial Corp., among the largest insurance companies in the U.S., paid $40 million in late March to regain control of its network after a ransomware attack, according to people with knowledge of the attack.

The Chicago-based company paid the hackers about two weeks after a trove of company data was stolen, and CNA officials were locked out of their network, according to two people familiar with the attack who asked not to be named because they weren’t authorized to discuss the matter publicly.

In a statement, a CNA spokesperson said the company followed the law. She said the company consulted and shared intelligence about the attack and the hacker’s identity with the FBI and the Treasury Department’s Office of Foreign Assets Control, which said last year that facilitating ransom payments to hackers could pose sanctions risks.

“CNA is not commenting on the ransom,” spokeswoman Cara McCall said. “CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.”

In a security incident update published on May 12, CNA said it did “not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data – including policy terms and coverage limits — is stored, were impacted.”

Ransomeware attacks increase exponentially

Ransomware attacks — and particularly payments — are rarely disclosed, so it’s difficult to know what the biggest ransoms have been. According to Palo Alto Networks, the average payment in 2020 was $312,493, a 171% increase over the previous year. The $40 million payment is bigger than any previously disclosed payments to hackers, according to three people familiar with ransomware negotiations.

The CNA hackers used malware called Phoenix Locker, a variant of ransomware dubbed ‘Hades.’ Hades was created by a Russian cybercrime syndicate known as Evil Corp., according to cybersecurity experts. Evil Corp. was sanctioned by the U.S. in 2019. However, attributing attacks can be difficult because hacking groups can share code or sell malware to one another.

CNA, which offers cyber insurance, said its investigation concluded that the hackers were a group called Phoenix that isn’t subject to U.S. sanctions.

Disclosure of the payment is likely to draw the ire of lawmakers and regulators already unhappy that U.S. companies are making large payouts to criminal hackers who have targeted hospitals, drugmakers, police forces, and other entities critical to public safety over the last year. The FBI discourages organizations from paying ransom because it encourages additional attacks and doesn’t guarantee data will be returned.

Ransomware is a type of malware that encrypts a victim’s data. Cybercriminals using ransomware often steal the data too. The hackers then ask for a payment to unlock the files and promise not to leak stolen data. In recent years, hackers have been targeting victims with cyber insurance policies and huge volumes of sensitive consumer data that make them more likely to pay a ransom, according to cybersecurity experts.

Last year was a banner year for ransomware groups, according to a task force of security experts and law enforcement agencies, which estimated that victims paid about $350 million in ransom last year, a 311% increase over 2019. The task force recommended 48 actions that the Biden administration and private sector could take to mitigate such attacks, including better regulation of the digital currency market used to make ransom payments.

The report, prepared by the Institute for Security and Technology, was delivered to the White House days before Colonial Pipeline Co. was compromised in a ransomware attack that led to fuel shortages and long lines at gas stations along the East Coast of the U.S. Bloomberg reported that Colonial paid the hackers nearly $5 million shortly after the attack; Colonial Chief Executive Officer Joseph Blount, in an interview with the Wall Street Journal published on Wednesday, confirmed that the company paid the hackers — $4.4 million in ransom.

According to the two people familiar with the CNA attack, the company initially ignored the hackers’ demands while pursuing options to recover their files without engaging with the criminals. But within a week, the company decided to start negotiations with the hackers, who were demanding $60 million. The payment was made a week later, according to the people.

Phoenix Locker appears to be a variant of Hades based on the overlap of the code used in each, according to Barry Hensley, chief threat intelligence officer of cybersecurity firm Secureworks Corp. “We have a high degree of confidence this is a Hades variant,” Hensley said. He said they hadn’t made a determination which hackers used the Hades variant to attack CNA.

Hades was created by Evil Corp. in order to bypass U.S. sanctions placed on the hacking group, according to research published in March by the cybersecurity firm CrowdStrike Holdings Inc.

In December 2019, the Treasury Department announced sanctions on 17 individuals and six entities linked to Evil Corp. At the time, the Treasury Department said Evil Corp used malware “to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft.” The designation by the Treasury Department made it illegal for a U.S. company to knowingly pay a ransom to Evil Corp.

Ransomware demands have increased exponentially in the last six months, according to Melissa Hathaway, president of Hathaway Global Strategies and a former cybersecurity advisor to Presidents George W. Bush and Barack Obama.

The average ransom demand is now between $50 million and $70 million, Hathaway said. While those demands are often negotiated down, she said companies are frequently paying ransoms in the tens of millions of dollars, in part because cyber insurance policies cover some or all of the cost. She estimated that the average payment is between $10 million and $15 million.

One Response

Leave a Reply

Your email address will not be published. Required fields are marked *

Related posts
Insurance-technology

Specific Technologies Driving Insurtech Investment in 2024

Understanding the Funding Decline The decrease in funding does not necessarily spell trouble for the insurance sector but instead highlights a strategic shift, the report suggests. “The insurance industry, like many sectors, is focusing on the most promising ventures with substantial insurance potential,” the report explains. “Insurers are directing their investments toward key areas and current trends such as embedded insurance, employee benefits, and cyber risk management. This strategic investment approach signals a forward-looking mindset within the industry.” Three Key Insurtech Trends for 2024 The report identifies three major trends shaping insurtech investments in 2024: Public Insurtech Companies: Financial and Growth Strategies The report also notes that public insurtech companies are prioritizing revenue growth as their main goal. These firms are restructuring their financial strategies to boost cash flow and capitalize on rising revenue streams. Their growth prospects are supported by expanding asset portfolios and strong market demand. “Public insurtech companies are focusing on revenue growth and optimizing their financial frameworks to increase cash flow,” the report states. “The growth potential for these companies is driven by increasing revenue opportunities, broadening asset bases, and a robust market for their services.” In summary, while global insurtech funding saw a decline in 2023, the industry’s focus on GenAI, digital process management, and connected insurance technologies is setting the stage for a dynamic and forward-looking 2024.

Read More
Business

Insurer Secures Unanimous Supreme Court Victory in New York Choice of Law Dispute

In the world of sports, a clean sweep, a shutout, or a perfect game is the ultimate achievement. In the legal arena, a unanimous decision from the U.S. Supreme Court is equally rare and significant. In a notable legal triumph, Great Lakes Insurance SE achieved a unanimous 9-0 victory in the Supreme Court on February 21, 2024. This victory follows a protracted legal battle that began in the District Court of Pennsylvania, advanced to the U.S. Court of Appeals for the Third Circuit, and culminated in the Supreme Court’s decisive ruling. Background of the Case: Great Lakes Insurance SE v. Raiders Retreat Realty Company The heart of the dispute was the insurance contract’s clause selecting New York law to govern any future legal conflicts. Although the financial implications of this case were relatively minor compared to the broader marine insurance industry, the insurer’s determination to uphold a crucial maritime legal principle has significant long-term implications for marine insurance. Faced with the insured’s counterclaims—including allegations of breach of fiduciary duty, insurance bad faith, and violations of Pennsylvania’s Unfair Trade Practices Law—the insurer was confronted with serious risks. Such claims could lead to the shifting of attorney’s fees, treble damages, and more, which might normally encourage insurers to settle rather than risk pursuing justice. However, Great Lakes Insurance, supported by The Goldman Maritime Law Group, opted to challenge the Third Circuit’s decision and seek clarity from the Supreme Court. Supreme Court Ruling: A Landmark Decision In a landmark ruling, Justice Brett Kavanaugh affirmed that choice of law provisions in maritime contracts should be upheld by default. This ruling is a major victory for establishing a consistent federal standard in maritime law and avoiding a patchwork of state laws that could complicate marine insurance disputes. The Supreme Court’s decision overturned the Third Circuit’s earlier judgment, which had questioned whether Pennsylvania’s public policy concerns might override the insurance contract’s choice of New York law. By upholding the New York choice of law clause, the Supreme Court eliminated the extra-contractual bad faith claims under Pennsylvania law, thereby ensuring that the dispute could be resolved based on the merits of the insurance claim itself. Significance of the Supreme Court’s Decision This ruling represents a significant advancement in maritime law, affirming that choice of law clauses in maritime contracts are generally enforceable. The decision establishes a clear, uniform legal framework for resolving maritime contract disputes, which will streamline the process and ensure fair adjudication of future insurance claims. Justice Clarence Thomas’s concurring opinion was particularly notable for its criticism of the 1955 Wilburn Boat v. Fireman’s Fund Insurance decision, which had previously influenced maritime insurance law. Thomas argued that Wilburn Boat was incorrectly decided and stressed that a uniform and enforceable set of rules is essential for the development of maritime law. Impact on the Marine Insurance Industry The Supreme Court’s decision sets a “bright-line” rule affirming that choice of law clauses are valid unless there is a strong argument against the selected jurisdiction. By endorsing New York’s insurance laws as a reasonable choice, the ruling supports a more consistent and predictable legal environment for marine insurers. This decision represents a major step forward in maritime law, helping insurers better assess risks, determine premiums, and ensure fair and efficient resolution of maritime insurance disputes.

Read More
Categories
Try your instant quote
Click here to proceed