Insurance Firm CNA Financial Reportedly Paid Hackers $40 Million in Ransom


U.S. insurance giant CNA Financial reportedly paid $40 million to a ransomware gang to regain access to its systems following an attack in March, making it one of the most expensive ransoms paid to date.

The development was first reported by Bloomberg, citing “people with knowledge of the attack.” The group behind the intrusion reportedly demanded $60 million a week after the Chicago-based company began negotiating with the hackers, culminating in the payment two weeks after the theft of company data.

In a statement shared on May 12, CNA Financial said it had “no evidence to indicate that external customers were potentially at risk of infection due to the incident.”

The attack has been attributed to a new ransomware strain known as ‘Phoenix CryptoLocker,’ according to a March report from Bleeping Computer. The strain is believed to be an offshoot of WastedLocker and Hades, both of which have been used by Evil Corp, a Russian cybercrime network notorious for ransomware attacks against several U.S. entities, including Garmin, and for deploying JabberZeus, Bugat and Dridex to steal banking credentials.

In December 2019, U.S. authorities sanctioned the group and charged Evil Corp’s alleged leaders, Maksim Yakubets and Igor Turashev, with developing and distributing the Dridex banking Trojan to steal more than $100 million over a period of 10 years. Law enforcement agencies also announced a reward of up to $5 million for information leading to their arrest. Both individuals remain at large.

The development comes amid a sharp uptick in ransomware incidents, in part fueled by the pandemic: the average ransom payment rose 171% year-over-year, from $115,123 in 2019 to $312,493 in 2020. Last year also saw the highest single ransom demand grow to $30 million, and the total amount paid by victims climb to $406 million, based on conservative estimates.

CNA Financial’s $40 million ransom shows that 2021 is shaping up to be another lucrative year for ransomware operators, potentially emboldening cybercriminal gangs to seek bigger payouts and advance their illicit aims.

According to an analysis by ransomware recovery firm Coveware, the average demand for a digital extortion payment rose to $220,298 in the first quarter of 2021, up 43% from Q4 2020, and 77% of the attacks involved a threat to leak exfiltrated data, an increasingly prevalent tactic known as double extortion.

While the U.S. government has routinely advised against paying ransoms, the high stakes associated with data exposure have left victims with little choice but to settle with their attackers. In October 2020, the Treasury Department issued guidance warning of penalties against companies that make ransom payments to a sanctioned person or group, prompting ransomware negotiation firms to avoid cutting deals with blocked groups such as Evil Corp in order to stay clear of legal liability.

“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating [Office of Foreign Assets Control] regulations,” the department said.

The surge in ransomware attacks has also affected the cyber insurance industry, with AXA announcing earlier this month that it will stop reimbursing clients in France who choose to make extortion payments to ransomware cartels, underscoring the dilemma that “insurance firms grapple with successfully underwriting ransomware policies while confronted with rising payout costs that threaten profitability.”

To defend against ransomware, organizations should secure every initial-access path threat actors use to infiltrate networks (phishing email, exposed remote desktop services, unpatched internet-facing systems), maintain periodic backups kept offline or otherwise isolated from the network they protect, and keep a recovery process in place that has actually been tested.

“Organizations should maintain user awareness and training for email security as well as consider ways to identify and remediate malicious email as soon as it enters an employee’s mailbox,” Palo Alto Networks’ Unit 42 researchers said.

“Organizations should also ensure they conduct proper patch management and review which services may be exposed to the internet. Remote desktop services should be correctly configured and secured, using the principle of least privilege wherever possible, with a policy in place to detect patterns associated with brute-force attacks.”
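The last recommendation above, a policy to detect patterns associated with brute-force attacks against remote desktop services, is easy to state and easy to get wrong. The block below is an added example written for this article, not code from CNA Financial, Unit 42 or any vendor. It assumes a simplified, constructed log format in which a SIEM forwards Windows Security events as one line per record (Event ID 4625 is a failed logon, 4624 a successful one, and logon type 10 is RemoteInteractive, i.e. RDP); real events carry the same fields under different names. It flags a source that exceeds a threshold of failed RDP logons inside a sliding window, and, more importantly, flags a successful RDP logon from that source while the failure window is still hot, which is the signal that the brute force worked. A user who mistypes a password twice and a slow source that never crosses the threshold inside the window are deliberately left alone.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real telemetry), shaped like a SIEM line export of
# Windows Security events: "<timestamp> <event_id> user=<account> src=<ip> logon_type=<n>".
# Event ID 4625 = failed logon, 4624 = successful logon; logon_type 10 = RDP (RemoteInteractive).
SAMPLE_EVENTS = [
    "2021-03-21T02:14:05Z 4625 user=Administrator src=203.0.113.7 logon_type=10",
    "2021-03-21T02:14:09Z 4625 user=admin src=203.0.113.7 logon_type=10",
    "2021-03-21T02:14:14Z 4625 user=backup src=203.0.113.7 logon_type=10",
    "2021-03-21T02:14:20Z 4625 user=svc_sql src=203.0.113.7 logon_type=10",
    "2021-03-21T02:14:26Z 4625 user=jsmith src=203.0.113.7 logon_type=10",
    "2021-03-21T02:14:33Z 4625 user=backup src=203.0.113.7 logon_type=10",
    "2021-03-21T02:15:01Z 4624 user=backup src=203.0.113.7 logon_type=10",   # guessed it
    "2021-03-21T02:16:40Z 4625 user=jsmith src=198.51.100.9 logon_type=10",  # one typo
    "2021-03-21T02:16:55Z 4624 user=jsmith src=198.51.100.9 logon_type=10",
    "2021-03-21T02:20:00Z 4625 user=Administrator src=192.0.2.5 logon_type=3",  # SMB, not RDP
    "2021-03-21T03:00:00Z 4625 user=Administrator src=192.0.2.5 logon_type=10",  # slow source:
    "2021-03-21T03:06:00Z 4625 user=Administrator src=192.0.2.5 logon_type=10",  # one try per
    "2021-03-21T03:12:00Z 4625 user=Administrator src=192.0.2.5 logon_type=10",  # six minutes
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d{4}) user=(?P<user>\S+) src=(?P<src>\S+) logon_type=(?P<lt>\d+)$"
)


def parse_event(line):
    """Parse one constructed log line into a dict; raise on anything unexpected so that a
    format change in the feed is noticed rather than silently dropping events."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "event_id": int(m["eid"]),
        "user": m["user"].lower(),   # account names are case-insensitive on Windows
        "src": m["src"],
        "logon_type": int(m["lt"]),
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for sources with >= `threshold` failed RDP logons inside `window`,
    plus a higher-severity alert for any successful RDP logon from such a source while
    its failure window is still hot."""
    failures = defaultdict(deque)   # src -> timestamps of recent 4625s (oldest first)
    accounts = defaultdict(set)     # src -> distinct accounts tried (spray indicator)
    already_alerted = set()
    alerts = []
    for ev in sorted((parse_event(line) for line in lines), key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:      # only remote-interactive (RDP) logons matter here
            continue
        src, ts = ev["src"], ev["ts"]
        recent = failures[src]
        while recent and ts - recent[0] > window:   # expire failures outside the window
            recent.popleft()
        if ev["event_id"] == 4625:
            recent.append(ts)
            accounts[src].add(ev["user"])
            if len(recent) >= threshold and src not in already_alerted:
                already_alerted.add(src)
                alerts.append({"kind": "bruteforce", "src": src, "at": ts,
                               "failures": len(recent), "accounts": sorted(accounts[src])})
        elif ev["event_id"] == 4624 and len(recent) >= threshold:
            alerts.append({"kind": "success_after_bruteforce", "src": src, "at": ts,
                           "failures": len(recent), "account": ev["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Two design points carry over to a production rule. The `accounts` list distinguishes a password spray (many accounts, one source) from a single-account attack, which changes the response. And `already_alerted` suppresses repeat alerts per source for the life of the process; a SIEM rule would instead re-arm once the window has drained, and would run this logic in the correlation engine rather than in a script.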