Tuesday, November 26, 2024
HomeRansomwareU.S Insurance Gaint CNA Financial Paid Hackers $40 Million in Ransom to...

U.S Insurance Gaint CNA Financial Paid Hackers $40 Million in Ransom to Recover Files

Published on

The insurance company, CNA Financial Corp., has been recently cyberattacked using a new variant of the “Phoenix CryptoLocker” Ransomware. 

According to the reports, on March 21, 2021, the threat actors stationed a ransomware program on the IT network of CNA, and encrypted 15,000 devices.

However, to restore and regain all the controls of the hijacked systems and internal networks of the company, CNA Financial paid a massive amount of ransom to the hackers.

- Advertisement - SIEM as a Service

CNA Paid $40 Million in Ransom

CNA Financial Corp. is one of the largest insurance companies in the US, and to regain all the control of its internal IT network and infected systems they paid a hefty amount of $40 million at the end of March to the hackers.

As this ransom was demanded by the hackers who have used the Phoenix CryptoLocker ransomware to encrypt all the data on infected computers and the internal network of the company during the attack.

The ransom paid by CNA Financial to the hackers after two weeks of the attack, as a result of which the threat actors contrived to deaden the company’s internal network system. 

But, according to the internal sources of the company, CNA tried to recover the data on its own, but they agreed to negotiate with the attacker after a week of unsuccessful attempts. And that’s why they yearned to maintain confidentiality since they have no right to discuss this concern openly.

Apart from the internal network of CNA, the Phoenix CryptoLocker also encrypted the computers of remote employees who were connected to the corporate VPN during the attack. 

Throughout the encryption process, the ransomware added the “.phoenix” extension to all encrypted files and created a ransom note with the name, “PHOENIX-HELP.txt.”

Moreover, the security experts have hinted that the popular cybercriminal group, “Evil Corp” is behind this Phoenix CryptoLocker ransomware. And this ransomware is the upgraded version of the WastedLocker ransomware.

The US government imposed sanctions on Evil Corp in 2019 and to avoid fines & lawsuits, most of the ransomware stopped facilitating the ransom payments to WastedLocker operators from the victims.

However, the company claimed that they have followed the law, consulted, and relinquished all the necessary data to the FBI and the Office of Foreign Assets Control of the US Treasury Department. 

In short, CNA Financial has followed all the current guidelines to desist from violating any sanctions while paying the ransom amount to the threat actors.

But, according to an internal investigation, the hackers who have carried out this campaign were not subject to sanctions, so CNA decided to pay the ransom. 

Restoration update

In an official web press, CNA has confirmed that they have now fully restored all their internal networks and operating usually. But, for further security measures they have claimed that they are implementing all the following points:-

  • On the newly restored systems, they are deploying advanced endpoint detection and monitoring tools.
  • To keep their network fully secured they are thoroughly scanning their systems.
  • On detection of any indicators of compromise, deploying instant remedies.
  • Before bringing back the systems online and making sure they are clean, the company also performing double checks.

These types of events are clearly showing that how hackers are using these types of ransomware operations as an easy and common tactic to steal unencrypted data. But, everyone should note down that always paying hackers doesn’t guarantee full recovery.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting...

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ...

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to...

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities,...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Helldown Ransomware Attacking VMware ESXi And Linux Servers

Helldown, a new ransomware group, actively exploits vulnerabilities to breach networks, as since August...

Phobos Ransomware Admin as Part of International Hacking Operation

The U.S. Department of Justice unsealed criminal charges today against Evgenii Ptitsyn, a 42-year-old Russian...

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in...