Tuesday, June 18, 2024

U.S Insurance Gaint CNA Financial Paid Hackers $40 Million in Ransom to Recover Files

The insurance company, CNA Financial Corp., has been recently cyberattacked using a new variant of the “Phoenix CryptoLocker” Ransomware. 

According to the reports, on March 21, 2021, the threat actors stationed a ransomware program on the IT network of CNA, and encrypted 15,000 devices.

However, to restore and regain all the controls of the hijacked systems and internal networks of the company, CNA Financial paid a massive amount of ransom to the hackers.

CNA Paid $40 Million in Ransom

CNA Financial Corp. is one of the largest insurance companies in the US, and to regain all the control of its internal IT network and infected systems they paid a hefty amount of $40 million at the end of March to the hackers.

As this ransom was demanded by the hackers who have used the Phoenix CryptoLocker ransomware to encrypt all the data on infected computers and the internal network of the company during the attack.

The ransom paid by CNA Financial to the hackers after two weeks of the attack, as a result of which the threat actors contrived to deaden the company’s internal network system. 

But, according to the internal sources of the company, CNA tried to recover the data on its own, but they agreed to negotiate with the attacker after a week of unsuccessful attempts. And that’s why they yearned to maintain confidentiality since they have no right to discuss this concern openly.

Apart from the internal network of CNA, the Phoenix CryptoLocker also encrypted the computers of remote employees who were connected to the corporate VPN during the attack. 

Throughout the encryption process, the ransomware added the “.phoenix” extension to all encrypted files and created a ransom note with the name, “PHOENIX-HELP.txt.”

Moreover, the security experts have hinted that the popular cybercriminal group, “Evil Corp” is behind this Phoenix CryptoLocker ransomware. And this ransomware is the upgraded version of the WastedLocker ransomware.

The US government imposed sanctions on Evil Corp in 2019 and to avoid fines & lawsuits, most of the ransomware stopped facilitating the ransom payments to WastedLocker operators from the victims.

However, the company claimed that they have followed the law, consulted, and relinquished all the necessary data to the FBI and the Office of Foreign Assets Control of the US Treasury Department. 

In short, CNA Financial has followed all the current guidelines to desist from violating any sanctions while paying the ransom amount to the threat actors.

But, according to an internal investigation, the hackers who have carried out this campaign were not subject to sanctions, so CNA decided to pay the ransom. 

Restoration update

In an official web press, CNA has confirmed that they have now fully restored all their internal networks and operating usually. But, for further security measures they have claimed that they are implementing all the following points:-

  • On the newly restored systems, they are deploying advanced endpoint detection and monitoring tools.
  • To keep their network fully secured they are thoroughly scanning their systems.
  • On detection of any indicators of compromise, deploying instant remedies.
  • Before bringing back the systems online and making sure they are clean, the company also performing double checks.

These types of events are clearly showing that how hackers are using these types of ransomware operations as an easy and common tactic to steal unencrypted data. But, everyone should note down that always paying hackers doesn’t guarantee full recovery.


Latest articles

Singapore Police Arrested Two Individuals Involved in Hacking Android Devices

The Singapore Police Force (SPF) has arrested two men, aged 26 and 47, for...

CISA Conducts First-Ever Tabletop Exercise Focused on AI Cyber Incident Response

On June 13, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) made history by...

Europol Taken Down 13 Websites Linked to Terrorist Operations

Europol and law enforcement agencies from ten countries have taken down 13 websites linked...

New ARM ‘TIKTAG’ Attack Impacts Google Chrome, Linux Systems

Memory corruption lets attackers hijack control flow, execute code, elevate privileges, and leak data.ARM's...

Operation Celestial Force Employing Android And Windows Malware To Attack Indian Users

A Pakistani threat actor group, Cosmic Leopard, has been conducting a multi-year cyber espionage...

Hunt3r Kill3rs Group claims they Infiltrated Schneider Electric Systems in Germany

The notorious cybercriminal group Hunt3r Kill3rs has claimed responsibility for infiltrating Schneider Electric's systems...

Hackers Employing New Techniques To Attack Docker API

Attackers behind Spinning YARN launched a new cryptojacking campaign targeting publicly exposed Docker Engine...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles