Thursday, March 28, 2024

U.S Insurance Gaint CNA Financial Paid Hackers $40 Million in Ransom to Recover Files

The insurance company, CNA Financial Corp., has been recently cyberattacked using a new variant of the “Phoenix CryptoLocker” Ransomware. 

According to the reports, on March 21, 2021, the threat actors stationed a ransomware program on the IT network of CNA, and encrypted 15,000 devices.

However, to restore and regain all the controls of the hijacked systems and internal networks of the company, CNA Financial paid a massive amount of ransom to the hackers.

CNA Paid $40 Million in Ransom

CNA Financial Corp. is one of the largest insurance companies in the US, and to regain all the control of its internal IT network and infected systems they paid a hefty amount of $40 million at the end of March to the hackers.

As this ransom was demanded by the hackers who have used the Phoenix CryptoLocker ransomware to encrypt all the data on infected computers and the internal network of the company during the attack.

The ransom paid by CNA Financial to the hackers after two weeks of the attack, as a result of which the threat actors contrived to deaden the company’s internal network system. 

But, according to the internal sources of the company, CNA tried to recover the data on its own, but they agreed to negotiate with the attacker after a week of unsuccessful attempts. And that’s why they yearned to maintain confidentiality since they have no right to discuss this concern openly.

Apart from the internal network of CNA, the Phoenix CryptoLocker also encrypted the computers of remote employees who were connected to the corporate VPN during the attack. 

Throughout the encryption process, the ransomware added the “.phoenix” extension to all encrypted files and created a ransom note with the name, “PHOENIX-HELP.txt.”

Moreover, the security experts have hinted that the popular cybercriminal group, “Evil Corp” is behind this Phoenix CryptoLocker ransomware. And this ransomware is the upgraded version of the WastedLocker ransomware.

The US government imposed sanctions on Evil Corp in 2019 and to avoid fines & lawsuits, most of the ransomware stopped facilitating the ransom payments to WastedLocker operators from the victims.

However, the company claimed that they have followed the law, consulted, and relinquished all the necessary data to the FBI and the Office of Foreign Assets Control of the US Treasury Department. 

In short, CNA Financial has followed all the current guidelines to desist from violating any sanctions while paying the ransom amount to the threat actors.

But, according to an internal investigation, the hackers who have carried out this campaign were not subject to sanctions, so CNA decided to pay the ransom. 

Restoration update

In an official web press, CNA has confirmed that they have now fully restored all their internal networks and operating usually. But, for further security measures they have claimed that they are implementing all the following points:-

  • On the newly restored systems, they are deploying advanced endpoint detection and monitoring tools.
  • To keep their network fully secured they are thoroughly scanning their systems.
  • On detection of any indicators of compromise, deploying instant remedies.
  • Before bringing back the systems online and making sure they are clean, the company also performing double checks.

These types of events are clearly showing that how hackers are using these types of ransomware operations as an easy and common tactic to steal unencrypted data. But, everyone should note down that always paying hackers doesn’t guarantee full recovery.

Website

Latest articles

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles