CNA Financial, one of the largest US insurance companies, paid $40 million to resolve a ransomware attack that took place in late March, Bloomberg reported citing people familiar with the matter.
The $40 million ransom was paid following a two-week lockout and the theft of data belonging to the company.
“CNA is not commenting on the ransom,” CNA’s spokeswoman Cara McCall told Bloomberg. “CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.”
“Our investigation identified the scope of impacted data in the incident, as well as the servers on which the data resided. We are reviewing the impacted data to determine the contents using both technology and a manual review,” CNA said in its May 12 security update. The company added that it did “not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data – including policy terms and coverage limits – is stored, were impacted.”
According to Bloomberg, the ransomware that targeted CNA’s systems was Phoenix Locker, a variant of the malware called Hades, allegedly developed by a Russian-speaking group known as Evil Corp. According to the sources, CNA initially ignored the ransomware group’s demands and attempted to recover its files without engaging with the hackers; however, within a week, the company decided to start negotiations with the gang, which was demanding $60 million. Payment was made a week later, the sources said.