- Insurance company CNA Financial reportedly paid its attackers $40 million following a ransomware attack disclosed in March, Bloomberg reported Thursday.
- The company worked with federal law enforcement and followed guidance from the Department of Treasury's Office of Foreign Assets Control (OFAC), a CNA spokesperson told Cybersecurity Dive. "Due diligence efforts concluded that the threat actor responsible for the attack is a group called Phoenix," which is not on OFAC's list of prohibited entities.
- CNA said in March the company disconnected its systems from its networks to contain the threat. The company's security team deployed additional endpoint detection and monitoring tools. CNA confirmed the threat actor was no longer in the environment in April and "there is no evidence to indicate that external customers are potentially at risk of infection or cross-contamination."
Despite restoring operations, CNA was still engaged with third parties to investigate the attack earlier this month, according to its 10-K filing on May 7.
CNA said it believed the ransomware attack would not have material impact on its business,"however, no assurances can be given."
The insurance company offers cyber insurance tools for customers, with coverage including network failure, voluntary shutdown and e-theft. The company is among the top-10 cyber insurance providers, standing next to cyber-specific insurers. As of 2019, CNA accounted for 2.2% of the market share, among the top ten standalone cyber insurance market, reported Insurance Business Magazine.
The company has a cyber insurance policy to cover the cost of a cyberattack. But "it is possible losses may exceed the amount available under our coverage and our coverage policy may not cover all losses," the company said in its SEC filing.
The damage of this ransomware attack might hurt CNA's ability to secure future coverage, or at least risk a higher premium, the company said.
The $40 million ransom is likely the highest known paid ransom, experts said. "That number might have paled in comparison to the money they would have paid out to clients attacked by ransomware over the next couple of years," said Allan Liska, intelligence analyst at Recorded Future.
CNA's revenue for FY2020 reached nearly $11 billion, according to its annual report. It's among the insurance providers reacting to the higher demand for cyber insurance. The number of cyber insurance policies increased by about 60% between 2016 and 2019, according to research from S&P Market Intelligence and National Association of Insurance Commissioners (NAIC).
In that same time frame, direct written premium stand-alone cyber policies increased from about $811 million to more than $1.2 billion.
Because of the success of ransomware, ransomware operators are developing more variants and strains, according to the FBI. One group known for pivoting is Evil Corp., the gang behind Revil.
Revil's tactics align with why a threat group would target an insurance provider: Identify "worthwhile targets" and spearphish them, said Brett Callow, threat analyst at Emsisoft. "This is, in fact, exactly what Revil claims to do."
A representative for Revil claimed the group thought of organizations with cyber insurance as "one of the tastiest morsels — especially to hack the insurers first," reported The Record by Recorded Future in March.
Revil is one of the prohibited groups on the OFAC's Specially Designated Nationals and Blocked Persons List (SDN List). Under the International Emergency Economic Powers Act (IEEPA) "U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities" on the SDN List, according to the Treasury Department's October advisory.
Phoenix has ties to Hades ransomware, which are both run by Evil Corp., said Liska. Hades was developed by the ransomware gang to avoid the Treasury's sanctions.
The agency established sanctions for paying ransoms to specific threat groups identified by OFAC and designated sanctions against actors linked to Cryptolocker, SamSam, WannaCry (linked to the Lazarus Group) and Dridex (linked to Evil Corp.). The list is expandable as more threat actors create more damage, including newcomers such as Babuk or DarkSide.
The agency asked for financial institutions, among other companies, to have a risk-based compliance program "to mitigate exposure to sanctions-related violations." Companies susceptible to fines are the ones that aid in ransomware recovery or payment facilitation, including cyber insurers, digital forensics and incident response.
"There has been speculation about ransomware actors targeting cyber insurance companies for a couple of years now," said Liska. "Getting a list of clients from a cyber insurance company, especially one as large as CNA, would be invaluable to ransomware actors."