CNA Financial, one of the largest insurance companies in the U.S., reportedly paid more than $40 million in ransom to end an attack by hackers in March.
Hackers locked the Chicago-based company out of its network for about two weeks, Bloomberg News reported. That’s when the company paid them off, “according to two people familiar with the attack who asked not to be named because they weren’t authorized to discuss the matter publicly,” Bloomberg reported.
But a CNA spokeswoman would only confirm that the cyberattack occurred, refusing to say whether a ransom was paid.
“CNA is not commenting on the ransom,” spokeswoman Cara McCall said. “CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.”
McCall said CNA passed along information about the attack and the hackers to the FBI and the Treasury Department’s Office of Foreign Assets Control. CNA also said it believed the hackers were a group called Phoenix, according to Bloomberg.
“The CNA hackers used malware called Phoenix Locker, a variant of ransomware dubbed ‘Hades.’ Hades was created by a Russian cybercrime syndicate known as Evil Corp., according to cybersecurity experts,” Bloomberg reported. “Evil Corp. was sanctioned by the U.S. in 2019. However, attributing attacks can be difficult because hacking groups can share code or sell malware to one another.”
Earlier this month, hackers caused a weeklong shutdown of a major U.S. gasoline pipeline. On May 7 the Colonial Pipeline was hit with a cyberattack that forced the closure of the 5,500-mile pipeline, which moves more than 100 million gallons of fuel from Texas to New Jersey every day — nearly 50% of the fuel consumed on the East Coast.
And hackers have reportedly hit nearly 50 other targets, pulling in more than $90 million in ransoms.
The “DarkSide hackers that closed the Colonial Pipeline have bagged more than $90 million in Bitcoin ransom payments from 47 victims and have infected at least 99 companies in the last year,” the Daily Mail reported. “Blockchain analytics firm Elliptic said DarkSide’s Bitcoin wallet received millions of dollars worth of ransom payments in the nine months between October last year and last week when the wallet shut down.”
The targets included fashion label Guess and car firm Toshiba, although it was not clear if they paid ransoms. About half of the targets paid ransoms, with the average payment being around $1.9 million, Elliptic said.
Dark web intelligence firm DarkTracer identified 99 organizations that were infected with DarkSide ransomware.
Colonial reportedly paid nearly $5 million in ransom.
“Joseph Blount, CEO of Colonial Pipeline Co., told The Wall Street Journal that he authorized the ransom payment of $4.4 million because executives were unsure how badly the cyberattack had breached its systems or how long it would take to bring the pipeline back,” The Wall Street Journal reported on Wednesday.