CNA Financial reportedly paid hackers $40 million in March in order to regain control of its systems after it succumbed to a ransomware scheme.
The hackers who carried out the attack on the Chicago-based cyber insurance company initially demanded $60 million. After about a week of negotiations, the firm ultimately paid the hackers $40 million.
Although law enforcement agencies don’t recommend paying ransoms, since payment could encourage hackers to demand increasingly large sums, a CNA spokesperson said the company followed the law during the process.
“CNA is not commenting on the ransom,” spokeswoman Cara McCall said. “CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.”
Policyholder data not affected
In a security update published on May 12, CNA said it had no reason to believe its policyholders’ data was affected by the attacker activity. Immediately after detecting the ransomware, the company said it disconnected its systems from its network to contain the threat and prevent additional systems from being affected.
“As a result of our efforts, we are confident that the Threat Actor has not accessed the CNA environment since the ransomware event,” the company said. “We have no evidence to indicate that external customers were potentially at risk of infection due to the incident.”
Citing three people familiar with CNA’s negotiations, Bloomberg reported that the ransomware used against CNA was a derivative of another piece of malware called Hades.
“Hades was created by a Russian cybercrime syndicate known as Evil Corp., according to cybersecurity experts,” Bloomberg said. “Evil Corp. was sanctioned by the U.S. in 2019. However, attributing attacks can be difficult because hacking groups can share code or sell malware to one another.”
The sum paid to the hackers reportedly ranks as one of the highest ransom payments to date.