One of America’s largest insurers agreed to pay a $40 million ransom after its IT systems were locked down and data stolen by threat actors, according to a report.
CNA Financial paid its attackers in late March, about a fortnight after the incident, two people familiar with the attack told Bloomberg.
A statement shared with the news site refused to comment on the ransom but claimed that the firm had followed all “laws, regulations and published guidance” when handling the matter. This includes the 2020 guidance published by the US Treasury’s Office of Foreign Assets Control (OFAC), it said.
CNA Financial also noted in a security update that it did “not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data — including policy terms and coverage limits — is stored, were impacted.”
The firm was apparently hit by a variant of the Evil Corp-authored Hades ransomware called Phoenix Locker.
The payment could be the largest ever made to a ransomware group — although not all incidents and payment amounts are disclosed given the commercial sensitivities involved.
Attackers tried to extort $50 million from Acer back in March, although it’s unclear whether they were successful or not.
The FBI urges victims not to do so as it encourages more copycat attacks and does not guarantee that the organization’s stolen files will not be monetized in the future, or that it will even receive a working decryption key.
Insurance companies like CNA Financial have been at the center of fierce debate recently over whether the industry should be assisting customers financially who have been struck by ransomware.
Axa has decided to stop reimbursing new policyholders in France for payments to such threat groups, for example.
Insurers may also be a lucrative target if their attackers manage to find client lists, which would provide them with a handy line-up of companies covered by insurance.
The average payment to ransomware groups increased by 43% from Q4 2020 to the first three months of 2021, according to Coveware.