One of the largest insurance companies in the United States, CNA Financial, reportedly agreed to a $40 million payment to restore access to its systems following a ransomware attack.
According to Bloomberg, the $40 million payment — which is $10 million more than the highest attempted demand of $30 million in 2020, already double the highest attempted extortion figure of 2019 at $15 million — was paid out two weeks after ransomware crippled CNA Financial’s networks.
People close to the matter said during the cyberattack, employees were locked out of the company’s systems and confidential data was stolen.
CNA said that a “sophisticated cybersecurity attack” was detected on March 21 that caused “network disruption and impacted certain CNA systems.”
In an update on May 12, the insurance giant said that third party cyberforensics experts were investigating the incident, in which the ransomware group appears to have conducted all of its activities prior to March 21 and have not accessed the CNA environment since.
Ransomware groups may perform reconnaissance and lurk in a network to quietly exfiltrate information before encryption begins in order to perform a double-extortion attack, in which companies that refuse to pay in order to decrypt their systems are then faced with the prospect of sensitive data being published online.
The company has remained tight-lipped concerning what information was stolen, but did say that “we do not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data — including policy terms and coverage limits — is stored, were impacted.”
CNA has since restored its systems and is fully operational.
In a statement, a CNA spokesperson said that the insurance firm will not be commenting on the ransom, adding that CNA “followed all laws, regulations, and published guidance” while handling the cyberattack.
Furthermore, the company consulted with the FBI and Office of Foreign Assets Control (OFAC).
This may not be enough to placate US lawmakers or law enforcement as the practice of paying cyberattackers is not encouraged — and only serves to keep ransomware deployment a lucrative business.
Colonial Pipeline, a crucial provider of fuel to close to half of the East Coast, has confirmed a $4.4 million payout to the DarkSide ransomware group following a debilitating attack that interrupted fuel supplies for close to a week across the United States. Colonial Pipeline CEO Joseph Blount said that paying up was the “right thing to do for the country.”
In related news this week, cyber insurance provider AXA also became the target of a ransomware group, known as Avaddon. Operations in Thailand, Malaysia, Hong Kong, and the Philippines were disrupted and the cybercriminals claim to have stolen 3TB in data including customer medical reports, claim records, bank account document scans, ID cards, and other datasets. The information has not been published at the time of writing.
The ransomware attack took place just days after AXA announced the discontinuation of support for ransomware extortion claims in France.