CNA Financial, one of the largest insurance companies in the US, reportedly paid a $40 ransom to restore access to its files following a ransomware attack that took place in March.
According to Bloomberg, CNA Financial opted to pay the ransom two weeks after the security breach because it was not able to restore its operations. Bloomberg was informed about the payment by two people familiar with the attack.
The systems at the company were infected with the Phoenix Locker, a variant of ransomware tracked as Hades that was part of the arsenal of the cybercrime group known as Evil Corp.
“According to the two people familiar with the CNA attack, the company initially ignored the hackers’ demands while pursuing options to recover their files without engaging with the criminals. But within a week, the company decided to start negotiations with the hackers, who were demanding $60 million. Payment was made a week later, according to the people.” reported Bloomberg.
CNA Financial immediately launched an investigation into the incident and reported it to the FBI and the Treasury Department’s Office of Foreign Assets Control.
On May 12, CNA announced that it did not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data – including policy terms and coverage limits – is stored, were impacted.
The insurance company will not comment on the ransom.
“CNA is not commenting on the ransom,” spokeswoman Cara McCall said. “CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.”
Recently another insurance firm, AXA, was the victim of a ransomware attack. The Avaddon group announced to have hacked the Asian branch of Axa and stole three terabytes of data
It is curious that recently Axa announced that in France it will no longer reimburse ransomware payments for its customers. The decision is the result of the increased number of ransomware attacks and the large ransom demanded by cybercriminals.
Follow me on Twitter: @securityaffairs and Facebook
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, ransomware)