www.bloomberg.com
151.101.65.73  Public Scan

URL: https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack
Submission: On May 14 via api from US — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content



CNA FINANCIAL PAID $40 MILLION IN RANSOM AFTER MARCH CYBERATTACK

 * Payment bigger than previously disclosed ransoms, experts say
 * Malware tied to Russian cybergang sanctioned by U.S. in 2019


The CNA headquarters in Chicago.

Photographer: AYNSLEY FLOYD/Bloomberg

By Kartikay Mehrotra and William Turton
May 20, 2021, 7:57 PM GMT




CNA Financial Corp., among the largest insurance companies in the U.S., paid $40
million in late March to regain control of its network after a ransomware
attack, according to people with knowledge of the attack.

The Chicago-based company paid the hackers about two weeks after a trove of
company data was stolen, and CNA officials were locked out of their network,
according to two people familiar with the attack who asked not to be named
because they weren’t authorized to discuss the matter publicly.

In a statement, a CNA spokesperson said the company followed the law. She said
the company consulted and shared intelligence about the attack and the hacker’s
identity with the FBI and the Treasury Department’s Office of Foreign Assets
Control, which said last year that facilitating ransom payments to hackers could
pose sanctions risks.

“CNA is not commenting on the ransom,” spokeswoman Cara McCall said. “CNA
followed all laws, regulations, and published guidance, including OFAC’s 2020
ransomware guidance, in its handling of this matter.”



In a security incident update published on May 12, CNA said it did “not believe
that the systems of record, claims systems, or underwriting systems, where the
majority of policyholder data – including policy terms and coverage limits – is
stored, were impacted.”




Ransomware attacks -- and particularly payments -- are rarely disclosed so it’s
difficult to know what the biggest ransoms have been. The average payment in
2020 was $312,493, according to Palo Alto Networks, a 171% increase over the
previous year. The $40 million payment is bigger than any previously disclosed
payments to hackers, according to three people familiar with ransomware
negotiations.

The CNA hackers used malware called Phoenix Locker, a variant of ransomware
dubbed ‘Hades.’ Hades was created by a Russian cybercrime syndicate known as
Evil Corp., according to cybersecurity experts. Evil Corp. was sanctioned by the
U.S. in 2019. However, attributing attacks can be difficult because hacking
groups can share code or sell malware to one another.

CNA, which offers cyber insurance, said its investigation concluded that the
hackers were a group called Phoenix that isn’t subject to U.S. sanctions.



Disclosure of the payment is likely to draw the ire of lawmakers and regulators
already unhappy that U.S. companies are making large payouts to criminal hackers
who over the last year have targeted hospitals, drug makers, police forces and
other entities critical to public safety. The FBI discourages organizations from
paying ransom because it encourages additional attacks and doesn’t guarantee
data will be returned.



Ransomware is a type of malware that encrypts a victim’s data. Cybercriminals
using ransomware often steal the data too. The hackers then ask for a payment to
unlock the files and promise not to leak stolen data. In recent years, hackers
have been targeting victims with cyber insurance policies and huge volumes of
sensitive consumer data that make them more likely to pay a ransom, according to
cybersecurity experts.

Last year was a banner year for ransomware groups, according to a task force of
security experts and law enforcement agencies which estimated that victims paid
about $350 million in ransom last year, a 311% increase over 2019. The task
force recommended 48 actions that the Biden administration and private sector
could take to mitigate such attacks, including better regulation of the digital
currency market used to make ransom payments.

The report, prepared by the Institute for Security and Technology, was delivered
to the White House days before Colonial Pipeline Co. was compromised in a
ransomware attack that led to fuel shortages and long lines at gas stations
along the East Coast of the U.S. Bloomberg reported that Colonial paid the
hackers nearly $5 million shortly after the attack; Colonial Chief Executive
Officer Joseph Blount, in an interview with the Wall Street Journal published on
Wednesday, confirmed that the company paid the hackers -- $4.4 million in
ransom.






According to the two people familiar with the CNA attack, the company initially
ignored the hackers’ demands while pursuing options to recover their files
without engaging with the criminals. But within a week, the company decided to
start negotiations with the hackers, who were demanding $60 million. Payment was
made a week later, according to the people.



Phoenix Locker appears to be a variant of Hades based on overlap of the code
used in each, according to Barry Hensley, chief threat intelligence officer of
cybersecurity firm Secureworks Corp. “We have a high degree of confidence this
is a Hades variant,” Hensley said. He said they haven’t made a determination
which hackers used the Hades variant to attack CNA.

Hades was created by Evil Corp. in order to bypass U.S. sanctions placed on the
hacking group, according to research published in March by the cybersecurity
firm CrowdStrike Holdings Inc.

In December 2019, the Treasury Department announced sanctions on 17 individuals
and six entities linked to Evil Corp. At the time, the Treasury Department said
Evil Corp used malware “to infect computers and harvest login credentials from
hundreds of banks and financial institutions in over 40 countries, causing more
than $100 million in theft.” The designation by the Treasury Department made it
illegal for a U.S. company to knowingly pay a ransom to Evil Corp.



Ransomware demands have increased exponentially in the last six months,
according to Melissa Hathaway, president of Hathaway Global Strategies and a
former cybersecurity adviser to Presidents George W. Bush and Barack Obama.

The average ransom demand is now between $50 million and $70 million, Hathaway
said. While those demands are often negotiated down, she said companies are
frequently paying ransoms in the tens of millions of dollars, in part because
cyber insurance policies cover some or all of the cost. She estimated that the
average payment is between $10 million and $15 million.




