CNA Inland and Ocean Marine Insurance hit by a ransomware attack in Chicago, IL, USA

Year

2021

Month

March

Reference number

20210302

Impact area

Shore

Incident location

Chicago IL

Incident country

USA

Victim country

USA

Victim identity

CNA Inland and Ocean Marine Insurance

Victim Type

Maritime Insurance Company

Method

Ransomware

Attacker country

Russia

Summary

In the March 2021 ransomware attack on CNA Inland and Ocean Marine Insurance, the cybercrime group used a ransomware strain named "Phoenix CryptoLocker", a spin-off of another malware family, "Hades", created by the Russian hacking organization Evil Corp (Malwarebytes Labs, 2021). The ransomware appended the .phoenix extension to the files it encrypted, making them inaccessible. One of CNA's employees downloaded and executed a fake browser update after visiting a legitimate website. The attackers then used "additional malicious activity" to obtain the credentials they needed to move further into the network. The threat actors "copied, compressed and staged unstructured data obtained from file shares found on three CNA virtual servers; and used MEGAsync, a legitimate tool, to copy some of the unstructured data ("Exported Data") from the CNA environment directly into the threat actor's cloud-based account (the "Mega Account") hosted by Mega NZ Limited ("Mega")". The ransomware caused network disruption and affected certain CNA systems, including corporate email. The threat actors also stole important and sensitive information affecting 75,349 individuals. For most of them, the exposed data consisted of the names of current and former employees and their dependents together with their Social Security Numbers (SSNs); a small number also had their birth dates, benefit enrolment and medical information exposed. Because of the exposure of these valuable assets, the company paid a ransom of $40 million. The group targeted CNA because it is a large insurance firm with a huge annual revenue, which means it must have more than enough money to pay a large ransom. This group also constantly rebrands its ransomware to evade US sanctions that would otherwise prevent victims from paying the ransom.

Reference URL

https://insurancemarinenews.com/insurance-marine-news/cyber-attack-hits-insurer-cna/
https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack
https://blog.malwarebytes.com/ransomware/2021/07/cna-legal-filings-lift-the-curtain-on-a-phoenix-cryptolocker-ransomware-attack/
https://www.businessinsider.com/cna-financial-hackers-40-million-ransom-cyberattack-2021-5?international=true&r=US&IR=T
https://www.chicagotribune.com/business/ct-biz-cna-cyberattack-exposed-personal-information-20211102-2jle5opb65hczlpz6tifik6n2a-story.html
https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/cna-payment-40-million-dollars/