Record Setting $40M Ransom Paid to Attackers

CNA, one of the largest U.S. commercial and casualty insurance companies, reportedly met a $40 million ransom demand after suffering a ransomware infection earlier in the year. As of this writing, that’s the largest ransom demand ever reported to have been paid by a company following a ransomware attack.

According to Bloomberg, CNA paid the ransom demand two weeks after attackers stole its data and encrypted its network. A spokeswoman for the company said that CNA had consulted the FBI and the Treasury Department’s Office of Foreign Assets Control (OFAC) about the attack, but they didn’t provide any additional details about the ransom payment.

“CNA is not commenting on the ransom,” a company spokesperson told Bloomberg. “CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.”

In October 2020, OFAC announced that it could impose civil penalties on U.S. persons in the event they made payment to prohibited entities based on sanction laws and other regulations, including groups who’ve authored and distributed ransomware.

OFAC went on to clarify that those penalties operate under strict liability. This means that it can hold U.S. persons liable even if they don’t know that the recipient of their payment is a sanctioned individual or entity.

The insurance company launched an investigation into the attack and learned that a threat group called Phoenix had used Phoenix Cryptolocker ransomware to disrupt its network. This group was not subject to U.S. sanctions at the time that CNA submitted payment, per Bloomberg’s reporting.

Bloomberg’s sources explained that CNA initially ignored the attackers’ demands but decided to start negotiations a week after the initial infection. At that time, the threat group was demanding a $60 million ransom payment. 

A Look at the Ransomware Attack

The insurance company first disclosed that it had suffered a cybersecurity incident in late-March 2021. It stated that it had notified law enforcement, disconnected its systems from its network and hired a third-party forensics company to investigate the attack. 

A week passed before CNA published an update on its website in which it noted that it had suffered a ransomware attack. It went on to explain that it had contained the attack and had restored email functionality as part of an effort to resume normal business operations.

It was two weeks later when CNA revealed that it had deployed endpoint detection and monitoring tools throughout its environment as part of its ongoing restoration process. A month after that, the company shared that it had determined the scope of the data affected by the attack and that it was evaluating its legal obligations regarding that information.

What This Attack Means for Organizations

I sat down with Sam Curry, CSO at Cybereason, to help put the news of CNA’s payment into context. Our conversation is replicated below:

Colonial, Apple, CNA and others have all been hit with ransomware in the past few months. Do you feel defenders are losing ground to adversaries?

Bluntly, yes. The data is irrefutable. We can reverse the asymmetry in cyber conflict, but it isn’t going to be done with more certifications or another audit. Prepare now, hold a tabletop exercise, practice your recovery, upgrade prevention controls and have a detection strategy leveraging Endpoint Detection and Response (EDR) or Managed Detection and Response (MDR).

Speaking of EDR, Gartner reported recently that only 40% percent of companies use EDR on their endpoints. It also said that EDR can help to stop ransomware. Are you surprised the percentage is low? Why are 60% of companies not using EDR?

No, this isn’t a surprise. It’s reflected in market sizes: EDR is newer to market than its parent, Endpoint Protection (EPP). There have been significant advances in EPP to better prevent ransomware at the point of detonation, but quality EDR is the ransomware killer that can counter its proliferation and foil attackers.

What about when companies feel the pressure to pay a ransom? Do you feel broader action should be taken? For instance, how do you feel about Congress passing legislation that would make it illegal for companies to meet ransomware actors’ demands?

This is a dangerous thing to enforce across the board. If legislation passes here, there must be ethical guidelines on when it isn’t illegal—for instance, the control systems for a nuclear power plant or a large hospital system with patients in surgery. This shouldn’t be rushed if we are to avoid bayoneting the wounded, increasing suffering and simply making it worse for victims. 

Cutting off the bad guys’ revenues is great - ransomware is a business model, after all. But that should only come after ensuring that pain for the general public and the private sector is minimized or optimally reduced. It wouldn’t hurt to have a little carrot and stick, as well, to encourage the right behaviors in peacetime rather than just forbidding payment when under duress.

Okay. So, where does that leave organizations?

The teaching moment here is that it’s time to prepare: build resilience, ensure recovery, get the contingencies right. Lastly, beef up anti-ransomware controls—in particular, multi-layer anti-ransomware prevention and a strong detection strategy to catch ransomware prior to detonation - this is where Cybereason excels, as evidenced in the recent MITRE ATT&CK evaluations where we achieved a 100% protection score.

David Bisson
About the Author

David Bisson

David Bisson is an information security writer and security junkie. He's a contributing editor to IBM's Security Intelligence and Tripwire's The State of Security Blog, and he's a contributing writer for Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.

All Posts by David Bisson