CNA Financial Had Reportedly Agreed to Pay the $40 Million Ransom to Restore Access to Its Systems Following a Ransomware Attack.
CNA Financial is one of the largest insurance companies in the United States. The company had reportedly agreed to pay the $40 million ransom to restore access to its systems following a ransomware attack.
The hackers appear to have used Phoenix Locker, a variant of the ransomware dubbed ‘Hades’, which was created by the Russian cybercrime syndicate known as Evil Corp.
According to Bloomberg, the $40 million payment was made just two weeks after the ransomware attack crippled CNA Financial’s networks.
The company’s decision to pay is likely to be seen as a setback in the discussion of cybersecurity threats and the right way to handle them, as lawmakers and regulators are already unhappy that U.S. companies are making payouts to criminal hackers.
A CNA spokesperson said that the insurance firm will not be commenting on the ransom, as CNA “followed all laws, regulations, and published guidance” while handling the cyberattack and even consulted with the FBI and the Office of Foreign Assets Control.
In what is still regarded as the biggest ransomware attack to date, and a classic example of how cyber extortionists have changed tactics, the release of the WannaCry malware in 2017 caused worldwide chaos in one weekend by disabling systems used by more than 300,000 victims in 150 countries.
No attacks of that magnitude have since followed.
Ransomware Threats Continue to Increase
Ransomware demands have increased exponentially in the last six months, according to Melissa Hathaway, president of Hathaway Global Strategies and a former cybersecurity adviser to Presidents George W. Bush and Barack Obama.
The average ransom demand is now between $50 million and $70 million, Hathaway said. While those demands are often negotiated down, she said companies are frequently paying ransoms in the tens of millions of dollars, in part because cyber insurance policies cover some or all of the cost. She estimated that the average payment is between $10 million and $15 million.