Cybersecurity: Insurance giant pays hackers $40m to unencrypt systems after ransomware attack

*CNA Financial says insurance policyholders’ data was not affected by the cyberattack on its systems

*The United States Treasury Department warns that individuals or companies facilitating payments to ransomware extortionists could be fined as much as $20 million

Gbenga Kayode | ConsumerConnect

Following a week of negotiation towards unencrypting its systems after a ransomware attack, CNA Financial reportedly paid hackers $40 million in order to regain control of its systems containing policyholders’ data.

The cybercriminals who carried out the attack on the Chicago-based insurance industry giant initially demanded $60 million, a Bloomberg report said.

However, after about a week of negotiations, the insurance firm ultimately paid the hackers $40 million in March 2021.

Although United States (US) law enforcement agencies do not recommend paying ransoms, because doing so could encourage hackers to ask for increasingly larger sums, a CNA spokesperson said the company followed the law during the process.

Spokeswoman Cara McCall said: “CNA is not commenting on the ransom.

“CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.”

Stressing that policyholders’ data was not affected in the ransomware attack on its systems, CNA said in a security update on May 12 that it had no reason to believe its policyholders’ data was affected by the attacker activity.

The company disclosed that immediately after detecting the ransomware, it disconnected its systems from its network to contain the threat and prevent additional systems from being affected.

The company stated: “As a result of our efforts, we are confident that the Threat Actor has not accessed the CNA environment since the ransomware event.

“We have no evidence to indicate that external customers were potentially at risk of infection due to the incident.”

The ransomware used against CNA was a derivative of another piece of malware called Hades, according to the report, which cited three people familiar with CNA’s negotiations.

The report further noted that “Hades was created by a Russian cybercrime syndicate known as Evil Corp., according to cybersecurity experts.

“Evil Corp. was sanctioned by the US in 2019. However, attributing attacks can be difficult because hacking groups can share code or sell malware to one another.”

The sum paid to the hackers reportedly ranks as one of the highest ransom payments to date.

ConsumerConnect reports that ransomware victims could be fined by the government for making payments to hackers.

Under the Treasury Department’s new guidelines, the practice could lead to multimillion-dollar penalties for those who pay off cybercriminals.

The Treasury Department, in an advisory published Thursday, May 20, warned that individuals or companies that facilitate payments to ransomware extortionists could be fined by the US Government.

Under its new guidelines, the Treasury Department said facilitating these payments could be in violation of anti-money laundering and sanctions regulations in cases where a group of hackers is either sanctioned by the US Treasury or has ties to a cybercrime group that is sanctioned.

Huge fines of up to $20 million could be incurred by firms or people that facilitate these payments.

“Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that US persons rely on to continue conducting business,” said the Treasury’s Office of Foreign Assets Control (OFAC).

OFAC stated: “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

The penalty could be handed down even if the company or individual was unaware that it was engaging or transacting with a sanctioned entity. Before deciding to make any sort of payment, ransomware victims are urged to contact OFAC.

The agency said: “OFAC encourages victims and those involved with addressing ransomware attacks to contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus.”
