CNA paid $40 million cyber ransom – reports

CNA Financial paid $40 million to hackers to regain control of its computer systems after it suffered a ransomware attack in March, according to a report from Bloomberg.

According to Bloomberg, the insurer initially ignored the cyber criminals’ demand for a $60 million ransom but started negotiations within a week.

CNA declined to say whether it paid a ransom but noted that the group that carried out the attack was not on the US government’s list of sanctioned entities that it was prohibited from dealing with.

In a statement, the insurer said: “CNA is not commenting on the ransom, but the company did consult and share intelligence with the FBI and OFAC [Office of Foreign Assets Control] regarding the cyber incident and the threat actor’s identity.”

“CNA followed all laws, regulations and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter. Due diligence efforts concluded that the threat actor responsible for the attack is a group called Phoenix. Phoenix is not on any prohibited party list and is not a sanctioned entity.”

The report comes in the same week that Colonial Pipeline’s CEO acknowledged that his company paid a multi-million ransom to cyber-criminals.

Speaking to the Wall Street Journal, Joseph Blount justified the $4.4 million payment by saying that executives were unsure how badly its systems were breached or how long it would take to restore the pipeline.

The 5,500-mile Colonial Pipeline Co system was closed last week after one of the most disruptive cyberattacks on record, preventing millions of barrels of gasoline, diesel and jet fuel from flowing to the East Coast from the Gulf Coast.

Blount told the WSJ he paid the extortion money for the greater good:

“I know that’s a highly controversial decision,” Blount was quoted as saying. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this.”

Blount said the decision had been “the right thing to do for the country.”

CNA did not immediately respond to a request for comment from Emerging Risks.