Insurance giant, CNA had to shut down its systems and temporarily close its website due to a novel ransomware attack. A new version of the Phoenix CryptoLocker malware was used in the attack, which happened earlier this week. The attack is believed to be linked to the Evil Corp hacking group.
CNA, a Chicago-based company is the seventh-largest commercial insurance provider in the world. According to a statement published on the home page of the website on Sunday, March 21, the company affirmed that they have “sustained a sophisticated cybersecurity attack”. “The attack caused a network disruption and impacted certain CNA systems, including corporate email,” they added.
Though CNA was the target of recent ransomware named Phoenix CryptoLocker, according to a report, the organization did not comment on the nature of the incident. CryptoLockers are a common form of ransomware that encrypts files on the computers it infects and demands a ransom from the victims in return for the key to decrypt them.
As per the report, the cybercriminals behind Phoenix CryptoLocker are probably well-known groups, such as the cybercrime group Evil Corp, which lately reappeared after a short break from cybercrime. The effect of the group's most recent attack was so extreme that CNA detached its systems from its network "out of an abundance of caution" and is now offering workarounds for employees wherever possible so that the company can continue to service its customers, according to the company. The ransomware apparently encrypted data on over 15,000 machines on CNA's company network, as well as remote-working employees' computers who were connected to the company's VPN at the time of the attack.
The ransomware appended ‘the.phoenix’ extension to encrypted files and generated a ransom note called ‘PHOENIX-HELP.txt’ while encrypting computers. Even though sources said CNA will restore from backups, the company has not verified anything.
According to the report, based on similarities in the code from former ransomware used by Evil Corp, sources assume Phoenix CryptoLocker is a result of the same community. Evil Corp utilized WastedLocker ransomware to encrypt victims' files in past ransomware threats, such as the one against GPS technology provider Garmin last year. Indeed, the cybercriminal organization has made millions of dollars through several nefarious operations, including stealing banking credentials with the Dridex banking trojan and then making illicit money transfers from unsuspecting victims' bank accounts.
The attack on CNA could also have a huge impact on certain businesses, particularly those who have cyber insurance policies with the organization. Hacking the insurer's network and stealing insurance details about their customers couldn't have been a better way to generate a list of insured companies to strike. It's uncertain if the cybercriminals stole unsecured files before encrypting CNA's devices at this point. However, since ransomware operations have made stealing unencrypted data a standard technique, it's possible that some data was stolen during the attack.
