Search This Blog

Showing posts with label CNA. Show all posts

After a Ransomware Attack, CNA Reports a Data Breach


Following a Phoenix CryptoLocker ransomware attack in March, CNA Financial Corporation, a leading US-based insurance firm, is notifying clients of a data breach. According to the Insurance Information Institute, CNA is the seventh-largest commercial insurance company in the United States. Individuals and corporations in the United States, Canada, Europe, and Asia can purchase a wide range of insurance products from the company, including cyber insurance coverage. 

"The investigation revealed that the threat actor accessed certain CNA systems at various times from March 5, 2021 to March 21, 2021," CNA said in breach notification letters mailed to affected customers on 9th July. "During this time period, the threat actor copied a limited amount information before deploying the ransomware." According to breach information filed with Maine's Attorney General's office, the data breach reported by CNA affected 75,349 people. 

CNA realized that the data stolen during the assault contained personal information such as names and Social Security numbers after evaluating them. "Having recovered the information, we have now completed our review of that information and have determined it contained some personal information including name, Social Security number and in some instances, information related to health benefits for certain individuals," CNA explained in a separate incident update.

"The majority of individuals being notified are current and former employees, contract workers, and their dependents." The corporation went on to say that there was no evidence that the stolen data was "viewed, retained, or shared." Furthermore, CNA states that there is no reason to believe that the stolen data has been or will be exploited in any way. CNA also said, "CNA will be offering 24 months of complimentary credit monitoring and fraud protection services through Experian. CNA is also providing a toll-free hotline for the individuals to call with any questions regarding the incident." 

According to sources acquainted with the incident, the Phoenix CryptoLocker operators encrypted approximately 15,000 devices on CNA's network after spreading ransomware payloads on March 21. The attackers encrypted the machines of remote workers who were logged into the company's VPN during the incident, according to BleepingComputer. 

Phoenix Locker is thought to be a new ransomware family designed by the Evil Corp hacking gang to dodge sanctions after victims of the WastedLocker ransomware refused to pay ransoms to avoid legal action or fines. "The threat actor group, Phoenix, responsible for this attack, is not a sanctioned entity and no U.S. government agency has confirmed a relationship between the group that attacked CNA and any sanctioned entity," the company said.

CNA Hit by a Phoenix CryptoLocker Ransomware Attack


Insurance giant, CNA had to shut down its systems and temporarily close its website due to a novel ransomware attack. A new version of the Phoenix CryptoLocker malware was used in the attack, which happened earlier this week. The attack is believed to be linked to the Evil Corp hacking group. 

CNA, a Chicago-based company is the seventh-largest commercial insurance provider in the world. According to a statement published on the home page of the website on Sunday, March 21, the company affirmed that they have “sustained a sophisticated cybersecurity attack”. “The attack caused a network disruption and impacted certain CNA systems, including corporate email,” they added. 

Though CNA was the target of recent ransomware named Phoenix CryptoLocker, according to a report, the organization did not comment on the nature of the incident. CryptoLockers are a common form of ransomware that encrypts files on the computers it infects and demands a ransom from the victims in return for the key to decrypt them. 

As per the report, the cybercriminals behind Phoenix CryptoLocker are probably well-known groups, such as the cybercrime group Evil Corp, which lately reappeared after a short break from cybercrime. The effect of the group's most recent attack was so extreme that CNA detached its systems from its network "out of an abundance of caution" and is now offering workarounds for employees wherever possible so that the company can continue to service its customers, according to the company. The ransomware apparently encrypted data on over 15,000 machines on CNA's company network, as well as remote-working employees' computers who were connected to the company's VPN at the time of the attack. 

The ransomware appended ‘the.phoenix’ extension to encrypted files and generated a ransom note called ‘PHOENIX-HELP.txt’ while encrypting computers. Even though sources said CNA will restore from backups, the company has not verified anything. 

According to the report, based on similarities in the code from former ransomware used by Evil Corp, sources assume Phoenix CryptoLocker is a result of the same community. Evil Corp utilized WastedLocker ransomware to encrypt victims' files in past ransomware threats, such as the one against GPS technology provider Garmin last year. Indeed, the cybercriminal organization has made millions of dollars through several nefarious operations, including stealing banking credentials with the Dridex banking trojan and then making illicit money transfers from unsuspecting victims' bank accounts. 

The attack on CNA could also have a huge impact on certain businesses, particularly those who have cyber insurance policies with the organization. Hacking the insurer's network and stealing insurance details about their customers couldn't have been a better way to generate a list of insured companies to strike. It's uncertain if the cybercriminals stole unsecured files before encrypting CNA's devices at this point. However, since ransomware operations have made stealing unencrypted data a standard technique, it's possible that some data was stolen during the attack.