Insurance Firm CNA Financial Reportedly Paid Hackers $40 Million in Ransom
U.S. insurance giant CNA Financial reportedly paid $40 million to a ransomware gang to recover access to its systems following an attack in March, making it one of the most expensive ransoms paid to date.
The development was first reported by Bloomberg, citing "people with knowledge of the attack." The adversary that staged the intrusion is said to have demanded $60 million a week after the Chicago-based company began negotiations with the hackers, culminating in the payment two weeks following the theft of company data.
In a statement shared on May 12, CNA Financial said it had
"no evidence to indicate that external customers were potentially at risk
of infection due to the incident."
The attack has been attributed to new ransomware known as
'Phoenix CryptoLocker,' according to a March report from Bleeping Computer,
with the strain believed to be an offshoot of WastedLocker and Hades, both of
which have been utilized by Evil Corp, a Russian cybercrime network notorious
for launching ransomware attacks against several U.S. entities, including
Garmin, and deploying JabberZeus, Bugat and Dridex to siphon banking
credentials.
In December 2019, U.S. authorities sanctioned the hacking group and filed charges against Evil Corp's alleged leaders Maksim Yakubets and Igor Turashev for developing and distributing the Dridex banking Trojan to plunder more than $100 million over a period of 10 years. Law enforcement agencies also announced a reward of up to $5 million for information that could lead to their arrest. Both individuals remain at large.
The development comes amid a sharp uptick in ransomware
incidents, in part fueled by the pandemic, with the average ransom payment
witnessing a massive 171% increase year-over-year from $115,123 in 2019 to
$312,493 in 2020. Last year also saw the highest ransomware demand growing to
$30 million, not to mention the total amount paid by victims skyrocketing to
$406 million, based on conservative estimates.
CNA Financial's $40 million ransom only shows that 2021
continues to be a great year for ransomware, potentially emboldening
cybercriminal gangs to seek bigger payouts and advance their illicit aims.
According to an analysis by ransomware recovery firm Coveware, the average demand for a digital extortion payment shot up in the first quarter of 2021 to $220,298, up 43% from Q4 2020, with 77% of the attacks involving the threat to leak exfiltrated data, an increasingly prevalent tactic known as double extortion.
While the U.S. government has routinely advised against paying ransoms, the high stakes associated with data exposure have left victims with little choice but to settle with their attackers. In October 2020, the Treasury Department issued guidance warning of penalties against companies making ransom payments to a sanctioned person or group, prompting ransomware negotiation firms to avoid cutting deals with blocked groups such as Evil Corp so as not to expose themselves to legal action.
"Companies that facilitate ransomware payments to cyber
actors on behalf of victims, including financial institutions, cyber insurance
firms, and companies involved in digital forensics and incident response, not
only encourage future ransomware payment demands but also may risk violating
[Office of Foreign Assets Control] regulations," the department said.
The surge in ransomware attacks has also had an impact on
the cyber insurance industry, what with AXA announcing earlier this month that
it will stop reimbursing clients in France should they opt to make any
extortion payments to ransomware cartels, underscoring the dilemma that
"insurance firms grapple with successfully underwriting ransomware
policies while confronted with rising payout costs that threaten
profitability."
To defend against ransomware attacks, it's recommended to
secure all modes of initial access exploited by threat actors to infiltrate
networks, maintain periodic data backups, and keep an appropriate recovery
process in place.
"Organizations should maintain user awareness and
training for email security as well as consider ways to identify and remediate
malicious email as soon as it enters an employee's mailbox," Palo Alto
Networks' Unit 42 researchers said.
"Organizations should also ensure they conduct proper
patch management and review which services may be exposed to the internet.
Remote desktop services should be correctly configured and secured, using the
principle of least privilege wherever possible, with a policy in place to detect
patterns associated with brute-force attacks."
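The brute-force detection policy that the quote recommends for remote desktop services, as an added example that is not part of the article or of Unit 42's guidance: it counts failed RDP logons per source address inside a sliding time window over constructed Windows Security-style log lines (event 4625 is a failed logon, logon type 10 is RemoteInteractive). The line format, the five-failures-in-five-minutes threshold and the addresses are assumptions.

```python
# Added example (not from the article or from Unit 42): a minimal detector for
# the brute-force pattern the quote refers to, run over constructed Windows
# Security-style log lines. Event 4625 = failed logon; logon type 10 =
# RemoteInteractive (RDP). Line format and thresholds are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <event_id> <logon_type> <user> <source_ip>"
SAMPLE_LOG = """\
2021-05-20T02:00:01 4625 10 administrator 203.0.113.7
2021-05-20T02:00:03 4625 10 administrator 203.0.113.7
2021-05-20T02:00:05 4625 10 admin 203.0.113.7
2021-05-20T02:00:06 4625 10 backup 203.0.113.7
2021-05-20T02:00:09 4625 10 svc_sql 203.0.113.7
2021-05-20T02:00:11 4625 10 administrator 203.0.113.7
2021-05-20T02:10:00 4625 10 jsmith 198.51.100.4
2021-05-20T02:30:00 4625 10 jsmith 198.51.100.4
2021-05-20T02:31:00 4624 10 jsmith 198.51.100.4
"""

def parse(line):
    ts, event_id, logon_type, user, ip = line.split()
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), user, ip

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (failures_in_window, distinct_users)} for every
    source address that produced >= threshold failed RDP logons (4625,
    type 10) inside a sliding window. The distinct-user count separates a
    password spray (many accounts) from a single-account attack."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    users = defaultdict(set)      # ip -> account names tried
    alerts = {}
    for line in log_text.splitlines():
        ts, event_id, logon_type, user, ip = parse(line)
        if event_id != 4625 or logon_type != 10:
            continue                      # only failed RDP logons count
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while q and ts - q[0] > window:   # expire failures outside the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (len(q), len(users[ip]))   # alert once per source
    return alerts

if __name__ == "__main__":
    for ip, (count, n_users) in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} failed RDP logons across {n_users} accounts")
```

On the sample, 203.0.113.7 trips the threshold on its fifth failure while 198.51.100.4 (two failures twenty minutes apart) does not.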