Chicago-based CNA Financial is the sixth-largest insurance firm in the US. On March 21, the firm revealed it had sustained a sophisticated cyber security attack using a new ransomware variant called Phoenix CryptoLocker, which is possibly linked to the Evil Corp hacking group.
“The attack caused a network disruption and impacted certain CNA systems, including corporate email,” the company statement read.
“Upon learning of the incident, we immediately engaged a team of third-party forensic experts to investigate and determine the full scope of this incident, which is ongoing. We have alerted law enforcement and will be cooperating with them as they conduct their own investigation.”
It added that it disconnected systems from its network, “out of an abundance of caution,” notified employees, and provided workarounds where possible to ensure they can continue operating.
“The security of our data and that of our insureds’ and other stakeholders is of the utmost importance to us. Should we determine that this incident impacted our insureds’ or policyholders’ data, we’ll notify those parties directly,” said the company.
When encrypting devices, the ransomware appended the .phoenix extension to encrypted files and created a ransom note named PHOENIX-HELP.txt in the affected directories. Both are simple on-disk indicators that responders can sweep for to scope which hosts and shares were touched.
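As an added example (this is not code from the original article, from CNA, or from the investigators), the script below sweeps a directory tree for the two indicators just described: filenames ending in .phoenix and ransom notes named PHOENIX-HELP.txt. It reports how many files were renamed, which directories were hit, and recovers the pre-encryption filenames by stripping the appended extension. The sample tree it scans is constructed inline so the script runs offline; the directory names and file contents are placeholders, not anything from the CNA incident.

```python
"""Filesystem triage for Phoenix CryptoLocker indicators (added example).

Indicators used (from the article): encrypted files carry a trailing
".phoenix" extension and a ransom note named "PHOENIX-HELP.txt" is dropped.
The script only reads file names; it never opens or modifies the files.
"""
import os
import tempfile
from collections import defaultdict
from pathlib import Path

ENCRYPTED_EXT = ".phoenix"        # appended to encrypted files
RANSOM_NOTE = "PHOENIX-HELP.txt"  # ransom note filename


def scan_tree(root):
    """Walk root and collect encrypted files, ransom notes and per-directory hit counts."""
    root = Path(root)
    encrypted = []
    notes = []
    per_dir = defaultdict(int)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                notes.append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                per_dir[Path(dirpath)] += 1
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "per_dir": dict(per_dir)}


def original_name(path):
    """Strip the appended extension to recover the filename as it was before encryption."""
    p = Path(path)
    if p.name.lower().endswith(ENCRYPTED_EXT):
        return p.with_name(p.name[: -len(ENCRYPTED_EXT)])
    return p


def summarize(root):
    """Compact, assertable summary of a scan: counts, hit directories, recovered names."""
    root = Path(root)
    result = scan_tree(root)
    return {
        "encrypted_count": len(result["encrypted"]),
        "note_count": len(result["notes"]),
        "hit_dirs": sorted(d.relative_to(root).as_posix() for d in result["per_dir"]),
        "originals": sorted(original_name(p).name for p in result["encrypted"]),
    }


def build_sample_tree():
    """Constructed sample data: one share that was hit, one that was not. Returns the root."""
    root = Path(tempfile.mkdtemp(prefix="phoenix_triage_"))
    hit = root / "finance" / "claims"
    clean = root / "hr"
    hit.mkdir(parents=True)
    clean.mkdir(parents=True)
    (hit / "policy_2021.xlsx.phoenix").write_bytes(b"\x00" * 16)   # placeholder ciphertext
    (hit / "renewals.docx.phoenix").write_bytes(b"\x00" * 16)      # placeholder ciphertext
    (hit / RANSOM_NOTE).write_text("constructed placeholder for the ransom note\n")
    (clean / "handbook.pdf").write_bytes(b"%PDF-1.4\n")             # untouched file
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print(summarize(sample_root))
```

Run it against a mounted evidence copy or a share root instead of the constructed tree to get a first cut of scope; the ransom-note locations mark directories the malware reached even where few files were renamed, and the recovered original names feed directly into a restore-from-backup list.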
Attacks on companies with cyber insurance policies are often lucrative for ransomware gangs, as insured victims may be more likely to pay the ransom.
There could be no better way to create a list of insured companies to target than to hack an insurer’s network and steal policy information about their customers.
It is still not known whether the threat actors stole unencrypted files before encrypting CNA’s devices.