Insurance Giant CNA Went Offline Following A Ransomware Attack

The latest victim of a ransomware attack is the American insurance giant CNA Financial. The firm fell prey to novel ransomware, which compelled them to go offline following the incident.

CNA Insurance Hit By Ransomware Attack

Reportedly, CNA Financials has recently suffered a devastating cyber attack. CNA is the seventh-largest commercial insurance firm in the US with a huge customer base.

The news surfaced online after the firm pulled its website offline while replacing the entire content with a single notice.

CNA website’s security notice (Image: LHN)

As the company revealed, CNA suffered a ‘sophisticated cyber attack’ on March 21, 2021. The incident not only disrupted the firm’s network but also affected the corporate email and other systems.

Following the incident, CNA took its systems offline, including the unaffected ones, out of caution. Whereas, they also involved cybersecurity experts and law enforcement to investigate the matter.

Although, CNA hasn’t specifically explained the kind of cyber attack it suffered. However, Bleeping Computer has confirmed that CNA suffered a ransomware attack.

Phoenix Cryptolocker Ransomware Suspected

According to Bleeping Computer, CNA has fallen prey to the Phoenix Cryptolocker ransomware. The threat actors succeeded in encrypting over 15,000 devices on the company’s network. The affected systems also included the ones belonging to remote working staff who were connected to the firm’s VPN.

As for the threat actors, the malware supposedly belongs to the Evil Corp gang who also operated the WastedLocker ransomware.

The same group also operates the Hades ransomware after facing sanctions by the US government, according to Crowdstrike analysis. Hades is also actively targeting different firms, including the Forward Air freight company.

Regarding the connection between Phoenix and Evil Corp, CNA provided the following statement to Bleeping Computer.

The threat actor group, Phoenix, responsible for this attack, is not a sanctioned entity and no U.S. government agency has confirmed a relationship between the group that attacked CNA and any sanctioned entity. We have notified the FBI of this incident and are actively cooperating with them as they conduct their investigation of the incident.

While CNA may consider restoring their data from the backups, no concrete information is yet available in this regard.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients