CNA Financial Corp. Paid $40 Million after the Phoenix CryptoLocker Attack

Alexander Adamov
Spin.AI Ransomware Protection
May 25, 2021

CNA, one of the largest commercial insurers in the U.S., paid $40 million to regain control of its systems after the Phoenix CryptoLocker ransomware attack. It is reported to be the largest ransomware payment disclosed to date. CNA Financial Corp. is based in Chicago and provides products and services in the United States, Canada, Europe, and Asia.

The attack was carried out in March. CNA disconnected its IT systems from the network to contain the threat and prevent the infection from spreading to additional systems. According to Bloomberg, the Phoenix CryptoLocker group is behind the attack. The goal of these cybercriminals is to encrypt as much of the victim's data as possible, as fast as possible, and then demand a ransom for the decryption key.

Initially, CNA sought to restore its systems from backups rather than pay the ransom. A week later, however, the company opened negotiations with the attackers, who demanded $60 million. CNA reportedly agreed on a smaller amount and paid it the following week. Company representatives declined to comment on the event beyond stating that "CNA followed all laws, regulations and published instructions in resolving this problem."

According to the Chainalysis report, ransomware payments in 2020 totaled about $350 million, a 311% increase over 2019. In the recent attack on Colonial Pipeline, for example, the company paid $4.4 million. In the attacks on Acer and Apple, the ransom demands were $50 million each, but the actual payments, if any, are not known. The FBI advises victims against paying such ransoms: payment does not guarantee that the data will be returned, and it only motivates attackers to demand ever larger sums.

Let us take a look at the traces Phoenix CryptoLocker leaves behind and how SpinOne detects the attack.

The files encrypted by the Phoenix CryptoLocker:

After encryption, it leaves a ransom note in the folder with encrypted files:

SpinOne Ransomware Protection successfully detects and stops the attack. Then, SpinOne recovers the encrypted files in the cloud.

The files on Google Drive have been successfully recovered by SpinOne:
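The two traces shown above, a folder full of freshly written high-entropy files carrying a new extension and a ransom note dropped next to them, are what any ransomware detector has to key on. The Python script below is an added example, not SpinOne's code and not from the original post, that walks a directory tree and flags folders showing that combination. The `.locked` extension and the `README-RESTORE.txt` note name are placeholders (the post shows the real Phoenix CryptoLocker artefacts only as screenshots), the entropy threshold and file-count threshold are assumed tuning values, and the sample tree it scans is constructed inline so it runs offline.

```python
"""Heuristic ransomware-activity scanner (added example, not SpinOne's code).

Per folder it counts (a) files whose contents look encrypted (Shannon entropy
near 8 bits/byte) and are not a known compressed/media format, and (b) files
named like a ransom note. A folder is flagged when a note sits next to at least
one suspect file, or when suspect files pile up even without a note.
"""
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# Placeholder note name: an assumption, not the real Phoenix CryptoLocker artefact.
RANSOM_NOTE_NAMES = {"readme-restore.txt"}
# Formats that are legitimately high-entropy and must not count as "encrypted".
KNOWN_PACKED_EXTENSIONS = {".zip", ".gz", ".7z", ".rar", ".png", ".jpg", ".jpeg", ".pdf", ".mp4"}
ENTROPY_THRESHOLD = 7.2   # bits/byte; cipher output sits near 8.0, English text near 4.5 (assumed tuning)
MIN_SUSPECTS = 3          # suspect files needed to flag a folder with no note present (assumed tuning)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, sample_bytes: int = 4096) -> str:
    """Return 'note', 'suspect' or 'benign' for one file, reading only its head."""
    if path.name.lower() in RANSOM_NOTE_NAMES:
        return "note"
    if path.suffix.lower() in KNOWN_PACKED_EXTENSIONS:
        return "benign"          # archives/images are high-entropy by design
    with path.open("rb") as fh:
        head = fh.read(sample_bytes)
    return "suspect" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "benign"


def scan_tree(root: Path) -> dict:
    """Map each folder (relative to root) to its suspect/note counts and verdict."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        folder_path = Path(folder)
        counts = Counter(classify_file(folder_path / name) for name in files)
        suspects, notes = counts["suspect"], counts["note"]
        flagged = (notes > 0 and suspects > 0) or suspects >= MIN_SUSPECTS
        rel = str(folder_path.relative_to(root))
        report[rel] = {"suspects": suspects, "notes": notes, "flagged": flagged}
    return report


def _pseudo_random_bytes(rng: random.Random, n: int) -> bytes:
    """Deterministic stand-in for ciphertext: uniform bytes from a seeded PRNG."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: one untouched folder and one 'encrypted' folder."""
    rng = random.Random(2021)
    clean, hit = root / "clean", root / "finance"
    clean.mkdir()
    hit.mkdir()
    text = b"Quarterly policy renewals and claims summary for the region.\n" * 100
    for i in range(3):
        (clean / f"memo{i}.txt").write_bytes(text)
    # Legitimate high-entropy file; whitelisted by extension, so not a suspect.
    (clean / "archive.zip").write_bytes(_pseudo_random_bytes(rng, 4096))
    for i in range(4):
        # Stand-in for an encrypted spreadsheet: random bytes plus an appended extension.
        (hit / f"ledger{i}.xlsx.locked").write_bytes(_pseudo_random_bytes(rng, 4096))
    (hit / "README-RESTORE.txt").write_text("Your files are encrypted. Contact us for the key.\n")


def run_demo() -> dict:
    """Build the constructed tree in a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for folder, verdict in run_demo().items():
        print(f"{folder:10} suspects={verdict['suspects']} notes={verdict['notes']} "
              f"{'FLAGGED' if verdict['flagged'] else 'ok'}")
```

Entropy alone is not enough, which is why the whitelist and the note check are both there: a folder of ZIP archives or JPEGs looks just as random as ciphertext, while a ransom note next to even one unexplained high-entropy file is a strong signal. In a production detector the same two counters would be fed from real-time file-change events rather than a walk, so the alert fires during the encryption burst and not after it.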


Dr. Alexander Adamov has 15 years' experience in the analysis of cyberattacks. He also teaches cybersecurity at the university and explores AI/ML capabilities.