Insurance Giant CNA Hit with Novel Ransomware Attack
Reading Time: 1 Minute
A novel ransomware attack forced insurance giant CNA to take systems offline and temporarily shutter its website. The attack leveraged a new variant of the Phoenix CryptoLocker malware.
The Chicago-based company—the seventh largest commercial insurance provider in the world—said it “sustained a sophisticated cybersecurity attack” on Sunday, March 21, according to a statement on the home page of its website. The statement is the only functionality the company’s site currently maintains.
“The attack caused a network disruption and impacted certain CNA systems, including corporate email,” according to the statement.
Though the company did not elaborate on the nature of the attack, a report in BleepingComputer said CNA was the victim of a new ransomware called Phoenix CryptoLocker. Cryptolockers are an oft-used type of ransomware that immediately encrypt files on the machines they attack and demand a ransom from the victims in exchange for the key to unlocking them.
Moreover, the threat actors behind Phoenix CryptoLocker are likely known entities–the cybercrime group Evil Corp, which recently resurfaced after taking a short hiatus from cybercriminal activity, according to the report.
The impact of the group’s latest attack was so serious that CNA disconnected its systems from its network “out of an abundance of caution” and is currently providing workarounds for employees where possible so the company can continue operating to serve its customers, the company said.
Sources familiar with the attack have told BleepingComputer that threat actors encrypted more than 15,000 devices on CNA’s network—including those of employees working remotely who were logged onto the company’s VPN at the time—when they deployed the new ransomware on Sunday, according to the report.
Attackers encrypted devices by appending the .phoenix extension to encrypted files and creating a ransom note named PHOENIX-HELP.txt, according to BleepingComputer.
Evil Corp has been in the crosshairs of U.S. authorities since 2019, when they offered up $5 million for information leading to the arrest of Evil Corp leader Maksim V. Yakubets, 32, of Russia, who goes under the moniker “aqua” and is known for leading a lavish lifestyle.
Indeed, the cybercrime group has reaped millions from various nefarious activities, which previously included capturing banking credentials with the Dridex banking trojan and then making unauthorized electronic funds transfers from unknowing victims’ bank accounts.
See Also: Information Security Tool: Chameleon
CNA also did not give a timeline for when its website and systems will be up and running in a fully operational way again. In the meantime, the company posted specific directions on its website for how its customers should contact the company during the time of disruption based on their various needs.
Source: https://threatpost.com
(Click Link)