News Insights: Insurer CNA Paid Hackers $40M for Ransomware Decryption – MSSP Alert

News broke yesterday that insurance giant CNA paid $40 million in ransom after the attack it suffered in March – but that’s not the real news. Just a few days ago, CNA denied that it was a targeted attack…so why the payment? And what are the implications of giving the bad guys your money?

News Insights:

According to Charles Herring, CTO and Co-Founder of WitFoo, “CNA messaging on the March breach is starting to show some concerning cracks. While the May 12 update states ‘there is no indication that this was a targeted attack or that CNA or policyholder data was specifically targeted,’ the same article release states that are ‘conducting dark web scans and searches for CNA-related information and this time, we do not have evidence that data related to this attack is being shared or misused.’ CNA’s efforts to search the dark web show they believe it is possible (if not likely) that policy information left the network. If that was not a possibility, there would be no need to search the dark web.

The problem with CNA’s assessment is that this information is too valuable to sell on dark web markets. In the March interview by The Record of REvil’s Unknown, Unknown explains they (and other Ransomware as a Service providers) are targeting this type of ‘tasty morsel’ data. In my recent Dark Reading article, I review the pivot from opportunistic ransomware to targeted ransomware. The second point eroding CNA’s assertions is the reporting that unnamed sources at CNA confirm a $40M ransom was paid. Such a high ransom shows strong evidence that CNA was targeted (the criminals knew they could extort that large amount). It is also evidence that the pain of that data disclosure was significant to CNA.

On October 1, 2020 (ahead of the CNA attack) Department of Treasury issued guidance that ‘future ransomware payment demands but also may risk violating OFAC regulations.’ In the breaking story, a CNA spokesperson reports they complied with the law including the Treasury guidance. Such a statement cannot be reconciled with a $40M ransom payment. If the reporting is true, CNA felt deep enough pain to both lose the $40M and to violate the law. It is hard to fathom such action not being taken without policy data being at play. That combined with the declared intent by Unknown to get the data in March make it increasingly difficult to believe CNA’s rosy explanation of events. The terrifying implication is not limited to the reputation of CNA. The major issue is ransomware criminals likely have a menu of targets and payouts from the data lost at CNA.”