A novel ransomware attack forced US insurance giant CNA to take systems offline and temporarily shut down its website. The attack occurred last week and used a new variant of the Phoenix Crypto Locker malware.
The incident, which forced the company to disconnect its systems, caused significant business disruption.
The Chicago-based company, the seventh-largest commercial insurance provider in the world, said it “sustained a sophisticated cyber-security attack” on Sunday, March 21, according to a statement on the home page of its website. That statement is currently the only content the company’s site displays.
“The attack caused a network disruption and impacted certain CNA systems, including corporate email,” according to the statement.
Though the company did not elaborate on the nature of the attack, a report in Bleeping Computer said CNA was the victim of a new ransomware called Phoenix Crypto Locker. Crypto lockers are a common type of ransomware that immediately encrypt files on the machines they infect and demand a ransom from victims in exchange for the key to unlock them.
Phoenix Crypto Locker
The threat actors behind Phoenix Crypto Locker are also likely a known entity: the cyber-crime group Evil Corp, which recently resurfaced after a short hiatus from criminal activity, according to the report.
The impact of the group’s latest attack was so serious that CNA disconnected its systems from its network “out of an abundance of caution” and is currently providing workarounds for employees where possible, so that the company can continue to serve its customers, the company said.
Sources familiar with the attack told Bleeping Computer that the threat actors encrypted more than 15,000 devices on CNA’s network when they deployed the new ransomware on Sunday, including the devices of remote employees who were connected to the company’s VPN at the time, according to the report.
The attackers appended the .phoenix extension to the files they encrypted and created a ransom note named PHOENIX-HELP.txt, according to Bleeping Computer.
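The two indicators the report names, the .phoenix extension and the PHOENIX-HELP.txt ransom note, are enough to build a first-pass detection. The script below is an added illustration, not code from the article or from any vendor: it runs over a constructed file-event feed and flags hosts that show a burst of renames to .phoenix or the ransom note drop. The event layout (host, epoch seconds, action, path), the host names and the thresholds are assumptions made for the example.

```python
"""Flag hosts showing the Phoenix Crypto Locker indicators the article names.
Constructed example: only the ".phoenix" extension and the "PHOENIX-HELP.txt"
ransom note come from the reporting; event layout, hosts and thresholds are
assumed for demonstration."""
from collections import defaultdict

RANSOM_EXT = ".phoenix"
RANSOM_NOTE = "PHOENIX-HELP.txt"
RENAME_THRESHOLD = 5   # renames to *.phoenix on one host inside the window
WINDOW_SECONDS = 60

def detect(events):
    """events: iterable of (host, epoch_seconds, action, path).
    Returns {host: [reasons]} for hosts with a rename burst or a ransom note."""
    renames, notes = defaultdict(list), defaultdict(list)
    for host, ts, action, path in sorted(events, key=lambda e: e[1]):
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if action == "rename" and name.lower().endswith(RANSOM_EXT):
            renames[host].append(ts)
        elif action == "create" and name == RANSOM_NOTE:
            notes[host].append(path)
    alerts = {}
    for host, stamps in renames.items():
        start = 0  # sliding window over the time-sorted rename timestamps
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                alerts.setdefault(host, []).append(
                    f"{end - start + 1} renames to {RANSOM_EXT} in {WINDOW_SECONDS}s")
                break  # one burst alert per host is enough
    for host, paths in notes.items():
        alerts.setdefault(host, []).append(f"ransom note dropped: {paths[0]}")
    return alerts

SAMPLE_EVENTS = [  # constructed telemetry, not data from the incident
    ("ws-remote-01", 1000, "rename", r"C:\Users\a\Docs\q1.xlsx.phoenix"),
    ("ws-remote-01", 1003, "rename", r"C:\Users\a\Docs\q2.xlsx.phoenix"),
    ("ws-remote-01", 1005, "rename", r"C:\Users\a\Docs\plan.docx.phoenix"),
    ("ws-remote-01", 1009, "rename", r"C:\Users\a\Docs\notes.txt.phoenix"),
    ("ws-remote-01", 1012, "rename", r"C:\Users\a\Pictures\img.jpg.phoenix"),
    ("ws-remote-01", 1015, "create", r"C:\Users\a\Docs\PHOENIX-HELP.txt"),
    ("fileserver-02", 2000, "rename", r"D:\share\old.bak.phoenix"),   # isolated
    ("fileserver-02", 2500, "rename", r"D:\share\old2.bak.phoenix"),  # isolated
    ("ws-03", 3000, "create", r"C:\Users\b\report.pdf"),              # benign
]
```

Calling `detect(SAMPLE_EVENTS)` flags only ws-remote-01, on both signals; the two widely spaced renames on fileserver-02 stay below the burst threshold, which is the trade-off to tune against false positives from legitimate bulk renames.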
Evil Corp has been in the sights of US authorities since 2019, when they offered a $5m reward for information leading to the arrest of Evil Corp leader Maksim V. Yakubets, 32, of Russia, who goes by the alias “aqua” and is known for his lavish lifestyle.
The cyber-crime group has reaped millions from a range of criminal activities, which previously included harvesting banking credentials with the Dridex banking trojan and then making unauthorized electronic funds transfers from unwitting victims’ bank accounts.
Sources believe Phoenix Crypto Locker is a product of Evil Corp because its code resembles previous ransomware used by the group, according to the report. In previous ransomware attacks, such as one against GPS technology provider Garmin last year, Evil Corp used Wasted Locker ransomware to encrypt victims’ files.
Restore its Systems
CNA aims to restore its systems from backups rather than pay the ransom demanded by the attackers, according to Bleeping Computer. An investigation into the incident, begun immediately after its discovery, is ongoing, the company stated.
“We have alerted law enforcement and will be cooperating with them as they conduct their own investigation,” the company said.
CNA does not yet know whether the incident affected any customer data but will notify the affected parties directly if it did, according to the statement.
CNA also did not give a timeline for when its website and systems will be fully operational again. In the meantime, the company has posted directions on its website telling customers how to contact it during the disruption, depending on their needs.