CNA Financial, one of the biggest insurance companies in the US, reportedly forked over $40 million in ransom after it was hit by a cyberattack in late March.
The Chicago-based company was locked out of its network and decided to pay the hackers after about two weeks, Bloomberg News reported, citing two people with knowledge of the attack.
A CNA spokeswoman confirmed to Bloomberg that the cyberattack occurred, but declined to comment on the ransom.
The spokeswoman said the company shared information about the attack and the hackers with the FBI and the Treasury Department’s Office of Foreign Assets Control, which said last year that facilitating ransom payments to hackers could pose sanctions risks.
“CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter,” the spokeswoman, Cara McCall, told Bloomberg.
CNA, which offers cyber insurance, said it believed the hackers behind the cyberattack were a group called Phoenix, according to Bloomberg. The $40 million ransom is larger than any previously disclosed payment to hackers, the report said.
Ransomware is malicious software that locks up a user’s data. Hackers typically demand money to unlock or return the affected data.
The disclosure of the attack on CNA comes just weeks after the hacking of Colonial Pipeline by Russia-based cybergang DarkSide. That hacking shuttered the biggest oil pipeline in the US and spurred panic buying and gas shortages across the Southeast.
Colonial paid DarkSide a ransom of $4.4 million, CEO Joseph Blount said. The FBI has long advised companies not to pay when hit by ransomware.
The FBI says that paying ransom creates incentives for more attacks and supports criminal gangs.
The multiple attacks and the scale of the payments the hackers demanded underscore the degree to which ransomware attacks have proliferated in recent years.
Ransomware payments rose to a staggering $350 million last year, up 311 percent compared with the year prior, according to a task force of security experts and law enforcement agencies.
That group delivered 48 recommendations on how the Biden administration and private companies could shore up cybersecurity.
The 81-page report, prepared by the Institute for Security and Technology, was delivered to the White House days before the Colonial Pipeline hacking.