The firm said in a statement that the investigation is ongoing, but it has shared some information regarding the ransomware attack in March.
Commercial insurance provider CNA Hardy has allegedly paid out $40m (around £28m) to its ransomware attackers.
According to Bloomberg, the Chicago-based company paid hackers two weeks after CNA officials were blocked from the network and its data was stolen - this was confirmed by unnamed sources at the insurance provider.
However, on 12 May 2021, CNA Hardy released a statement providing updated details.
The statement said: “We continue to progress our investigation into this incident, in partnership with the third-party forensic experts working to assist CNA.
“We are pleased that in a short time since the ransomware event, we are now operating in a fully restored state.
“Investigation Update: We have been working diligently with our third-party experts to determine what happened during the course of this attack.”
The statement added that the investigation is ongoing, but the following information can be shared:
- CNA’s forensic investigation and root cause determination have revealed no indication that this was a targeted attack or that CNA or policyholder data was specifically targeted by the threat actor.
- On 21 March 2021, CNA detected the ransomware and took immediate action by proactively disconnecting its systems from its network to contain the threat and prevent additional systems from being affected.
- All attacker activity happened in March 2021 and prior to 21 March specifically.
- As a result of the company’s actions, it is confident that the threat actor has not accessed the CNA environment since the ransomware event.
- CNA has no evidence to indicate that external customers were potentially at risk of infection due to the incident.
Speaking on this news, Charles Herring, chief technology officer and co-founder of software firm WitFoo, said: “CNA messaging on the March breach is starting to show some concerning cracks.”
For example, while the 12 May update stated that “there is no indication that this was a targeted attack or that CNA or policyholder data was specifically targeted”, the statement also noted that “CNA has been conducting dark web scans and searches for CNA-related information and at this time, we do not have any evidence that data related to this attack is being shared or misused”.
CNA Hardy was hit by a “sophisticated” ransomware attack in March this year, which impacted its operations and email system.
Herring continued: “CNA’s efforts to search the dark web show they believe it is possible (if not likely) that policy information left the network. If that was not a possibility, there would be no need to search the dark web. The problem with CNA’s assessment is that this information is too valuable to sell on dark web markets.”
He pointed out a potential change “from opportunistic ransomware to targeted ransomware”.
“Such a high ransom shows strong evidence that CNA was targeted - the criminals knew they could extort that large amount. It is also evidence that the pain of that data disclosure was significant to CNA,” Herring added.
In terms of the scope of the attack, the aforementioned statement from CNA Hardy continued: “Our investigation identified the scope of impacted data in the incident, as well as the servers on which the data resided. We are reviewing the impacted data to determine the contents using both technology and a manual review.
“We will continue to work quickly and diligently so that we may assess our legal obligations, including any notification obligations to policyholders and impacted individuals.”
Meanwhile on 1 October 2020, the US Department of Treasury issued guidance that “future ransomware payment demands may risk violating Office of Foreign Assets Control (OFAC) regulations”, Herring said.
“The terrifying implication is not limited to the reputation of CNA. The major issue is ransomware criminals likely [having] a menu of targets and pay outs from the data lost at CNA.”
Insurance Times has contacted CNA Hardy for comment.