CNA shares details about ransomware attack, recovery effort

Major U.S. insurer CNA confirmed this week that it was the victim of a ransomware attack and that it has taken several steps on the road to recovery.

The company, one of the biggest players in cybersecurity insurance specifically, had previously acknowledged an attack, but stopped short of specifying exactly what kind. In an update on Thursday, the company said it had restored normal email operations after a ransomware attack, adding that it instituted multi-factor authentication and a security platform for detecting and blocking threats.

“Our team deployed additional endpoint detection and monitoring tools for an added layer of security and visibility across our network,” the update reads. “We expect that there will be a number of other remediation and infrastructure enhancements.”

The attack has proven a source of misery for the company since hackers hit on March 21.

Like other insurers, CNA would represent a tempting target for hackers aiming to gather policyholder information, then squeeze higher ransomware payments out of potential victims, as the attackers would know which CNA clients could afford to pay an extortion fee. CNA’s update did not say whether the company has determined if policyholder data was compromised.

The company did say, however, that it now believes it has the attack contained and has ascertained that the hackers and their ransomware lacked the ability to automatically move around in internal and external systems. Bleeping Computer reported that the Phoenix CryptoLocker ransomware was involved, possibly with links to a cybercriminal collective dubbed Evil Corp.

CNA said it was still communicating with regulators, law enforcement and outside forensics experts. CyberScoop has learned that CNA has enlisted help from CrowdStrike.