U.S. insurance company CNA Financial reportedly paid $40 million to a ransomware group to regain access to its systems after a cyberattack in March, marking one of the largest known ransom payments to date.
The payment was first reported by Bloomberg, which cited people familiar with the incident. According to the report, the attackers initially demanded $60 million when negotiations began, and the final payment was made roughly two weeks after company data was stolen.
In a public update issued on May 12, CNA Financial said it had found no evidence that the incident put external customers at risk of infection.
The attack has been linked to a ransomware strain known as Phoenix CryptoLocker. Researchers believe the malware is related to WastedLocker and Hades, ransomware families previously associated with the Russian cybercrime group Evil Corp.
Evil Corp has a long history of targeting U.S. organizations and has been connected to several high-profile ransomware attacks, including the 2020 attack on Garmin. The group is also known for using malware such as JabberZeus, Bugat, and Dridex to steal banking credentials.
In December 2019, U.S. authorities sanctioned Evil Corp and charged alleged leaders Maksim Yakubets and Igor Turashev. Prosecutors accused them of developing and distributing the Dridex banking trojan, which was used to steal more than $100 million over a decade. Both remain at large, and U.S. authorities have offered rewards of up to $5 million for information leading to their arrest.
The CNA incident comes as ransomware attacks continue to rise sharply. According to industry data, the average ransom payment increased 171% year over year, from $115,123 in 2019 to $312,493 in 2020. The largest single ransom demand recorded last year reached $30 million, while total payments to ransomware groups climbed to $406 million based on conservative estimates.
CNA Financial’s $40 million payment underscores how 2021 has continued to favor ransomware operators, potentially encouraging gangs to demand higher payouts and pursue larger targets.
An analysis by ransomware recovery firm Coveware found that the average ransom demand rose to $220,298 in the first quarter of 2021, up 43% from the previous quarter. The report noted that 77% of attacks involved threats to leak stolen data, a tactic commonly referred to as double extortion.
Although U.S. officials routinely advise organizations not to pay ransoms, the threat of public data exposure has left many victims feeling pressured to comply. In October 2020, the Treasury Department issued guidance warning that payments made to sanctioned individuals or groups could result in penalties.
“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and incident response companies, not only encourage future attacks but may also risk violating OFAC regulations,” the department said.
The surge in ransomware has also affected the cyber insurance market. Earlier this month, AXA announced it would stop reimbursing ransomware payments for customers in France. The move highlights growing concerns among insurers over rising claim costs and long-term sustainability.
A recent report from the U.S. Government Accountability Office found that demand for cyber insurance has driven premiums higher and reduced coverage. The total amount of direct premiums written increased by 50% between 2016 and 2019, from $2.1 billion to $3.1 billion.
“The increasing frequency and severity of cyberattacks, especially ransomware, have led insurers to reduce coverage limits for higher-risk sectors such as healthcare, education, and public entities,” the GAO noted.
Security experts continue to stress that organizations should focus on reducing initial access opportunities, maintaining reliable backups, and ensuring recovery plans are tested and up to date.
“Organizations should prioritize employee awareness around email security and ensure malicious messages are identified and addressed quickly,” researchers noted, adding that exposed services should be reviewed regularly and protected using least-privilege access and monitoring for brute-force activity.