

CNA Financial is one of the largest insurance companies in the United States. The company had reportedly agreed to pay the $40 million ransom to restore access to its systems following a ransomware attack.

In March, a “sophisticated cybersecurity attack” that caused “network disruption and impacted certain CNA systems” was detected.

The website started showing a message that stated they are “currently experiencing a network disruption that is impacting some of our systems. We are working to address these issues to minimize the disruption to you.”

On March 21, 2021, CNA determined that it sustained a sophisticated cybersecurity attack. The attack caused a network disruption and impacted certain CNA systems, including corporate email.

 Upon learning of the incident, we immediately engaged a team of third-party forensic experts to investigate and determine the full scope of this incident, which is ongoing. We have alerted law enforcement and will be cooperating with them as they conduct their own investigation.

 Out of an abundance of caution, we have disconnected our systems from our network, which continue to function. We’ve notified employees and provided workarounds where possible to ensure they can continue operating and serving the needs of our insureds and policyholders to the best of their ability.

 The security of our data and that of our insureds’ and other stakeholders is of the utmost importance to us and we are committed to continuing to serve them as we work to resolve this issue. Should we determine that this incident impacted our insureds’ or policyholders’ data, we’ll notify those parties directly.


In May, the insurance company said that third-party cyber forensic experts were investigating the incident and revealed that the ransomware group appears to have conducted all of its activities prior to March 21 and has not accessed the CNA environment since, meaning that after finding the breach, CNA isolated and secured the incident.

It looks like the hackers used Phoenix Locker, a variant of the ransomware dubbed ‘Hades’, which was created by the Russian cybercrime syndicate known as Evil Corp.

According to Bloomberg, the $40 million payment was made just two weeks after the ransomware attack crippled CNA Financial’s networks.

The company’s decision to pay is likely to be seen as a setback in the debate over cybersecurity threats and the right way to handle them, as lawmakers and regulators are already unhappy that U.S. companies are making payouts to criminal hackers.

CNA decided to remain silent about the type of information that was stolen, but declared that:

We do not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data — including policy terms and coverage limits — is stored, were impacted.


A CNA spokesperson said that the insurance firm will not be commenting on the ransom, as CNA “followed all laws, regulations, and published guidance” while handling the cyberattack, and even consulted with the FBI and the Office of Foreign Assets Control.

Author Profile

Dora Tudor

Cyber Security Enthusiast

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.