Printed from

CNA paid $40 million cyber ransom, Bloomberg reports

Posted On: May. 20, 2021 4:54 PM CST


CNA Financial Corp. declined to comment late Thursday on a Bloomberg report that it paid $40 million to hackers to regain control of its systems after it suffered a ransomware attack in March.

Citing “people with knowledge of the attack,” the newswire said CNA initially ignored the hacker's demand for a $60 million ransom but started negotiations within a week.

CNA declined to say whether it paid a ransom but noted that the group that carried out the attack was not on the U.S. Treasury’s Office of Foreign Assets Control’s list of sanctioned entities that it was prohibited from dealing with.

In a statement, the insurer said: “CNA is not commenting on the ransom, but the company did consult and share intelligence with the FBI and OFAC regarding the cyber incident and the threat actor’s identity. CNA followed all laws, regulations and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter. Due diligence efforts concluded that the threat actor responsible for the attack is a group called Phoenix. Phoenix is not on any prohibited party list and is not a sanctioned entity.”

The last October OFAC issued guidance to companies about facilitating ransomware payments.

Among other things, the guidance states: “U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria).”

CNA disconnected its systems in late March after disclosing that it was the subject of a cyberattack. Its corporate website remained down for two weeks.