CNA Financial customers are feeling the ripple effects of a ransomware attack that occurred earlier this year.
In March, CNA Financial was infiltrated by the Phoenix Locker ransomware, which is believed to be a new type of ransomware from Russian cybercriminals Evil Corp. Before deploying the ransomware, Evil Corp exfiltrated sensitive customer data.
CNA Financial sent a message to all 75,349 impacted customers to notify them of the breach.
“The investigation [of the ransomware attack] revealed that the threat actor accessed certain CNA systems at various times from March 5, 2021, to March 21, 2021. During this time period, the threat actor copied a limited amount of information before deploying the ransomware,” CNA Financial said in its breach statement.
Investigation findings also revealed that the cybercriminals accessed customer names and Social Security numbers. But CNA Financial assures customers that the personal information was completely recovered before the cyberattackers had a chance to abuse it.
“...CNA was able to quickly recover that information and there was no indication that the data was viewed, retained, or shared. Therefore, we have no reason to suspect your information has or will be misused.”
This new family of ransomware may be Evil Corp’s attempt to diversify its identity to evade U.S. sanctions. Since 2019, the United States Office of Foreign Assets Control (OFAC) has been on the hunt for Evil Corp and all of its subsidiaries. To sever all sources of funding to the criminal group, OFAC prohibits ransomware negotiation firms from facilitating ransom payments to Evil Corp.
The sanctions appear to be working because Evil Corp is getting desperate. Recently, the threat actors attempted to mask their ransomware activity behind the ransomware PayLoadBin.
Prior to that, the group assumed the name Gracewire for its trojan after returning from a brief hiatus to protect its leader from capture.
In 2019, the United States Government issued a $5 million reward for any information that could lead to the capture of Evil Corp boss Maksim Viktorovich Yakubets.
Even after Maksim’s capture, the financial sector will remain a prime target for cyberattackers. To defend against present and future threats, financial institutions need to immediately bolster the protection of their sensitive resources.