CNA Financial customers are feeling the ripple effects of a ransomware attack that occurred earlier this year.
# Incident Report: CNA Financial Phoenix Locker Ransomware Attack
## Executive Summary
CNA Financial was hit by a ransomware attack in March 2021, allegedly carried out by the criminal group Evil Corp using the Phoenix Locker ransomware. The threat actor had access to CNA systems between March 5 and March 21, 2021, and copied a limited amount of customer data, including names and Social Security numbers, before deploying the ransomware. CNA stated that it recovered the copied data and had no indication it was misused, and it subsequently notified 75,349 affected customers.
## Incident Details
- **Discovery Date:** Not stated in the source; unauthorized activity occurred between March 5 and March 21, 2021.
- **Incident Date:** March 2021 (access from March 5; ransomware deployed after the customer data was copied, exact deployment date not stated).
- **Affected Organization:** CNA Financial
- **Sector:** Financial Services/Insurance
- **Geography:** United States (Headquartered in Chicago, Illinois)
## Timeline of Events
### Initial Access
- **Date/Time:** On or before March 5, 2021
- **Vector:** Not stated in the source; an initial compromise that led to sustained access is implied.
- **Details:** The threat actor accessed CNA systems starting around March 5, 2021.
### Lateral Movement
- **Date/Time:** March 5, 2021, to March 21, 2021
- **Vector:** Internal system traversal (Implied by the extended access period and exfiltration).
- **Details:** The threat actor maintained access and moved across various CNA systems over a period of roughly two weeks.
### Data Exfiltration/Impact
- **Date/Time:** Prior to/during the ransomware deployment (March 2021)
- **Vector:** Data Exfiltration
- **Details:** A "limited amount of information," including customer names and Social Security numbers, was copied before Phoenix Locker was deployed.
### Detection & Response
- **Date/Time:** Not stated; detection is implied to have occurred during or immediately after the ransomware deployment in March 2021.
- **Vector:** Internal detection (implied), followed by investigation and external customer notification.
- **Details:** CNA investigated the incident, stated that it recovered the copied data, and notified the 75,349 affected customers.
## Attack Methodology
- **Initial Access:** Not stated.
- **Persistence:** Mechanism not stated; the actor retained access from March 5 to March 21, 2021.
- **Privilege Escalation:** Not stated; reaching multiple systems and customer records implies broad or elevated privileges were obtained.
- **Defense Evasion:** No technical evasion details are given. Evil Corp's use of the **Phoenix Locker** brand is read as an attempt to evade OFAC sanctions monitoring (the group is a sanctioned entity, which deters victims from paying it), which is sanctions evasion rather than evasion of security controls.
- **Credential Access:** Implied; valid credentials would be needed to reach "certain CNA systems" and copy customer data.
- **Discovery:** Implied; the actor located where sensitive customer information was stored.
- **Lateral Movement:** Movement across "certain CNA systems" over roughly two weeks.
- **Collection:** Customer names and Social Security numbers.
- **Exfiltration:** Sensitive customer data copied out prior to encryption.
- **Impact:** Deployment of **Phoenix Locker** ransomware.
## Impact Assessment
- **Financial:** Not detailed in the source. A ransom demand is inherent to the incident, but no negotiation or payment details are given.
- **Data Breach:** 75,349 customers affected. Compromised data: **customer names and Social Security numbers (SSNs)**.
- **Operational:** Ransomware deployment implies disruption of the affected systems; the scope and duration of downtime are not specified.
- **Reputational:** Customers were notified of the breach, with the attendant reputational cost to CNA.
## Indicators of Compromise
*Note: The source provides no technical IoCs (IP addresses, domains, URLs or file hashes); only TTPs are available.*
- **Network indicators:** None provided.
- **File indicators:** None provided; the malware family is identified as Phoenix Locker, but no samples or hashes are given.
- **Behavioral indicators:** Roughly 16 days of sustained access and lateral movement (March 5–21, 2021), staged data theft, then ransomware deployment; activity attributed to Evil Corp.
## Response Actions
- **Containment measures:** Not detailed; containment of the ransomware and revocation of the actor's access are implied.
- **Eradication steps:** Not detailed; removal of the actor's footholds and the malware after the incident is implied.
- **Recovery actions:** CNA stated it "were able to quickly recover that information," referring to the copied customer data. Notifications were sent to the 75,349 affected customers.
## Lessons Learned
- **Key Takeaways:** About 16 days of undetected presence gave the actor time for every stage of the intrusion, including data theft before encryption. When data is copied out before it is encrypted, the encryption is the last step of the attack, not the first, and restoring from backup does not undo the theft.
- **What could have been done better:** Detection during the initial-access and lateral-movement phases, before exfiltration began. Stronger controls on SSN data at rest (restricted access, monitoring of bulk reads and large outbound transfers) to limit what an intruder can collect.
## Recommendations
- Financial institutions should harden access to their sensitive data stores (least-privilege access, monitoring of bulk reads and large outbound transfers) to defend against well-resourced actors such as Evil Corp.
- Review and enhance network segmentation and monitoring for lateral movement so that the dwell time between initial access and detection is drastically reduced.
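The lessons and recommendations above both come down to shortening dwell time by catching the lateral-movement and staging phases that preceded the encryption. The following added example (not part of the original report or any CNA tooling) runs two simple detections over constructed log lines: fan-out of one host's logons across many internal hosts inside a short window, and an outbound byte spike measured against a per-host baseline, then ranks hosts that show both in sequence. The log format, host names, user names and thresholds are all assumptions.

```python
"""Added example, not part of the original report or any CNA tooling.

Two cheap detections aimed at the phases the report says went unnoticed for
roughly 16 days: lateral-movement fan-out (one source host logging on to many
distinct internal hosts in a short window) and an outbound byte spike against
a per-host baseline (data staged and copied out before encryption).
The log format, host names, user names and thresholds are all assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample records, not real telemetry. WS-042 is the planted
# intruder foothold; WS-117 is ordinary user activity.
AUTH_LOGS = """\
2021-03-05T23:02:11 auth src=WS-042 dst=FS-01 user=jdoe result=success
2021-03-05T23:05:40 auth src=WS-042 dst=DB-03 user=jdoe result=success
2021-03-05T23:07:02 auth src=WS-042 dst=APP-07 user=jdoe result=success
2021-03-05T23:09:15 auth src=WS-042 dst=DC-01 user=jdoe result=success
2021-03-05T23:11:48 auth src=WS-042 dst=FS-02 user=jdoe result=success
2021-03-05T23:14:30 auth src=WS-042 dst=HR-01 user=jdoe result=success
2021-03-06T08:30:00 auth src=WS-117 dst=FS-01 user=asmith result=success
2021-03-06T09:15:00 auth src=WS-117 dst=APP-07 user=asmith result=success
2021-03-06T09:16:00 auth src=WS-117 dst=DC-01 user=asmith result=failure
""".splitlines()

FLOW_LOGS = """\
2021-03-01 flow src=WS-042 bytes_out=52000000
2021-03-02 flow src=WS-042 bytes_out=48000000
2021-03-03 flow src=WS-042 bytes_out=55000000
2021-03-04 flow src=WS-042 bytes_out=50000000
2021-03-19 flow src=WS-042 bytes_out=8100000000
2021-03-01 flow src=WS-117 bytes_out=40000000
2021-03-02 flow src=WS-117 bytes_out=42000000
2021-03-03 flow src=WS-117 bytes_out=39000000
2021-03-04 flow src=WS-117 bytes_out=41000000
2021-03-19 flow src=WS-117 bytes_out=43000000
""".splitlines()

AUTH_RE = re.compile(r"^(?P<ts>\S+) auth src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"user=(?P<user>\S+) result=(?P<result>\S+)$")
FLOW_RE = re.compile(r"^(?P<day>\S+) flow src=(?P<src>\S+) bytes_out=(?P<bytes>\d+)$")


def lateral_fanout(lines, window=timedelta(hours=1), threshold=5):
    """Flag source hosts with successful logons to >= threshold distinct
    destination hosts inside any sliding window. Returns {src: (user, [dsts])}."""
    by_src = defaultdict(list)
    for line in lines:
        m = AUTH_RE.match(line)
        if not m or m["result"] != "success":
            continue
        by_src[m["src"]].append((datetime.fromisoformat(m["ts"]), m["dst"], m["user"]))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, user) in enumerate(events):
            dsts = {dst for ts, dst, _ in events[i:] if ts - start <= window}
            if len(dsts) >= threshold:
                alerts[src] = (user, sorted(dsts))
                break
    return alerts


def exfil_outliers(lines, baseline_days=4, z=3.0, min_ratio=10.0):
    """Flag days on which a host's outbound bytes exceed its baseline mean by
    more than z standard deviations AND by at least min_ratio times the mean
    (the ratio guard stops a near-zero sigma from flagging tiny changes).
    The first baseline_days observations per host form the baseline.
    Returns {src: [(day, bytes_out, ratio_to_baseline)]}."""
    by_src = defaultdict(list)
    for line in lines:
        m = FLOW_RE.match(line)
        if m:
            by_src[m["src"]].append((m["day"], int(m["bytes"])))
    alerts = {}
    for src, obs in by_src.items():
        obs.sort()
        base = [b for _, b in obs[:baseline_days]]
        if len(base) < 2:
            continue  # not enough history to judge this host
        mu, sigma = mean(base), pstdev(base)
        for day, b in obs[baseline_days:]:
            if b > mu + z * sigma and b >= min_ratio * mu:
                alerts.setdefault(src, []).append((day, b, round(b / mu, 1)))
    return alerts


def triage(auth_lines, flow_lines):
    """Rank hosts: one that fans out internally and later shows an outbound
    spike matches the sequence in the report (lateral movement, then theft
    before encryption) and outranks hosts with only a single signal."""
    lateral, exfil = lateral_fanout(auth_lines), exfil_outliers(flow_lines)
    ranked = [((h in lateral) + (h in exfil), h, lateral.get(h), exfil.get(h))
              for h in set(lateral) | set(exfil)]
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


if __name__ == "__main__":
    for score, host, lat, exf in triage(AUTH_LOGS, FLOW_LOGS):
        print(f"[score {score}] {host}: fanout={lat} exfil={exf}")
```

On the constructed input, WS-042 reaches six distinct hosts in twelve minutes on the night of March 5 and pushes roughly 150 times its daily outbound baseline on March 19, so it is the only host ranked, with both signals. The thresholds are deliberately crude; in production the fan-out count would be tuned per host role (a jump host legitimately fans out) and the byte baseline would use more history than four days.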