CNA Financial customers are feeling the ripple effects of a ransomware attack that occurred earlier this year.
# Incident Report: CNA Financial Phoenix Locker Ransomware Attack
## Executive Summary
In March 2021, CNA Financial was compromised by the Russian cybercriminal group Evil Corp, which deployed the Phoenix Locker ransomware, likely a new strain used as a means to circumvent U.S. sanctions against the group. The attackers exfiltrated sensitive customer data before deploying the ransomware. CNA Financial notified 75,349 customers and stated that, while customer names and SSNs were accessed, the data was recovered before any misuse could occur.
## Incident Details
- Discovery Date: Not explicitly stated, but investigation confirmed activity occurred between March 5 and March 21, 2021.
- Incident Date: Occurred between March 5, 2021, and March 21, 2021.
- Affected Organization: CNA Financial
- Sector: Financial Services/Insurance
- Geography: Chicago, Illinois, United States (Organization Headquarters)
## Timeline of Events
### Initial Access
- Date/Time: On or shortly before March 5, 2021.
- Vector: Not explicitly detailed; the attack is attributed to Evil Corp.
- Details: The threat actor gained access to certain CNA systems.
### Lateral Movement
- Date/Time: Between March 5, 2021, and March 21, 2021.
- Details: Unknown extent of movement, but system access was maintained across this period for data exfiltration.
### Data Exfiltration/Impact
- Date/Time: Prior to ransomware deployment (March 2021).
- Details: The threat actor exfiltrated a limited amount of sensitive customer information, including customer names and Social Security Numbers, before deploying the Phoenix Locker ransomware.
### Detection & Response
- Date/Time: After March 21, 2021 (when the investigation began).
- Details: CNA Financial conducted an investigation, determined the scope of the breach, and notified 75,349 impacted customers. The primary focus of the response was the recovery of the exfiltrated data.
## Attack Methodology
- Initial Access: Unspecified initial access method used by Evil Corp (likely exploiting a previously unknown vulnerability or weak credential).
- Persistence: Access maintained from March 5 to March 21, 2021.
- Privilege Escalation: Not detailed.
- Defense Evasion: Evil Corp carried out the attack under the Phoenix Locker ransomware name, potentially using a new strain to avoid attribution to the group and thereby evade existing U.S. sanctions against it.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Threat actor accessed "certain CNA systems."
- Collection: Customer names and Social Security Numbers (SSNs) were copied.
- Exfiltration: Sensitive customer data was exfiltrated prior to the ransomware deployment.
- Impact: Deployment of Pheonix Locker Ransomware.
## Impact Assessment
- Financial: Not quantified in the source material, but costs related to investigation, customer notification, and remediation are implied.
- Data Breach: Customer names and Social Security Numbers (SSNs) of 75,349 individuals were accessed/copied. CNA stated the data was recovered before misuse.
- Operational: Implied operational disruption due to ransomware deployment, though not explicitly detailed.
- Reputational: Public notification was required, resulting in reputational harm from the data exposure.
## Indicators of Compromise
*Note: No specific IOCs (IP addresses, domains, file hashes) were provided in the source text.*
- Network indicators: None provided.
- File indicators: None provided; the only artifact named is the **Phoenix Locker** ransomware family itself.
- Behavioral indicators: Activity attributed to **Evil Corp** based on characteristics associated with the group.
## Response Actions
- Containment: Not detailed, but implied by the termination of the threat actor's network access after March 21, 2021.
- Eradication: Not detailed, but focus was placed on ensuring the exfiltrated data was recovered.
- Recovery: CNA Financial confirmed they were able to quickly recover the exfiltrated personal information and found no indication it was viewed, retained, or shared.
## Lessons Learned
- Ransomware groups (like Evil Corp) are actively evolving their tools (Phoenix Locker) and tradecraft to evade regulatory pressure (U.S. sanctions).
- Data exfiltration often precedes encryption in modern ransomware campaigns, significantly increasing the breach severity even if encryption is mitigated.
## Recommendations
- Financial institutions must segment critical environments and bolster security around sensitive customer data stores, especially in the context of known, well-resourced threat actors (like Evil Corp) targeting the sector.
- Review and strengthen defenses specific to ransomware strains observed in the threat landscape (Phoenix Locker).