back to article American insurance giant CNA reportedly pays $40m to ransomware crooks

CNA Financial, the US insurance conglomerate, has apparently paid $40m to ransomware operators to gets its files back. In March the business revealed it had been hit by an extensive Phoenix Locker infection; this strain of malware was developed by Russian scam artists calling themselves Evil Corp, which may have links to …

  1. Phil O'Sophical Silver badge

    Financial companies who pay ransoms shoud have their license to operate revoked.

    1. LDS Silver badge
      Devil

      Time to write my own ransomware ant then retire...

      1. Efer Brick

        Definitely in the wrong game

    2. tip pc Silver badge

      Define Ransom?

      “As per contract the annual cost of licensing our product per core and per instance is increasing. Due to higher costs to ensure the integrity and security of our product we’ve had to increase the cost of our license.

      Speak to your account rep to discuss the changes and inevitable cost increases. “

      When your business is so reliant on a vendor your over a barrel when their costs inevitably go up.

      Same with these scammers that lock your data.

  2. myxiplx2

    Should be illegal

    So let me get this straight, an insurance company, who profit by selling ransomware insurance, just funded a ransomware cyber crime group to the tune of $40m.

    They're literally funding the criminal organisation, and then offering to sell insurance against that to our clients.

    Weren't the Mafia doing shit like this back in the day?

    1. Joe W Silver badge
      WTF?

      Re: Should be illegal

      Calm down, it's all OK, because "Phoenix is not on any prohibited party list and is not a sanctioned entity."

      And that makes them good business partners, I guess...

      Good grief, what a reasoning....

    2. TimMaher Silver badge
      Facepalm

      “Back in the day”

      I think the Mafia still are.

      They’re just not as good as the big insurers.

    3. Yet Another Anonymous coward Silver badge

      Re: Should be illegal

      Their an insurance company so presumably the gang demanded $80 M but they only paid half because the replacement value of the unique data was actually only what it would cost to buy a crappy Walmart version of the data

  3. Pascal Monett Silver badge
    FAIL

    $40m to the extortionists

    Unacceptable.

    If they have $40 million to throw away like that, they have the money to guarantee proper backup procedures and use them.

    If I were a shareholder to this bunch of clowns, I'd be screaming bloody murder at the CEO.

    1. Chris G Silver badge

      Re: $40m to the extortionists

      Why wouldn't they pay a handsome bonus to a crew that generates business for them?

      1. chivo243 Silver badge
        Pint

        Re: $40m to the extortionists

        Excellent reasoning! Give that commentard a cheroot!

      2. LDS Silver badge

        Re: $40m to the extortionists

        Only as long as they don't have to cough up too much payments to hit customers.

    2. Efer Brick

      Re: $40m to the extortionists

      They're insured. Whilst embarrassing, it's a small amount to CNA.

      But yeah, the'll not want it to happen again.

    3. ecofeco Silver badge

      Re: $40m to the extortionists

      This. All of this.

      $40 million to pay extortionists but not IT security? WTF?

  4. chivo243 Silver badge
    WTF?

    so, let me understand

    If the crims can encrypt the data, does that mean they can also have a peek? Would be very nice to find the folder containing which companies have Malware insurance, and which don't, and which companies are more or less secure, as I know these questions are asked before insuring any company...

    1. 0laf Silver badge
      Childcatcher

      Re: so, let me understand

      The public knowledge that a company/organisation has cyber insurance is already being flagged as a risk factor.

      If the bad guys know you have insurance you are much more likely to be a target simply because they know your insurance will likely pay them. And it'll all be kept quiet so there is unlikely to be a political motivation to make paying ransoms illegal.

  5. sanmigueelbeer Silver badge
    Coat

    an analysis of the ransomware code suggests it doesn't steal data for later ransom, but instead simply locks it

    And analysis will not have any clue if the crew exfiltrated anything before encrypting files. I know I would.

    1. Michael Wojcik Silver badge

      That's not generally the way it works. The attacking organization has a botnet probing for known vulnerabilities it can exploit to drop a ransomware package, which will then encrypt files and notify a C&C server. The humans only find out about it after a victim has been compromised. There aren't a bunch of pasty-faced yoots in hoodies hunched over keyboards manually encrypting a file at a time.

      Some ransomware includes exfiltration of data; some doesn't. A given crew might, at some point, upgrade their botnet to deliver a package that includes exfiltration capability, but while the money's still rolling in there's no great incentive to do so quickly.

      There are probably ransomware operators who still work manually, but the smart ones will be automating the process as much as possible. And aside from developing packages with novel capabilities, it can all be automated.

      That's one reason why outlawing payments won't stop ransomware attacks.

  6. FlamingDeath Silver badge
    Facepalm

    What are they insuring exactly?

    I'm not sure what it is they're insuring? Is it the ransom note?

    Ordinarily, insurance involves recitifcation. If I insure my car, and it gets stolen and never found, I get money to the market value of my stolen car, so I can buy another, hopefully. So its pretty clear in this example it is the car that is insured, not the thief, who stole it

    We live in a fucking weird world

    Am I the only one thinking this through in this way?

    1. FlamingDeath Silver badge

      Re: What are they insuring exactly?

      In which world do insurance companies pay thieves for the return of stolen property?

      We're not even talking about a ransom for a life

      They should stop calling them ransoms, and just call them stupidity taxes

      1. FlamingDeath Silver badge

        Re: What are they insuring exactly?

        I know the pedantic will say, it isnt stolen, but its the closest analogy I can come up with

        Restricted access is as good as stolen

      2. Yet Another Anonymous coward Silver badge

        Re: What are they insuring exactly?

        >In which world do insurance companies pay thieves for the return of stolen property?

        Ocean's Eight ?

  7. DrXym Silver badge

    Governments need to intervene here

    Paying ransomware should be illegal and company owners / board members who sanction it should receive a criminal conviction and possibly prison time.

    In addition governments need to start requiring their departments, contractors and other companies deemed critical to national interest (e.g. hospitals, prisons, chemical plants, refineries, power plants, banks, flood barriers etc.) to implement adequate prevention, detection, and recovery procedures to lessen the impact of attack. That would include things like hardened OS images, least privilege accounts, traffic analysis, segregated local networks, backups of important data, firewalls around servers and all that good stuff. It might be an effort to get there, but it's better than suffering an attack and having to do it any way.

    1. John Brown (no body) Silver badge

      Re: Governments need to intervene here

      "That would include things like hardened OS images, least privilege accounts, traffic analysis, segregated local networks, backups of important data, firewalls around servers and all that good stuff. It might be an effort to get there, but it's better than suffering an attack and having to do it any way."

      But, but, but, all that costs money NOW. As opposed some vague, nebulous hand-wavey possible future risk that "won't happen to us".

      Signed.

      The Accountant.

    2. Boris the Cockroach Silver badge
      FAIL

      Re: Governments need to intervene here

      Hah dream on

      All it takes is an attatchment to an email from a 'friend' and the luser ignoring the sign that says "ANYONE OPENING A EMAIL ATTACHMENT WILL BE DIPPED IN BURNING OIL BEFORE BEING SPRAYED WITH ACID THEN FED TO ARMY ANTS"

      And your 'secure' system is encrypted again

      Me? cynical? naww the voice of reason(and experience)

      1. sreynolds

        Re: Governments need to intervene here

        You suggesting that the tanks roll into Russia? That wasn't going to work in the 80s and still wont work today.

        Just out of curiosity, what's Putins cut from the take? I mean if they condone this conduct then there must be a cut that Puta Putin gets?

        1. jtaylor Bronze badge

          Re: Governments need to intervene here

          "Just out of curiosity, what's Putins cut from the take?"

          He doesn't need a share of the profits and may not want to be linked. Russia can offer a safe base of operation for any group that acts to weaken rivals and not against Russian interests. That's the quid pro quo.

    3. Michael Wojcik Silver badge

      Re: Governments need to intervene here

      That will not work.

      There's already a strong incentive not to pay: it costs money, it's risky, it's bad PR, it looks bad to investors. Yet companies pay anyway, because the alternative is worse for them.

      Executives can always find a proxy and construct plausible deniability for making payments. Prosecution would be very difficult, and prosecutors hate difficult prosecutions. (See Eisinger, The Chickenshit Club.)

      And (as I keep pointing out) even reducing payments by orders of magnitude won't eliminate ransomware attacks, because the cost of mounting those attacks is extremely low.

      Governments already promulgate all sorts of IT-security requirements. The Biden White House just issued a new batch. They haven't helped much yet, and there's no reason to believe they will in the foreseeable future.

  8. MiguelC Silver badge
    Holmes

    "Phoenix is not on any prohibited party list and is not a sanctioned entity."

    So there's the loophole the government must close, just put any known black hat crew on the entity list to stop payments being legal.

    1. Yet Another Anonymous coward Silver badge

      Re: "Phoenix is not on any prohibited party list and is not a sanctioned entity."

      But what if they are a new black hat ransomware gang that aren't affiliated with the official league of supervillains?

      1. Michael Wojcik Silver badge

        Re: "Phoenix is not on any prohibited party list and is not a sanctioned entity."

        Indeed. It's very difficult for a ransomware crew to change its name and ... oh, wait.

  9. fredesmite2

    THEY DIDN'T PAY A PENNY

    Their CUSTOMERS WILL PAY $40,000,000 THOUGH IN NEW PREMIUMS.

  10. beejay1324

    Best Practice doc should be created !

    Lets have the best practice doc printed in the companies house portal in the event of such incidents !! so that none henceforth has an excuse of not knowing what needs to be done in this regards

  11. Trigonoceps occipitalis Silver badge

    Cost of Doing Business

    It seems like ransom ware is becoming just another cost of doing business. The more reliable the crooks become, decrypting when paid and not further exploiting any information collected, the more acceptable the business case for paying.

    I don't like it but that may be the least worse way ahead. Just saying protect your IT is a bit like just say no, someone will always say yes.

    1. Yet Another Anonymous coward Silver badge

      Re: Cost of Doing Business

      But you don't see a certain conflict of interest in an insurance company, that will write profitable policies against ransomware attacks, paying a ransomware gang and so enabling and encouraging it to commit further acts?

      Rather like a house insurance company donating crowbars to the charming street urchins of the neighbourhood

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021