Commentary: CNA Financial Attack and How Firms Should Respond to Ransomware
CNA Financial’s USD 40 million payout highlights the importance of ransomware resilience
In the aftermath of the largest ransomware attack to date, building resilience to such incidents is crucial.
Damages from ransomware go beyond data loss and large monetary expenses, as attackers often threaten to publicize stolen data if they are not paid immediately. Ransomware should be treated as a large-scale data breach, and organizations need to prepare for this eventuality by having a strong defense and recovery plan in place.
The CNA Financial Ransomware Attack
CNA Financial (“CNA”), one of the largest insurance companies in the US, announced that it had been hit by a sophisticated and debilitating ransomware attack this past March. The Phoenix cyber criminal group attacked CNA using the ‘Phoenix Locker’ malware, a variation of the Hades ransomware created by the Russian group Evil Corp. Whilst CNA declared that it did not lose access to any sensitive client data, over 15,000 company devices were encrypted and corporate networks were disrupted, forcing CNA to temporarily shut down its services.
CNA worked with private sector companies and US government agencies to secure its systems and contain the malware. To end the attack, CNA paid the attackers USD 40 million in Bitcoin – the largest recorded ransom payment ever – despite FBI guidelines discouraging companies from paying ransom demands, as payment strengthens attackers’ capabilities and increases the effectiveness of such attacks in the future.
The CNA Financial attack occurred within weeks of another ransomware incident hitting oil transportation company Colonial Pipeline, which paid USD 4.4 million to stop the attack and release its data. These cases are not isolated, and they serve as high-visibility examples of a pervasive ransomware problem that affects organizations of all sizes across the globe.
The Growing Incidence of Ransomware Attacks
According to reports from Bitdefender, 2020 saw a 485% increase in ransomware attacks compared to 2019, with a ransomware attack occurring every 11 seconds. In 2020, the average ransom request increased by over 170% from USD 115,123 to USD 312,493 according to Palo Alto Networks.
Ransomware attacks typically target confidential or essential user data. After the malware penetrates the system, the targeted data is encrypted and made inaccessible to the user or organization. The attacker then demands that the victim pay a fee to receive a decryption key that can be used to unlock their data and avoid permanent loss or publication on the Internet.
These attacks are highly compromising for organizations, not only for the data loss and reputational damage but because of the human emotions they leverage. Ransomware attacks often instill a sense of urgency, fear, and doubt that force people and companies to pay out large sums in the hope of recovering their data.
How to Respond to Ransomware
When an organization suffers a ransomware attack, the first call should be to your incident response team. Like medical first responders, trained incident response specialists are responsible for mitigating the effects of an incident in a timely and organized manner, including analyzing the intrusion, containing the impact, investigating the root cause, and remediating the issue with maximum efficiency and minimal business interruption.
At Blackpanda, our experienced team of ransomware professionals guides organizations through the process of dealing with a ransomware attack, helping to minimize losses, recover encrypted data, and negotiate and facilitate ransom payment.
In the event of a ransomware attack, your incident response specialists should conduct the following activities:
1. Containment & Loss Mitigation
Upon being notified of the incident, your IR team should immediately respond by quarantining and containing the ransomware, recovering as much data and as many digital assets as possible, and conducting digital forensics to attempt to reverse engineer the malware and identify the attackers. Experienced ransomware specialists may also be able to identify and retrieve decryption keys from known ransomware databases to unlock data without resorting to paying the attackers.
Timely response is critical in the first hours of a ransomware attack, which is why Blackpanda recommends that IR planning and all response terms be agreed upon prior to an incident. Such agreements are often best delivered as part of a comprehensive cyber insurance policy, or through a pre-paid IR retainer for those that do not qualify for insurance. At a bare minimum, companies should have an IR firm like Blackpanda on a Zero-Cost Retainer.
2. Ransomware Negotiation
If the IR team is unable to independently decrypt the data, they can help organizations facilitate the ransomware negotiation process given their understanding of different ransomware tools and techniques, the actors and motives behind an attack, as well as the competencies of the attackers. Negotiation efforts serve to achieve improved outcomes and provide the time and intelligence necessary for organizational leadership to make informed decisions.
Last year, 17% of ransom payers did not receive a working key to unlock encrypted data (Kaspersky, 2020). As such, a crucial part of the IR team’s work is also to assess the authenticity of decryption keys provided by the attackers through verified “proof of life” exercises.
3. Ransom Payment & Facilitation
Once the negotiation has come to an accord, the IR team guides the organization through the payment of the ransom (if required and legal), ensuring that all transactions are fully verified, transparent, secure, and auditable.
Organizations should also be aware that on 1st October 2020, the US Department of Treasury’s Office of Foreign Assets Control (OFAC) issued a globally enforceable advisory regarding ransom payments to sanctioned entities, with associated penalties of up to USD 1 million and 20 years in prison. Blackpanda fully supports an organization’s due diligence efforts throughout the decision-making process, working closely with international law enforcement partners such as the US Secret Service to identify threat actors and sanctioned-entity status.
4. Eradication & Recovery
Once the correct decryption key has been provided, your IR specialists will help decrypt all data, restore system health, and ensure that the malware and its root cause are fully eradicated. Your IR team should also maintain thorough documentation of the incident in compliance with insurance and other regulatory requirements (such as MAS Reporting Requirements), which can be a complicated and time-consuming process for organizations to conduct independently.
How to Prevent Ransomware and Mitigate Loss
The CNA Financial case is a haunting warning among many that ransomware attackers are becoming increasingly sophisticated—even the largest organizations with the most advanced preventive systems remain vulnerable to ransomware attacks.
While ransomware prevention can never completely eliminate the risk of falling victim to such attacks, it is crucial that organizations implement preventive best practices to minimize ransomware risk and mitigate potential loss.
1. Endpoint Detection & Response
Having an industry-standard endpoint detection and response (EDR) solution in place is essential. It can protect your system from known viruses and alert users when malware is detected attempting to enter the system. Traditional signature-based antivirus tools focus on blocking malware signatures from a predefined list of threats, leaving users vulnerable to new or mutated malware. Blackpanda recommends organizations invest in next-generation behavior-based EDR solutions (like SentinelOne) which use artificial intelligence to identify and alert users to suspicious and malicious behaviors.
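The difference between the two detection approaches described above can be seen in a small added example (not Blackpanda's or any EDR vendor's code). The telemetry tuple format, the thresholds, the `.locked` extension and all sample data are constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed signature list: SHA-256 of a placeholder "known" sample (not real malware).
KNOWN_SAMPLE = b"constructed-sample-binary-v1"
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

def signature_match(binary: bytes) -> bool:
    """Signature-based check: exact hash lookup against a predefined list."""
    return hashlib.sha256(binary).hexdigest() in SIGNATURES

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted output approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def behaviour_alerts(events, min_files=3, min_entropy=7.0):
    """Return pids that rewrote at least min_files files with high-entropy
    content under a new extension (thresholds are assumptions)."""
    hits = defaultdict(set)
    for pid, old_path, new_path, written in events:
        ext_changed = old_path.rsplit(".", 1)[-1] != new_path.rsplit(".", 1)[-1]
        if ext_changed and entropy(written) >= min_entropy:
            hits[pid].add(old_path)
    return sorted(pid for pid, files in hits.items() if len(files) >= min_files)

def sample_events():
    """Constructed telemetry: (pid, old_path, new_path, bytes_written)."""
    def noise(seed):  # deterministic stand-in for ciphertext
        return b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(64))
    text = b"quarterly report draft\n" * 50
    return [
        (101, "a/report.docx", "a/report.docx.locked", noise(1)),
        (101, "a/budget.xlsx", "a/budget.xlsx.locked", noise(2)),
        (101, "a/plan.pdf", "a/plan.pdf.locked", noise(3)),
        (202, "b/notes.txt", "b/notes.txt", text),      # ordinary save
        (303, "c/photo.png", "c/photo.jpg", noise(4)),  # one conversion only
    ]

if __name__ == "__main__":
    mutated = KNOWN_SAMPLE + b"\x00"  # one-byte change defeats the hash lookup
    print("signature hit (known):  ", signature_match(KNOWN_SAMPLE))
    print("signature hit (mutated):", signature_match(mutated))
    print("behaviour alerts (pids):", behaviour_alerts(sample_events()))
```

The hash lookup misses the one-byte variant, while the behaviour rule flags only the process that rewrites several files with high-entropy content, regardless of which binary performed the writes.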
2. Secured Data Backups
If EDR tools are like cyber-sentries, encrypted backups are like cyber-vaults. Avoid losing important data to a ransomware attack by keeping regularly updated and encrypted backups, both offline and with security-protected cloud offerings (such as Acronis). Data backups allow organizations to fully recover from a ransomware incident as well as provide greater leverage in ransom negotiations.
Knowing the precise location of all sensitive data is also crucial to limit exposure to attacks and minimize business interruption. Access to such data should be protected by multi-factor authentication (MFA), and the principle of least privilege should be strictly adhered to.
3. IR Planning, Retained Response, & Cyber Insurance
Given that even the most secure network is vulnerable to cyberattacks, having an incident response team and plan in place is essential. The most cost-efficient vehicle for retaining IR services is through a cyber insurance policy—at a mere fraction of the price of a traditional retainer.
Comprehensive cyber insurance providers such as Pandamatics Underwriting offer coverage up to USD 5 million, inclusive of all incident response fees, legal and public relations support, as well as discounted rates on next-generation EDR, encrypted backup solutions, and other pre-breach consulting services and technologies.
The CNA Financial and Colonial Pipeline ransomware attacks highlight the potentially catastrophic disruptions such attacks can have on both individual organisations and the greater economy. With the increased frequency of ransomware across the world, ensuring effective response and recovery protocols is necessary for organisations to both protect their data and avoid large payouts.
On top of the hardening of systems security, knowing who to go to when an attack occurs is essential. Expert IR teams can aid organisations through the process of preparation and ransomware eradication through containment, negotiation with attackers, ransom payment guidance, and recovery support. Obtaining comprehensive cyber insurance will also help mitigate the impact of ransomware on organisations, covering financial loss and any costs incurred to contain and eradicate the threat.