Cyber Incident Victim: CNA Financial
Date: Mar 2021
Location: United States of America
Summary
CNA Financial experienced a ransomware attack involving the Phoenix CryptoLocker variant, potentially linked to the sanctioned Evil Corp group, which encrypted over 15,000 devices including remote systems connected via VPN. The incident caused significant network disruption, impacted corporate email, and likely involved data exfiltration—a common tactic in such attacks. While the company restored operations from backups, the targeting of a major cyberinsurance provider raises concerns about threat actors leveraging stolen policy information to identify lucrative future victims. The attackers appended encrypted files with a .phoenix extension and deployed ransom notes, though no confirmed nexus to Evil Corp was established by the victim.
Description
On March 21, 2021, CNA Financial detected a sophisticated cyberattack that disrupted its network operations and corporate email systems. The incident involved the deployment of a previously unseen ransomware variant identified as Phoenix CryptoLocker, which encrypted files across more than 15,000 devices on CNA's network. The ransomware affected both on-premises systems and remote employee computers connected through the company's VPN during the attack. Forensic analysis revealed the malware appended the ".phoenix" extension to encrypted files and generated ransom notes titled "PHOENIX-HELP.txt." CNA promptly issued public confirmation of the attack following initial media reports, acknowledging significant operational impacts but providing no immediate details about data compromise. Internal sources indicated the organization planned to restore affected systems from backups, though the company did not formally confirm this recovery strategy. The remote encryption of VPN-connected devices demonstrated the ransomware's ability to propagate beyond corporate network boundaries.

Security researchers identified potential connections between Phoenix CryptoLocker and the sanctioned Evil Corp cybercrime group based on code similarities with their previous ransomware families. Evil Corp had historically deployed WastedLocker before rebranding operations as Hades ransomware following U.S. government sanctions in 2019. While CrowdStrike assessments suggested Phoenix represented another evolutionary variant from this threat actor, CNA maintained there was no confirmed nexus to Evil Corp. The attack's targeting of a major cyberinsurance provider raised concerns about secondary risks to policyholder organizations, as threat actors could exploit stolen insurance policy data to identify lucrative future targets. Although investigators had not verified data exfiltration at the time of reporting, the prevalence of double-extortion tactics among ransomware groups made unauthorized data access a probable component of the intrusion. The incident highlighted systemic vulnerabilities in insurer networks that manage sensitive client cybersecurity profiles.
