Leading US insurance company CNA Financial has provided a glimpse into how Phoenix CryptoLocker operators breached its network, stole data and deployed ransomware payloads in the attack that hit the company in March 2021. Two months ago, on May 13, CNA said it had begun operating “in a fully restored state” after restoring the systems impacted in the attack.

As revealed in a legal notice filed earlier this month, CNA established the exact timeline of the ransomware attack following an investigation conducted with the help of third-party security experts hired immediately after the incident was discovered.

According to the insurer, the attackers first breached an employee’s workstation on March 5 using a fake, malicious browser update delivered via a legitimate website. The ransomware operator obtained elevated privileges on that system via “additional malicious activity” and then moved laterally through CNA’s network, breaching and establishing persistence on additional devices.

“Between March 5 and March 20, 2021, the threat actors conducted reconnaissance within CNA’s IT environment using legitimate tools and credentials to avoid detection and to establish persistence,” the legal notice filed with New Hampshire’s Attorney General Office reveals. “On March 20 and into March 21, 2021, the Threat Actor disabled monitoring and security tools; destroyed and disabled certain CNA back-ups; and deployed ransomware onto certain systems within the environment, leading CNA to proactively disconnect systems globally as an immediate containment measure.”

Sources familiar with the attack told reporters that Phoenix CryptoLocker encrypted more than 15,000 systems after the ransomware payloads were deployed on CNA’s network on March 21.
Reporters also learned that the ransomware operators encrypted the devices of remote workers who were logged into the company’s VPN during the attack.

“Before deploying the ransomware, the Threat Actor copied, compressed and staged unstructured data obtained from file shares found on three CNA virtual servers; and used MEGAsync, a legitimate tool, to copy some of that unstructured data from the CNA environment directly into the threat actor’s cloud-based account hosted by Mega NZ Limited,” the company added.

As CNA further discovered, the stolen files included sensitive information (names, Social Security numbers, dates of birth, benefits enrollment, and/or medical information) belonging to employees, former employees and their dependents, and, in roughly 10% of cases, customers.

The investigation also found that the attackers exfiltrated data only to the Mega account, which was subsequently seized with the help of the FBI and Mega. Based on information provided by the cloud storage platform, the stolen CNA data was not shared outside the attackers’ Mega account. Considering the results of the investigation, CNA says that “there is no evidence that the threat actor viewed, retained or shared the exported data and, thus, no risk of harm to individuals arising from the incident.”

Despite this conclusion, CNA still decided to notify impacted individuals earlier this month of a potential data breach. According to breach information filed by CNA with the office of Maine’s Attorney General, the breach affected 75,349 individuals.
Even though CNA reported that the ransomware group did not share the financial and personal data it obtained, all affected individuals should check their financial accounts for unusual activity. They should also consider an identity-theft monitoring service and a credit freeze.

Companies and non-profit organizations that handle sensitive personal data of employees or customers should review the report on this ransomware attack and assess their own ability to detect these patterns of attacker behavior. Because many intrusions that lead to ransomware use similar tactics and techniques, it is possible to learn from incidents at other companies and improve defenses. For example, the intrusion started with an employee action on a workstation, which underlines the importance of educating employees about their role in security and of having 24/7 monitoring of security events on employee workstations. The report also notes that the attacker used built-in system tools to advance the intrusion and move through the network, so organizations need more than anti-virus that detects known malicious files: they also need Endpoint Detection and Response (EDR) software that can detect anomalous and potentially harmful behavior from approved software and system tools. Early detection and a quick response by security personnel can be the difference between a disruptive data breach and a minor security incident.
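As an added illustration of the detection point above (this is example code, not anything from CNA or its investigators), the following Python correlates endpoint events into the March 20–21 sequence the notice describes: a security tool stopped, a backup destroyed, and MEGAsync started on the same host within a short window. The event format, field names, host names and the security-service names are all assumed; the sample lines are constructed.

```python
"""Flag hosts showing the staging pattern from the CNA notice: security tool
stopped, backup deleted, then MEGAsync started, all within a time window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real CNA data); the key=value format is assumed.
EVENTS = [
    "2021-03-20T22:01:00 host=SRV-FS01 user=svc_backup action=service_stop target=EDRAgent",
    "2021-03-20T22:03:10 host=SRV-FS01 user=svc_backup action=backup_delete target=nightly-set-17",
    "2021-03-20T22:40:00 host=SRV-FS01 user=svc_backup action=process_start target=MEGAsync",
    "2021-03-20T09:15:00 host=WS-0412 user=jsmith action=process_start target=MEGAsync",
    "2021-03-19T11:00:00 host=SRV-FS02 user=admin action=service_stop target=PrintSpooler",
]

# Which (action, target) pairs count toward each phase of the pattern.
PHASES = {
    "service_stop": {"EDRAgent", "SecMonitor"},  # assumed names of security services
    "backup_delete": None,                        # any backup deletion counts
    "process_start": {"MEGAsync"},                # exfiltration tool named in the notice
}
ORDER = ["service_stop", "backup_delete", "process_start"]
WINDOW = timedelta(hours=2)

def parse(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def phase_of(ev):
    """Return the phase name an event belongs to, or None if it is irrelevant."""
    if ev["action"] not in PHASES:
        return None
    targets = PHASES[ev["action"]]
    return ev["action"] if targets is None or ev["target"] in targets else None

def find_staging_hosts(lines, window=WINDOW):
    """Hosts where all three phases occur in ORDER within `window` of the first."""
    by_host = defaultdict(list)
    for ev in map(parse, lines):
        phase = phase_of(ev)
        if phase:
            by_host[ev["host"]].append((ev["ts"], phase))
    hits = []
    for host, evs in by_host.items():
        idx, start = 0, None
        for ts, phase in sorted(evs):           # chronological walk per host
            if phase == ORDER[idx] and (start is None or ts - start <= window):
                start, idx = start or ts, idx + 1
                if idx == len(ORDER):
                    hits.append(host)
                    break
    return sorted(hits)
```

A lone MEGAsync start on a workstation (WS-0412 above) is not flagged on its own; it is the ordered combination with a stopped security service and a destroyed backup that makes the host stand out.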