CNA Financial Ransomware 2021: $40 Million, The Largest Known Ransomware Payment
Breach Summary
The CNA Financial ransomware attack of March 2021 resulted in what was, at the time, the largest known ransomware payment: $40 million reportedly paid to the operators of Phoenix Locker, a ransomware strain attributed to the Evil Corp cybercrime group. The case drew particular attention because CNA is itself a major cyber insurance underwriter: the company that helps other organizations manage cyber risk had paid an unprecedented ransom to resolve its own attack.
What Happened
CNA discovered the attack on March 21, 2021 and disconnected systems globally. The attack disrupted CNA's customer portal, email, and underwriting systems for roughly two weeks. According to Bloomberg, which reported the figure in May 2021, CNA paid the $40 million ransom in late March, roughly two weeks after the attack and after negotiating the initial demand down; CNA declined to confirm the amount publicly, but stated that it had notified the FBI and OFAC and followed OFAC's 2020 ransomware guidance. CNA subsequently notified roughly 75,000 individuals whose data was compromised.
Attack Vector Detail
Attackers gained initial access when an employee downloaded a fraudulent browser update. The payload installed a loader for Phoenix Locker, a Hades-derived ransomware strain attributed to Evil Corp, and the operators spent about two weeks inside the network on reconnaissance before deploying the encryptor. Data on approximately 75,000 individuals was exfiltrated before encryption, giving the attackers leverage for double extortion: the threat of publishing stolen data on top of the denial of access to encrypted systems. CNA negotiated the demand down from an initial $60 million and paid $40 million in Bitcoin roughly two weeks after the attack.
Breach Pattern Timeline
March 21, 2021
CNA Financial — one of the largest U.S. commercial insurance carriers — detects 'sophisticated cybersecurity attack' on its corporate network. Activates incident response.
March 21-23, 2021
Phoenix Locker ransomware (variant of Hades, attributed to Evil Corp) deploys across CNA's network. CNA takes systems offline including websites, email, customer portals, and policy administration.
March 26, 2021
CNA publicly confirms ransomware attack. Customers report inability to file claims, access policy documents, or contact CNA representatives.
Late March 2021
CNA negotiates with the attackers. Initial demand reportedly $60M; negotiated down to $40M and paid in Bitcoin roughly two weeks after the attack (per Bloomberg's later reporting).
May 2021
Bloomberg reports that CNA paid $40 million in Bitcoin in late March, at the time the largest publicly known ransomware payment. The payment is notable because Evil Corp had been sanctioned by the U.S. Treasury's OFAC since December 2019, raising the question of whether a U.S. company paying a sanctioned entity, even through an intermediary, violates U.S. sanctions law.
July 2021
CNA confirms exfiltration of customer and employee personal information and begins notifications to roughly 75,000 affected individuals.
September 2021
OFAC issues an updated advisory superseding its October 2020 ransomware guidance, stating that it will consider ransomware payments to sanctioned parties on a strict-liability basis and signaling stricter enforcement going forward.
2022-2024
Class-action litigation over the breach is consolidated in federal court. Cyber insurers tighten underwriting requirements and pricing, with the CNA incident frequently cited as a reference case. CNA becomes a foundational case for the legal risk of ransomware payments to OFAC-sanctioned entities.
Total impact: roughly 75,000 individuals affected, $40M ransom paid (the largest publicly disclosed ransomware payment at the time), and a lasting precedent for both OFAC sanctions risk in ransom payments and cyber insurance underwriting standards.
Executive Lessons
CNA Financial established that large financial institutions will pay eight-figure ransoms to recover from ransomware if the operational disruption is severe enough. The $40 million payment, the largest known ransomware payment at the time, reflected the business impact of an insurer being unable to underwrite or service policies. It also established that cyber insurers are themselves ransomware targets, creating a specific conflict between an insurer's financial interest in discouraging ransom payments and its operational need to restore its own systems.
Private Equity Implications
The CNA breach demonstrated that OFAC sanctions compliance is an incident response requirement, not only a normal business requirement. PE sponsors should ensure that portfolio companies' incident response plans include ransomware payment legal review and OFAC sanctions screening as explicit pre-payment steps, and that legal counsel with sanctions expertise is on retainer for rapid engagement during incidents.
Frequently Asked Questions
What was the CNA Financial ransomware attack of 2021?
In March 2021, CNA Financial Corporation, one of the largest commercial insurers in the United States, was hit by Phoenix CryptoLocker (Phoenix Locker) ransomware, a strain attributed to the Evil Corp group. CNA reportedly paid approximately $40 million in ransom, at the time the largest publicly disclosed ransomware payment. The attack disrupted CNA operations for weeks and affected policyholder services.
Who attacked CNA Financial?
Phoenix CryptoLocker, believed to be operated by the Russian cybercrime group Evil Corp under a rebranded strain adopted after U.S. Treasury sanctions against the group, was responsible for the attack. Evil Corp's sanctioned status created legal complications for U.S. companies considering ransom payments, which is a large part of why the CNA case is strategically significant.
How much did CNA pay?
CNA reportedly paid approximately $40 million in ransom to the attackers. The figure was reported by Bloomberg in May 2021; CNA did not confirm it, stating only that it had followed applicable law and OFAC guidance. The size of the payment made it a foundational case study in ransom economics and the regulatory implications of paying sanctioned threat actors.
What was the OFAC sanctions issue?
The U.S. Treasury Office of Foreign Assets Control (OFAC) sanctioned Evil Corp in December 2019. Payments to sanctioned entities can constitute U.S. sanctions violations on a strict-liability basis, regardless of whether the payer knew the recipient was sanctioned. The CNA payment prompted public discussion of whether companies paying ransoms to sanctioned threat actors face OFAC enforcement risk. OFAC had issued a ransomware payment advisory in October 2020 and updated it in September 2021.
What did CNA establish for insurance industry security?
The CNA attack reinforced that the insurance industry, and cyber insurance underwriters in particular, is a strategic target for ransomware groups seeking both ransom payments and intelligence on which policyholders carry coverage and at what limits. For insurance executives, the implication is that operational continuity, data protection, and OFAC compliance frameworks must treat ransomware as a primary risk category.