CNA legal filings lift the curtain on a Phoenix CryptoLocker ransomware attack

Two months after fully restoring its systems, CNA Financial, the leading US insurance company that was attacked by a group using Phoenix CryptoLocker ransomware, issued a legal notice of an information security incident to the Consumer Protection Bureau in New Hampshire.

You may recall that Phoenix CryptoLocker—or simply Phoenix—is a ransomware family that is believed to be linked to the criminal group Evil Corp. CNA’s network was compromised in March 2021. The notice gives readers an insight into how the attack happened, what CNA did, and what it continues to do for those whose data was affected by this combined ransomware attack and data breach.

Phoenix posed as a browser update

According to CNA, one of its employees downloaded and executed a fake browser update after visiting a legitimate website. The notice doesn’t specify whether this legitimate website was the official website of the browser the employee was using. The fact that the employee didn’t have elevated privileges didn’t stop the threat actors from following through with the attack. Instead, they used “additional malicious activity” to get the credentials they needed to move forward. Attackers often use privilege escalation exploits to increase their access rights, or tools like Mimikatz that can extract passwords from a computer’s memory.

“With elevated privileges, the Threat Actor moved laterally within the environment to conduct reconnaissance and establish persistence onto certain systems within the environment. Between March 5 and March 20, 2021, the threat actor conducted reconnaissance within CNA’s IT environment using legitimate tools and legitimate credentials to avoid detection and to establish persistence,” the company revealed.

Using legitimate administration tools and accounts in this way to explore a network and spread malware is known as “living off the land”. It allows attackers to keep a low profile as they go about their business, because their activity doesn’t look out of place and their tools often aren’t detected by security software by default.

At least 15,000 systems, including devices connected to CNA’s network via VPN, were instantly affected after the threat actors detonated the ransomware.

Data stolen but untouched

Prior to executing Phoenix, the threat actors were able to steal important and sensitive information affecting 75,349 individuals. For a significant number of them, the stolen data consisted of the names of current and former employees and their dependents, plus their Social Security Numbers (SSNs). A small number of those affected also had their birth dates, benefit enrolment, and medical information exposed.

As to how these were stolen, the threat actors “copied, compressed and staged unstructured data obtained from file shares found on three CNA virtual servers; and used MEGAsync, a legitimate tool, to copy some of the unstructured data (“Exported Data”) from the CNA environment directly into the threat actor’s cloud-based account (the “Mega Account”) hosted by Mega NZ Limited (“Mega”).”
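The two behaviours the notice describes, credentialed lateral movement with legitimate tools and bulk copying to a cloud-storage account with MEGAsync, are hard to catch with signatures but leave patterns in ordinary telemetry. The following is an added example (not CNA’s or Malwarebytes’ code) of three simple detection rules run over a handful of constructed process, logon and network-flow events: a cloud sync client starting on a file server, one account fanning out to many hosts in a short window, and a server pushing a large volume of data to a cloud-storage domain. The event format, host-naming convention, thresholds and the extra client names beside MEGAsync are assumptions made for the example.

```python
"""Detection sketch for living-off-the-land lateral movement and MEGAsync-style
exfiltration.  Added example: the event schema, host names, thresholds and
sample events below are constructed, not taken from any real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Cloud-storage sync clients that have no business running on a file server.
# "megasync.exe" matches the MEGAsync tool named in the notice; the others are assumptions.
SYNC_CLIENT_NAMES = {"megasync.exe", "megasync", "megacmd.exe"}
CLOUD_STORAGE_DOMAINS = {"mega.nz", "mega.co.nz"}
SERVER_ROLE_PREFIXES = ("fs-", "srv-")        # constructed naming convention for servers
LATERAL_HOST_THRESHOLD = 5                     # distinct hosts one account reaches per window
LATERAL_WINDOW = timedelta(hours=1)
EXFIL_BYTES_THRESHOLD = 500 * 1024 * 1024      # 500 MiB outbound from a single server


def is_server(host):
    """Classify a host by its name prefix (assumed convention)."""
    return host.lower().startswith(SERVER_ROLE_PREFIXES)


def detect(events):
    """Return a list of (rule_name, detail) findings for a list of event dicts."""
    findings = []
    logons = defaultdict(list)   # user -> [(timestamp, host)]
    outbound = defaultdict(int)  # (host, destination domain) -> bytes sent
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "process" and is_server(e["host"]) \
                and e["image"].lower() in SYNC_CLIENT_NAMES:
            findings.append(("sync_client_on_server",
                             f'{e["image"]} started on {e["host"]} as {e["user"]}'))
        elif e["type"] == "logon" and e.get("logon_type") in (3, 10):  # network / RDP logons
            logons[e["user"]].append((ts, e["host"]))
        elif e["type"] == "netflow" and is_server(e["host"]) \
                and e["dst_domain"] in CLOUD_STORAGE_DOMAINS:
            outbound[(e["host"], e["dst_domain"])] += e["bytes_out"]

    # Rule 2: one account logging on to many distinct hosts within the window.
    for user, entries in logons.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            hosts = {h for t, h in entries[i:] if t - t0 <= LATERAL_WINDOW}
            if len(hosts) >= LATERAL_HOST_THRESHOLD:
                findings.append(("lateral_movement_fanout",
                                 f"{user} reached {len(hosts)} hosts within {LATERAL_WINDOW}"))
                break

    # Rule 3: a server sending a large volume to a cloud-storage domain.
    for (host, domain), total in outbound.items():
        if total >= EXFIL_BYTES_THRESHOLD:
            findings.append(("bulk_upload_to_cloud_storage",
                             f"{host} sent {total} bytes to {domain}"))
    return findings


# Constructed sample events: one quiet workstation, one admin account touching
# five hosts in half an hour, and a file server running MEGAsync and uploading 600 MiB.
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2021-03-19T02:10:00", "host": "ws-117", "user": "alice", "image": "chrome.exe"},
    {"type": "logon", "ts": "2021-03-19T02:11:00", "host": "ws-12", "user": "alice", "logon_type": 10},
    {"type": "logon", "ts": "2021-03-19T02:12:00", "host": "fs-01", "user": "admin.j", "logon_type": 3},
    {"type": "logon", "ts": "2021-03-19T02:15:00", "host": "fs-02", "user": "admin.j", "logon_type": 3},
    {"type": "logon", "ts": "2021-03-19T02:20:00", "host": "fs-03", "user": "admin.j", "logon_type": 3},
    {"type": "logon", "ts": "2021-03-19T02:31:00", "host": "srv-ad1", "user": "admin.j", "logon_type": 10},
    {"type": "logon", "ts": "2021-03-19T02:40:00", "host": "ws-200", "user": "admin.j", "logon_type": 3},
    {"type": "process", "ts": "2021-03-19T02:45:00", "host": "fs-03", "user": "admin.j", "image": "MEGAsync.exe"},
    {"type": "netflow", "ts": "2021-03-19T02:50:00", "host": "fs-03", "dst_domain": "mega.nz", "bytes_out": 400 * 1024 * 1024},
    {"type": "netflow", "ts": "2021-03-19T03:05:00", "host": "fs-03", "dst_domain": "mega.nz", "bytes_out": 200 * 1024 * 1024},
    {"type": "netflow", "ts": "2021-03-19T03:06:00", "host": "ws-117", "dst_domain": "mega.nz", "bytes_out": 100 * 1024 * 1024},
]


def run_sample():
    """Run the three rules over the constructed sample; returns three findings."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"{rule}: {detail}")
```

Each rule on its own is noisy (administrators do log on to many hosts; some users legitimately sync to cloud storage), which is why the example keys the sync-client and upload rules to server-class hosts and why, in practice, the three findings are correlated on the same account or host before anyone is paged.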

According to CNA’s notice, it was able to work with the FBI and the “Cloud-Storage Platform” (presumably this means Mega) to “take control of the account and quickly recover CNA’s data”. CNA believes that the data was held so that the attackers could threaten to leak it, a common tactic in modern ransomware attacks. The company reports that its forensic experts could find no evidence that the data was “viewed or otherwise shared”; therefore, it was never accessed by the threat actors themselves to either be sold, traded, or used for other nefarious purposes.

Recovering from ransomware

This information coming to light two months after the attack shows that recovering from ransomware is rarely quick and easy. Aside from the obvious technical problems that have to be overcome to get a business working again, the root causes must be discovered and addressed, and there may be legal and regulatory hurdles to overcome.

In a recent episode of our Lock and Code podcast, host David Ruiz spoke to Ski Kacoroski—a system administrator with the Northshore School District in Washington state—about the immediate reaction, the planned response, and the long road to recovery from a ransomware attack. You can listen to it below, or on Apple Podcasts, Spotify, and Google Podcasts.