In March 2021, CNA Financial Corp., one of the country’s largest insurance companies, suffered a ransomware attack from a cybercriminal group called Phoenix.
The attackers pressured the insurer to pay up quickly by raising the ransom demand, claiming the data they had was critical, and promising they would help restore everything if the company paid up.
(1) Small lapses in security led to major breaches
(2) Some companies lacked clear initial points of contact with the federal government.
The hackers originally informed the insurer that the ransom was “999 bitcoins,” or about $55 million. The criminals later upped the price, stating, “Wasting time. The cost went up, 1099 BTC.”
The attackers warned the insurer that the CNA data they had was important. “It will hit hard if leaked,” they wrote. The attackers also told CNA that they would not publish anything or talk to the press about the incident if the company paid the ransom.
CNA reportedly paid a ransom of $40 million in Bitcoin.
The ransomware attack on CNA was among the major attacks reported in 2021. Two others were:
- In May 2021, Colonial Pipeline Co., operators of the pipeline that provides nearly half of the East Coast’s fuel supply, paid DarkSide, a ransomware gang believed to operate out of Russia, $4.4 million in Bitcoin (later recovered).
- In June 2021, JBS Foods USA, which owns plants that process one-fifth of the country’s meat supply, paid a ransom of $11 million in Bitcoin after it suffered a ransomware attack, which the Federal Bureau of Investigation attributed to the criminal ransomware gang REvil (also known as Sodinokibi).
Colonial and JBS, like CNA, also had to deal with cybercriminals who kept raising the ransom price to pressure them to promptly pay millions of dollars for decryption tools and return of their data.
In each case, the criminals’ strategies included assurances that payment of the ransom would fix the situation, lead to the return of their data, and avoid negative publicity for the company. They promised they would provide decryption keys and delete their copies of the stolen data after the ransom was paid.
How exactly companies were placed under pressure to quickly pay the ransom is one of the key lessons from a Congressional inquiry by the House Committee on Oversight and Reform into multimillion dollar ransomware attacks. The investigation examined how attackers infect companies’ systems and convince companies to pay millions of dollars for uncertain decryption tools and data return. It also examined how companies attempt to restore compromised systems after the ransom had been paid.
While the committee learned how the crimes unfolded in these cases, it also called for further examination of the factors encouraging ransom payments, “including the role of cyber insurance and the costs companies can face even after paying a ransom, especially when the cybercriminals fail to deliver on their promises.”
A Nov. 16, 2021 memorandum on the investigation from the House Committee on Oversight and Reform identified two other key lessons from the inquiry: small lapses in security led to major breaches and some companies lacked clear initial points of contact with the federal government.
The committee said neither the FBI nor the Department of Justice raised any concerns about the committee releasing the information in its memo.
In all three costly attacks, the cybercriminals appear to have exploited “small failures” in security systems. In the case of Colonial, the attack started with a single stolen password for an old user profile. In the case of JBS, the failure was an old network administrator account that had not been deactivated and had a weak password. CNA’s attackers convinced a single employee to accept a fake web browser update from a commercial website.
Ransomware can move rapidly to cripple IT systems and the attack may not be detected right away. It took CNA two weeks to discover it had been hacked.
“Even large organizations with seemingly robust security systems fell victim to simple initial attacks, highlighting the need to increase security education and take other security measures prior to an attack,” the committee memo states.
The committee’s investigation revealed that reporting an attack to the government can be a logistical challenge for companies’ and may differ based on the company’s industry. Each of the three companies notified a variety of different federal agencies including law enforcement and faced delays in responses. Colonial contacted at least seven federal agencies or offices. CNA was initially referred to one FBI field office and then referred to another. An email from a JBS official to an FBI field office was passed around to different agents resulting in a several-hours delay in an FBI response. The Treasury Department answered one firm’s questions regarding sanctions, while the FBI provided the information for another company.
“Some companies lacked clear initial points of contact with the federal government. Depending on their industry, companies were confronted with a patchwork of federal agencies to engage regarding the attacks they faced,” the committee noted, highlighting the importance of having “clearly established federal points of contact.”
Attackers assured the companies that they would honor promises to provide a decryption key and delete their copies of the stolen data when the ransom was paid. But companies had no way of really knowing if the hackers destroyed their copies. The REvil attackers never provided JBS with proof that they had destroyed all copies of the data they stole.
Also, the companies found that while the decryption keys appear to have worked, it is unclear whether using them was the most effective option. Using the keys ran the risk of deleting legitimate files and, in other cases, the keys worked too slowly. CNA recovered its data with the help of consultants who located a repository used by the attackers. Colonial told investigators that it ended up using its own back-up tapes to restore its systems.
Rep. Carolyn B. Maloney, D-N.Y., chair of the Committee on Oversight and Reform, convened a hearing on Nov. 16 on the cyber memo and to hear from federal officials on the government’s strategy for fighting cyber threats.
“Ransomware attacks are a serious threat to our economy, public health, infrastructure, and national security, and recent incidents show the growing number and sophistication of attacks,” Maloney stated.
In addition to the CNA, JBS and Colonial attacks, she cited others involving the SolarWinds and Kaseya as shining “a spotlight on this growing national security threat.”
Maloney expressed concern over the “competing pressures private sector companies—especially those serving critical public functions—and state and local governments face when confronting ransomware attacks, which often lead them to accede to attackers’ demands.”
Chris Inglis, National Cyber Director, one of several government cyber experts testifying before the committee, outlined thestrategy the Biden Administration is pursuing to prioritize and coordinate the government’s efforts and its cooperation with the private sector and other countries to combat cyber attacks.
“That strategy begins with an understanding of what makes ransomware so effective. Ransomware takes advantage of key characteristics of the modern cyber ecosystem,” Inglis told the committee.
Inglis said the government is targeting these areas of the cyber ecosystem that ransomware is exploiting:
- Ransomware actors are able to purchase their tools on the black market and to mount their attacks from leased and disposable cloud-based virtual infrastructure, which they can tear down and rebuild quickly once exposed.
- The systems these criminals target are too often left vulnerable by failures to patch and upgrade, to properly secure data, to create reliable back-ups, or to ensure frontline employees consistently exercise basic cybersecurity practices.
- Inconsistent application of anti-money laundering controls to virtual currencies permits criminals to engage in arbitrage and to leverage permissive jurisdictions to launder the proceeds of their crime.
- Finally, ransomware criminals are too often able to operate with impunity in the nation states where they reside, facing no meaningful accountability for their actions.
“The Administration is bringing the full weight of U.S. government capabilities to disrupt ransomware actors, facilitators, networks and to address the abuse of financial infrastructure to launder ransoms,” Inglis stated.
He said the Administration has called on the private sector to step up its investment in cyber defenses. The government has also set forth expected cybersecurity thresholds and requirements for critical infrastructure.
The government also continues to enforce anti-money laundering controls and laws while working to acquire “new capabilities to trace and interdict ransomware proceeds,” Inglis stated.
Finally, Inglis said the government is working with international partners to disrupt ransomware networks, impose consequences and hold accountable states that allow criminals to operate from within their jurisdictions.
“These are daunting undertakings, and overcoming them will require realizing a digital ecosystem that is resilient by design, a policy and commercial environment that aligns actions to consequences, and ensuring public and private sectors are postured to proactively and decisively collaborate,” the national cyber director told the lawmakers.
On Nov. 8, 2021, DOJ announced charges against two foreign hackers affiliated with the criminal ransomware group REvil, the entity responsible for thousands of ransomware attacks, including on JBS Foods and Kaseya. DOJ also announced that it seized $6.1 million in ransom payments received by the attackers.
According to the committee, in 2020, ransomware attacks on both public and private institutions in the U.S. cost an estimated was $19.5 billion. Additionally, recent data shows that in the first six months of 2021, financial institutions reported $590 million in ransomware-related transactions. Current trends indicate that ransomware transactions in 2021 alone will exceed the previous 10 years combined.
(This article was previously published on the Insurance Journal website. Reporter Andrew G. Simpson is the Chief Content Officer of Wells Media, which publishes Carrier Management and Insurance Journal.)