CNA Financial Ransomware 2021: $40 Million, The Largest Known Ransomware Payment
Breach Summary
The CNA Financial ransomware attack of March 2021 resulted in the largest known ransomware payment in history — $40 million paid to the Evil Corp-affiliated Phoenix ransomware group — and raised significant concern because CNA is itself a major cyber insurance underwriter, meaning the company that helps other organizations manage cyber risk had paid an unprecedented ransom to resolve its own attack.
What Happened
CNA discovered the attack on March 21, 2021 and disconnected systems globally. The attack disrupted CNA's customer portal, email, and underwriting systems for approximately two weeks. CNA paid the $40 million ransom on May 11, 2021, after two weeks of negotiation. Bloomberg reported the payment amount in May 2021; CNA declined to confirm the figure publicly. The FBI and OFAC investigated. CNA subsequently notified 75,000 individuals whose data was compromised.
Attack Vector Detail
Attackers gained initial access through a fraudulent browser update that an employee downloaded. The payload installed an Evil Corp-affiliated Phoenix ransomware precursor that conducted reconnaissance over several weeks before the ransomware itself was deployed. Approximately 75,000 individuals' data was exfiltrated before the encryption payload was deployed across CNA's systems. CNA negotiated the ransom down from an initial demand of $60 million before paying $40 million in Bitcoin two weeks after the attack.
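The initial access vector above, a fake browser update delivered as a download, leaves a recognizable trace in web proxy logs: an executable whose filename imitates a browser installer or updater, fetched from a host that is not one of the vendor's own update domains. The following is an added example of that detection heuristic written for this page; it is not CNA's tooling or code from any of the parties described. The log format, the user names, the hosts and the vendor allowlist are all constructed for illustration, and the allowlist would need to be maintained from vendor documentation in a real deployment.

```python
"""Flag executable downloads that look like browser updates but come from
hosts outside a vendor allowlist (fake-browser-update initial access).
Added example; the log format and hosts below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumed allowlist of legitimate browser update hosts. Illustrative only;
# maintain it from vendor documentation rather than trusting this list.
VENDOR_UPDATE_HOSTS = {
    "dl.google.com",
    "clients2.google.com",
    "download.mozilla.org",
    "aus5.mozilla.org",
    "msedge.b.tlu.dl.delivery.mp.microsoft.com",
}

# Filenames that advertise themselves as a browser installer or updater.
UPDATE_NAME_RE = re.compile(
    r"(chrome|firefox|edge|browser)[-_ ]?(update|install|setup|upgrade)",
    re.IGNORECASE,
)
# Extensions and content types that indicate an executable payload rather
# than a page. Archives are included because updaters are often zipped.
EXECUTABLE_EXTENSIONS = (".exe", ".msi", ".js", ".hta", ".zip", ".iso")
EXECUTABLE_CONTENT_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/zip",
}
# Brand words in a non-vendor hostname raise the severity of a finding.
BRAND_WORDS = ("google", "chrome", "mozilla", "firefox", "microsoft", "edge")

# Constructed proxy log, one request per line:
# <timestamp> <user> <method> <url> <status> <content-type>
SAMPLE_LOG = """\
2021-03-01T09:12:03Z jdoe GET https://dl.google.com/chrome/install/ChromeSetup.exe 200 application/octet-stream
2021-03-01T09:15:44Z asmith GET https://update-browser-cdn.example.net/Chrome_Update.exe 200 application/octet-stream
2021-03-01T09:16:10Z asmith GET https://www.example.org/news/index.html 200 text/html
2021-03-01T10:02:51Z bwong GET https://chrome-update.example-media.net/FirefoxUpdate.zip 200 application/zip
"""


@dataclass
class Finding:
    timestamp: str
    user: str
    url: str
    reason: str


def is_vendor_host(host: str) -> bool:
    """True if host is an allowlisted vendor domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in VENDOR_UPDATE_HOSTS)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed log line into fields; None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    keys = ("ts", "user", "method", "url", "status", "ctype")
    return dict(zip(keys, parts))


def classify(entry: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when the request is an update-named executable
    fetched from a host outside the vendor allowlist."""
    parsed = urlparse(entry["url"])
    filename = parsed.path.rsplit("/", 1)[-1]
    looks_executable = (
        filename.lower().endswith(EXECUTABLE_EXTENSIONS)
        or entry["ctype"].lower() in EXECUTABLE_CONTENT_TYPES
    )
    if not looks_executable or not UPDATE_NAME_RE.search(filename):
        return None
    host = parsed.hostname or ""
    if is_vendor_host(host):
        return None
    if any(word in host.lower() for word in BRAND_WORDS):
        reason = "browser-update executable from brand-named host outside vendor allowlist"
    else:
        reason = "browser-update executable from host outside vendor allowlist"
    return Finding(entry["ts"], entry["user"], entry["url"], reason)


def analyze(log_text: str) -> List[Finding]:
    """Run the heuristic over successful GET requests in the log text."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["method"] != "GET":
            continue
        if not entry["status"].startswith("2"):
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user} {f.url}\n  -> {f.reason}")
```

On the constructed log the vendor-hosted ChromeSetup.exe is ignored, while the two update-named downloads from non-vendor hosts are reported, the second with higher severity because the hostname borrows a brand name. The allowlist, not the filename pattern, is what carries the signal: filenames are trivially chosen by an attacker, whereas the set of hosts a vendor actually serves updates from is small and stable enough to maintain.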
Breach Pattern Timeline
March 21, 2021
CNA Financial — one of the largest U.S. commercial insurance carriers — detects 'sophisticated cybersecurity attack' on its corporate network. Activates incident response.
March 21-23, 2021
Phoenix Locker ransomware (variant of Hades, attributed to Evil Corp) deploys across CNA's network. CNA takes systems offline including websites, email, customer portals, and policy administration.
March 26, 2021
CNA publicly confirms ransomware attack. Customers report inability to file claims, access policy documents, or contact CNA representatives.
April-May 2021
CNA negotiates with Evil Corp affiliates. Initial demand reportedly $60M; negotiated down.
May 2021
Bloomberg reports CNA paid $40 million in Bitcoin ransom — at the time, the largest publicly known ransomware payment in U.S. history. Payment notable because Evil Corp had been sanctioned by U.S. Treasury OFAC since 2019, raising legal questions about U.S. companies paying sanctioned entities.
June 2021
OFAC issues advisory updating its 2020 ransomware sanctions guidance, signaling stricter enforcement of payments to sanctioned ransomware groups going forward.
July 2021
CNA confirms data exfiltration of customer and employee personal information. Begins notifications to ~75,000 affected individuals.
2022-2024
CNA class action consolidated in federal court. Insurance industry adopts more rigorous cybersecurity underwriting standards directly attributable to CNA precedent. CNA becomes foundational case for OFAC-sanctioned-entity ransomware payment risk.
Total impact: ~75,000 individuals affected, $40M ransom paid (largest publicly disclosed in U.S. at time), foundational precedent for OFAC-sanctioned-entity ransomware payment legal risk and insurance carrier cyber underwriting standards.
Executive Lessons
CNA Financial established that large financial institutions will pay nine-figure ransoms to recover from ransomware if the operational disruption is severe enough. The $40 million payment — the largest known ransomware payment at the time — reflected the business impact of an insurer being unable to underwrite or service policies. It also established that cyber insurers are themselves ransomware targets, creating a specific conflict of interest between insurers' financial interests in avoiding payments and their operational need to restore their own systems.
Private Equity Implications
The CNA breach demonstrated that OFAC sanctions compliance is an incident response requirement, not only a normal business requirement. PE sponsors should ensure portfolio companies' incident response plans include ransomware payment legal review and OFAC sanctions screening as explicit pre-payment steps, and that legal counsel with sanctions expertise is on retainer for rapid engagement during incidents.