Insurance giant CNA has suffered a ransomware attack using a new variant called Phoenix CryptoLocker, which is possibly linked to the Evil Corp hacking group.
CNA confirmed that the sophisticated cyberattack had caused a network disruption and impacted certain systems, including corporate email, last weekend.
The attack was caused by a new ransomware known as ‘Phoenix CryptoLocker.’ The attackers deployed the ransomware on CNA’s network on March 21, where it proceeded to encrypt over 15,000 devices on their network.
It also encrypted the computers of employees working remotely who were logged into the company’s VPN at the time of the attack.
While encrypting devices, the ransomware appended the .phoenix extension to encrypted files and created a ransom note named PHOENIX-HELP.txt.
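The two file-system indicators named above (the appended .phoenix extension and the PHOENIX-HELP.txt ransom note) are what a responder would sweep a host for. The following triage script is an added example, not code from the article or from CNA; it walks a directory tree, counts encrypted files per directory, finds ransom notes, and flags a likely mass-encryption event. The sample tree it builds is constructed for the demonstration, and the threshold of 10 is an assumed tuning value.

```python
"""Triage helper for the Phoenix CryptoLocker file indicators described
above. Added example; the sample tree and threshold are constructed."""
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".phoenix"        # extension the ransomware appends
RANSOM_NOTE = "PHOENIX-HELP.txt"  # ransom note file name


def scan_tree(root):
    """Walk `root`; return (encrypted-file count per directory, note paths)."""
    per_dir = Counter()
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            elif name.lower().endswith(ENCRYPTED_EXT):
                per_dir[dirpath] += 1
    return per_dir, notes


def assess(root, threshold=10):
    """Summarise a scan: a tree is flagged when a ransom note is present
    or the encrypted-file count reaches `threshold` (assumed value)."""
    per_dir, notes = scan_tree(root)
    total = sum(per_dir.values())
    return {
        "encrypted_files": total,
        "ransom_notes": len(notes),
        "suspected_ransomware": bool(notes) or total >= threshold,
    }


def build_sample_tree():
    """Constructed tree mimicking an affected share (not real CNA data)."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for i in range(12):  # 12 renamed files, one note, one untouched file
        open(os.path.join(docs, f"report{i}.docx{ENCRYPTED_EXT}"), "w").close()
    with open(os.path.join(docs, RANSOM_NOTE), "w") as fh:
        fh.write("constructed placeholder note text")
    open(os.path.join(root, "clean.txt"), "w").close()
    return root


def build_clean_tree():
    """Constructed tree with no indicators, for comparison."""
    root = tempfile.mkdtemp()
    open(os.path.join(root, "notes.txt"), "w").close()
    return root


if __name__ == "__main__":
    print(assess(build_sample_tree()))  # flagged
    print(assess(build_clean_tree()))   # not flagged
```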
According to sources, Phoenix Locker is believed to be a new ransomware family released by Evil Corp, based on similarities in the code.
Evil Corp earlier used the WastedLocker ransomware when conducting attacks against compromised organizations.
Since the US government sanctioned the hacking group in 2019, most ransomware negotiation firms would no longer facilitate WastedLocker ransom payments to avoid facing fines or legal action.
Based on new reports, the Evil Corp hacking group switched to a new ransomware family called Hades to bypass the US sanctions.
The Hades ransomware family, which has been seen in multiple attacks since then, has been found to be a rebranded version of the previously used WastedLocker ransomware.
The new Phoenix Locker ransomware used in the CNA attack is believed to be another Evil Corp spinoff.
However, the threat actor group, Phoenix, responsible for this attack, is not a sanctioned entity and no U.S. government agency has confirmed a relationship between the group that attacked CNA and any sanctioned entity.
It is not known at the moment whether the attackers stole unencrypted files before encrypting CNA’s devices.
The company has notified the FBI of this incident and is actively cooperating with them; the investigation is ongoing.
Ransomware gangs regard companies with cyberinsurance policies as attractive targets, since the insurer may be more likely to pay the ransom.