CNA Financial Corp. refused to comment late Thursday on a Bloomberg report that it paid $40 million to hackers to regain control of its systems after being hit by a ransomware attack in March.
Citing "people with knowledge of the attack," the newswire said that CNA initially ignored the hackers' demand for a $60 million ransom but began negotiations within a week.
CNA declined to say whether it paid a ransom but noted that the group that carried out the attack was not on the US government's list of sanctioned entities with which it is prohibited from dealing.
In a statement, the insurer said: "CNA does not comment on the redemption, but the company consulted and shared intelligence with the FBI and OFAC regarding the cyber incident and the identity of the threat actor. CNA complied with all laws, regulations and published guidelines, including OFAC's guidelines for ransomware 2020, in its handling of this issue. The work with due diligence concludes that the threat actor responsible for the attack is a group called Phoenix. Phoenix is not on any banned party list and is not a sanctioned entity."
The US Treasury's Office of Foreign Assets Control last October provided guidance to companies on facilitating ransomware payments.
Among other things, the guide states: "US persons are generally prohibited from conducting transactions, directly or indirectly, with individuals or entities ("persons") on OFAC's Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons and those subject to extensive country or regional embargoes (e.g. Cuba, Crimea in Ukraine, Iran, North Korea and Syria)."
CNA disconnected its systems at the end of March after revealing that it was the subject of a cyber attack. Its corporate website remained down for two weeks.