Ransomware gang breached CNA's network via fake browser update
Image: Josh Calabrese, CNA.
Leading US insurance company CNA Financial has provided a glimpse into how Phoenix CryptoLocker operators breached its network, stole data, and deployed ransomware payloads in a ransomware attack that hit its network in March 2021.
The ransomware operator obtained elevated privileges on the system via "Additional malicious activity" and then moved laterally through CNA's network, breaching and establishing persistence on more devices.
"On March 20 and into March 21, 2021, the Threat Actor disabled monitoring and security tools; destroyed and disabled certain CNA back-ups; and deployed ransomware onto certain systems within the environment, leading CNA to proactively disconnect systems globally as an immediate containment measure."
Sources familiar with the attack told BleepingComputer that the Phoenix CryptoLocker encrypted more than 15,000 systems after deploying ransomware payloads on CNA's network on March 21.
"Prior to deploying the ransomware, the Threat Actor copied, compressed and staged unstructured data obtained from file shares found on three CNA virtual servers; and used MEGAsync, a legitimate tool, to copy some of that unstructured data from the CNA environment directly into the threat actor's cloud-based account hosted by Mega NZ Limited," the company added.
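The staging-then-upload sequence CNA describes (compress file-share data on a server, then push it out with MEGAsync) is a chain a defender can look for in endpoint telemetry. The following is an added detection sketch, not code from the article or from CNA; it runs over constructed sample process and DNS events (the host names, timestamps and the 2-hour window are assumptions) and flags hosts where an archiver ran and MEGAsync or a mega.nz lookup followed shortly after.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not CNA's logs): "timestamp|host|type|detail".
SAMPLE_EVENTS = r"""
2021-03-19T22:01:10|vsrv-03|process|7z.exe a C:\staging\shares.7z \\fs01\shares
2021-03-19T22:40:02|vsrv-03|process|C:\Users\svc\AppData\Local\MEGAsync\MEGAsync.exe
2021-03-19T22:40:05|vsrv-03|dns|g.api.mega.co.nz
2021-03-19T09:15:00|wks-117|process|MEGAsync.exe
2021-03-19T10:00:00|wks-118|process|7z.exe a backup.7z C:\projects
""".strip().splitlines()

ARCHIVERS = re.compile(r"(?:^|\\)(?:7z|7za|rar|winrar|tar|zip)\.exe\b", re.I)
MEGA_PROC = re.compile(r"(?:^|\\)megasync\.exe\b", re.I)
MEGA_DNS = re.compile(r"(?:^|\.)mega(?:\.co)?\.nz$", re.I)
WINDOW = timedelta(hours=2)  # assumed maximum gap between staging and upload

def parse(line):
    ts, host, kind, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, kind, detail

def is_mega(kind, detail):
    # MEGAsync process launch or a DNS query for the MEGA service domains
    if kind == "process":
        return bool(MEGA_PROC.search(detail))
    return kind == "dns" and bool(MEGA_DNS.search(detail))

def find_exfil_chains(lines, window=WINDOW):
    """Map host -> (archive_time, mega_time, detail) for hosts where an
    archiver ran and MEGA activity followed within `window`."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse(line)
        by_host[ev[1]].append(ev)
    hits = {}
    for host, events in by_host.items():
        events.sort()
        staged = [ts for ts, _, kind, d in events
                  if kind == "process" and ARCHIVERS.search(d)]
        for ts, _, kind, d in events:
            prior = [a for a in staged if timedelta(0) <= ts - a <= window]
            if prior and is_mega(kind, d) and host not in hits:
                hits[host] = (prior[-1], ts, d)
    return hits

if __name__ == "__main__":
    for host, (staged_at, mega_at, what) in find_exfil_chains(SAMPLE_EVENTS).items():
        print(f"{host}: archived at {staged_at}, MEGA activity at {mega_at} ({what})")
```

A MEGAsync launch on its own (wks-117) or archiving on its own (wks-118) is deliberately not flagged; the correlation is what separates the staged-exfiltration pattern from ordinary use of either tool.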
Taking into account the results of the ransomware attack investigation, CNA says that "There is no evidence that the threat actor viewed, retained or shared the exported data and, thus, no risk of harm to individuals arising from the incident."