Lessons from Ransomware Payments by CNA, JBS and Colonial Pipeline
In March 2021, CNA Financial Corp., one of the country’s largest insurance companies, suffered a ransomware attack from a cybercriminal group called Phoenix.
The attackers pressured the insurer to pay up quickly by raising the ransom demand, claiming the data they had was critical, and promising they would help restore everything if the company paid up.
The hackers originally informed the insurer that the ransom was “999 bitcoins,” or about $55 million. The criminals later upped the price, stating, “Wasting time. The cost went up, 1099 BTC.”
The attackers warned the insurer that the CNA data they had was important. “It will hit hard if leaked,” they wrote. The attackers also told CNA that they would not publish anything or talk to the press about the incident if the company paid the ransom.
CNA reportedly paid a ransom of $40 million in Bitcoin.
The ransomware attack on CNA was among the major attacks reported in 2021. Two others were:
- In May 2021, Colonial Pipeline Co., operators of the pipeline that provides nearly half of the East Coast’s fuel supply, paid DarkSide, a ransomware gang believed to operate out of Russia, $4.4 million in Bitcoin.
- In June 2021, JBS Foods USA, which owns plants that process one-fifth of the country’s meat supply, paid a ransom of $11 million in Bitcoin after it suffered a ransomware attack, which the Federal Bureau of Investigation attributed to the criminal ransomware gang REvil (also known as Sodinokibi).
Colonial and JBS, like CNA, also had to deal with cybercriminals who kept raising the ransom price to pressure them to promptly pay millions of dollars for decryption tools and the return of their data.
In each case, the criminals’ strategies included assurances that payment of the ransom would fix the situation, lead to the return of their data, and avoid negative publicity for the company. They promised they would provide decryption keys and delete their copies of the stolen data after the ransom was paid.
How exactly companies were placed under pressure to quickly pay the ransom is one of the key lessons from a Congressional inquiry by the House Committee on Oversight and Reform into multimillion-dollar ransomware attacks.
The investigation examined how attackers infect companies’ systems and convince companies to pay millions of dollars for uncertain decryption tools and data return. It also examined how companies attempt to restore compromised systems after the ransom has been paid.
While the committee learned how the crimes unfolded in these cases, it also called for further examination of the factors encouraging ransom payments, “including the role of cyber insurance and the costs companies can face even after paying a ransom, especially when the cybercriminals fail to deliver on their promises.”
A Nov. 16, 2021, memorandum on the investigation from the House Committee on Oversight and Reform identified two other key lessons from the inquiry: small lapses in security led to major breaches and some companies lacked clear initial points of contact with the federal government. The committee said neither the FBI nor the Department of Justice raised any concerns about the committee releasing the information in its memo.
Small Lapses
In all three costly attacks, the cybercriminals appear to have exploited “small failures” in security systems. In the case of Colonial, the attack started with a single stolen password for an old user profile. In the case of JBS, the failure was an old network administrator account that had not been deactivated and had a weak password. CNA’s attackers convinced a single employee to accept a fake web browser update from a commercial website.
Ransomware can move rapidly to cripple IT systems and the attack may not be detected right away. It took CNA two weeks to discover it had been hacked.
“Even large organizations with seemingly robust security systems fell victim to simple initial attacks, highlighting the need to increase security education and take other security measures prior to an attack,” the committee memo states.
Reporting Ransomware
The committee’s investigation revealed that reporting an attack to the government can be a logistical challenge for companies and may differ based on the company’s industry. Each of the three companies notified a variety of different federal agencies, including law enforcement, and faced delays in responses. Colonial contacted at least seven federal agencies or offices. CNA was initially referred to one FBI field office and then referred to another. An email from a JBS official to an FBI field office was passed around to different agents, resulting in a delay of several hours in the FBI response. The Treasury Department answered one firm’s questions regarding sanctions, while the FBI provided the information for another company.
“Some companies lacked clear initial points of contact with the federal government. Depending on their industry, companies were confronted with a patchwork of federal agencies to engage regarding the attacks they faced,” the committee noted.
The Aftermath
Attackers assured the companies that they would honor promises to provide a decryption key and delete their copies of the stolen data when the ransom was paid. But the companies had no way to verify that the hackers had destroyed their copies. The REvil attackers never provided JBS with proof that they had destroyed all copies of the data they stole.
Also, the companies found that while the decryption keys appear to have worked, it is unclear whether using them was the most effective option. Using the keys ran the risk of deleting legitimate files and, in other cases, the keys worked too slowly. CNA recovered its data with the help of consultants who located a repository used by the attackers. Colonial told investigators that it ended up using its own back-up tapes to restore its systems.
Committee Hearing
Rep. Carolyn B. Maloney, D-N.Y., chair of the Committee on Oversight and Reform, convened a hearing on Nov. 16 on the cyber memo and to hear from federal officials on the government’s strategy for fighting cyber threats.
“Ransomware attacks are a serious threat to our economy, public health, infrastructure, and national security, and recent incidents show the growing number and sophistication of attacks,” Maloney stated.
In addition to the CNA, JBS and Colonial attacks, she cited others involving SolarWinds and Kaseya as shining “a spotlight on this growing national security threat.”
Maloney expressed concern over the “competing pressures private sector companies — especially those serving critical public functions — and state and local governments face when confronting ransomware attacks, which often lead them to accede to attackers’ demands.”
Chris Inglis, National Cyber Director, one of several government cyber experts testifying before the committee, outlined the strategy the Biden Administration is pursuing to prioritize and coordinate the government’s efforts and its cooperation with the private sector and other countries to combat cyber attacks.
“That strategy begins with an understanding of what makes ransomware so effective. Ransomware takes advantage of key characteristics of the modern cyber ecosystem,” Inglis told the committee.
“The Administration is bringing the full weight of U.S. government capabilities to disrupt ransomware actors, facilitators, networks and to address the abuse of financial infrastructure to launder ransoms,” Inglis stated.
He said the Administration has called on the private sector to step up its investment in cyber defenses. The government has also set forth expected cybersecurity thresholds and requirements for critical infrastructure. The government also continues to enforce anti-money laundering controls and laws and is working with international partners to disrupt ransomware networks, Inglis stated.