A Ransomware Gang Hijacked CNA’s Network via Fake Browser Update

One of the leading insurance companies CNA Financial has given an impression into how Phoenix CryptoLocker operators breached the network, hijack information, and set up the ransomware payloads in a ransomware attack that hit its network in March 2021.

Two months ago, on May 13, CNA said it creates operating “in a fully restored state” after restoring the systems harmed in the attack. As discovered in a legal notice file earlier this month, CNA found a similar timeline of the ransomware attack following researches takes place with the help of third-party security experts hired immediately after discovering the incident.

How do they Hijack the Network using Fake Browser Updates?

As discovered by the US insurer, the threat actor first hijacked an employee’s workstation in March using a fake and malicious browser update transmitted using an appropriate website. The ransomware operator generates elevated rights on the system using the “additional malicious activity” and then moved laterally through CNA’s network, breaching and establishing persistence on more devices.

“Between March 5 and March 20, 2021, the threat actors conducted reconnaissance within CNA’s IT environment using appropriate tools and passwords to bypass detection and to establish persistence,” the legal notice filed with New Hampshire’s Attorney General Office reveals.

“On 20th of March and into March 21, 2021, the attacker disabled monitoring and security equipments; setup and disabled some of the CNA back-ups; and setup the ransomware onto some systems within the surroundings, leading CNA to proactively disconnect systems globally as in immediate containment measures.”

Sources familiar with the attack told to our experts that the Phoenix CryptoLocker encodes more than 15,000 systems after deploying the ransomware payloads on CAN’s network on March 21. We also learned that the ransomware operators encrypted remote worker’s devices logged into the company’s VPN during the attack.

“As above-mentioned to deploy the ransomware, the attacker copied, compressed and staged unstructured information generated from the files shares discovered on three CNA virtual servers; and used MEGAsync, an appropriate tool, to copy certain of the unstructured data from the CNA environment directly into the threat actor’s cloud-based account hosted by Mega NZ Limited,” the organization concluded.

Hijacked Data not sold or Traded with Others

As CNA further founded, the hijacked files consist up of critical information (names Social Security numbers; date of birth, advantages enrollment, and/or medical information) acceptance to employees, former employees, and their dependents, and in roughly 10% of cases, customers.

The researchers also discovered that the attackers only depart information to the MEGAsync account captured with the help of the FBI and Mega. Based on the information given by the cloud storage platform, the hijacked CNA information was not transmitted outside the attacker’s Mega account.

Taking the account the outcomes of the ransomware attack researches, CNA says that “there is no clue that the threat actor viewed, retained or transmits the exported information data and, thus, no risk of harm to individuals coming from the incident.”

Although this conclusion, CNA still decided to alert the harmed individuals earlier this month of a probable data hijacked after the March Phoenix CryptoLocker ransomware attack.


As per the hijacked data filed by CNA with the office of Maine’s Attorney General, this information hijacked affected, 75,349 individuals.

Probable links to Accepted Cybercrime Group

Based on source code analogies, Phoenix Locker is believed to be an advanced ransomware strain developed by the Evil Crop hacking group to bypass actions after victims of WastedLocker ransomware no longer paid ransoms to avoid fines or legal action.

When concerned by our experts about the probable connection between the sanctioned Evil Crop and Phoenix Locker, CNA stated there was no confirmed link. “The threat actor group, Phoenix, responsible for this attack, is not an authorized entity and no US government agency has confirmed a relationship between the group that attacked CNA and any authorized aspect,” the company stated.

Leave a Reply