{
	"id": "736b9e99-f1ea-4002-9db2-8099ff5fa90a",
	"created_at": "2026-04-06T00:06:18.891259Z",
	"updated_at": "2026-04-10T13:11:18.886299Z",
	"deleted_at": null,
	"sha1_hash": "ae0310200abb36ddee0db1a6e459120bb3f71463",
	"title": "Insurance giant CNA hit by new Phoenix CryptoLocker ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3931518,
	"plain_text": "Insurance giant CNA hit by new Phoenix CryptoLocker ransomware\r\nBy Lawrence Abrams\r\nPublished: 2021-03-25 · Archived: 2026-04-05 21:10:39 UTC\r\nInsurance giant CNA has suffered a ransomware attack using a new variant called Phoenix CryptoLocker that is possibly linked to the Evil Corp hacking group.\r\nThis week, BleepingComputer reported that CNA had suffered a cyberattack impacting their online services and business operations.\r\nCNA website outage caused by the ransomware attack\r\nSoon after we reported on the attack, CNA issued a statement confirming that they had suffered a cyberattack last weekend.\r\nhttps://www.bleepingcomputer.com/news/security/insurance-giant-cna-hit-by-new-phoenix-cryptolocker-ransomware/\r\nPage 1 of 5\r\n\"On March 21, 2021, CNA determined that it sustained a sophisticated cybersecurity attack. The attack caused a network disruption and impacted certain CNA systems, including corporate email,\" CNA disclosed in a statement.\r\nCNA hit by a ransomware attack\r\nSince our first reporting, BleepingComputer has confirmed that CNA suffered an attack by a new ransomware known as 'Phoenix CryptoLocker.'\r\nSources familiar with the attack have told BleepingComputer that the threat actors deployed the ransomware on CNA's network on March 21, where it proceeded to encrypt over 15,000 devices on their network.\r\nBleepingComputer has learned that it also encrypted the computers of employees working remotely who were logged into the company's VPN at the time of the attack.\r\nWhen encrypting devices, the ransomware appended the .phoenix extension to encrypted files and created a ransom note named PHOENIX-HELP.txt, as shown below.\r\nRansom note created during CNA ransomware attack\r\nBleepingComputer was further told that CNA would be restoring from backups but has not confirmed that with the company.\r\nPossible links to Evil Corp\r\nA source has told BleepingComputer that Phoenix Locker is believed to be a new ransomware family released by Evil Corp based on similarities in the code.\r\nEvil Corp historically used the WastedLocker ransomware when conducting attacks against compromised organizations.\r\nSince the US government sanctioned the hacking group in 2019, most ransomware negotiation firms would no longer facilitate WastedLocker ransom payments to avoid facing fines or legal action.\r\nAccording to a recent CrowdStrike report, the Evil Corp hacking group switched to a new ransomware family called Hades to bypass the US sanctions.\r\nHades Tor site\r\nThe new Hades ransomware family has been seen in multiple attacks since then, including a ransomware attack on trucking giant Forward Air.\r\nHowever, CrowdStrike's analysis has shown that Hades is simply a rebranded version of their previously used WastedLocker ransomware.\r\nThe new Phoenix Locker ransomware used in the CNA attack is believed to be another Evil Corp spinoff.\r\nWhen BleepingComputer asked CNA about a connection between the sanctioned Evil Corp and the Phoenix group, they replied that there was no confirmed nexus.\r\n\"The threat actor group, Phoenix, responsible for this attack, is not a sanctioned entity and no U.S. government agency has confirmed a relationship between the group that attacked CNA and any sanctioned entity. We have notified the FBI of this incident and are actively cooperating with them as they conduct their investigation of the incident.\"\r\nCyberinsurance companies are a valuable target\r\nThe attack on CNA could have a tremendous impact on other companies, especially those that have cyberinsurance policies through the company.\r\nConducting attacks on companies with cyberinsurance policies is often lucrative for ransomware gangs, as the insurance companies may be more likely to pay the ransom.\r\nThere could be no better way to create a list of insured companies to target than to hack an insurer's network and steal policy information about their customers.\r\nUsing this information, a ransomware operation can create a list of insured companies and their policy limits. The ransomware operators could then create ransom demands tailored around a particular victim's policy coverage.\r\nAt this time, it is not known if the threat actors stole unencrypted files before encrypting CNA's devices.\r\nHowever, stealing unencrypted data has become a common tactic used by ransomware operations, so it is likely that some data was stolen during the attack.\r\nSource: https://www.bleepingcomputer.com/news/security/insurance-giant-cna-hit-by-new-phoenix-cryptolocker-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/insurance-giant-cna-hit-by-new-phoenix-cryptolocker-ransomware/"
	],
	"report_names": [
		"insurance-giant-cna-hit-by-new-phoenix-cryptolocker-ransomware"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433978,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae0310200abb36ddee0db1a6e459120bb3f71463.pdf",
		"text": "https://archive.orkl.eu/ae0310200abb36ddee0db1a6e459120bb3f71463.txt",
		"img": "https://archive.orkl.eu/ae0310200abb36ddee0db1a6e459120bb3f71463.jpg"
	}
}