Skip to content

Subscriber Only

Cybersecurity

CNA Financial Paid $40 Million in Ransom After March Cyberattack

Payment bigger than previously disclosed ransoms, experts say
Malware tied to Russian cybergang sanctioned by U.S. in 2019

The CNA headquarters in Chicago. — The CNA headquarters in Chicago.
Photographer: AYNSLEY FLOYD/Bloomberg

By

Kartikay Mehrotra and

May 20, 2021, 7:57 PM UTC

CNA Financial Corp., among the largest insurance companies in the U.S., paid $40 million in late March to regain control of its network after a ransomware attack, according to people with knowledge of the attack.

The Chicago-based company paid the hackers about two weeks after a trove of company data was stolen, and CNA officials were locked out of their network, according to two people familiar with the attack who asked not to be named because they weren’t authorized to discuss the matter publicly.