Skip to content
Subscriber Only

CNA Financial Paid $40 Million in Ransom After March Cyberattack

  • Payment bigger than previously disclosed ransoms, experts say
  • Malware tied to Russian cybergang sanctioned by U.S. in 2019
The CNA headquarters in Chicago.
The CNA headquarters in Chicago.

Photographer: AYNSLEY FLOYD/Bloomberg

CNA Financial Corp., among the largest insurance companies in the U.S., paid $40 million in late March to regain control of its network after a ransomware attack, according to people with knowledge of the attack.

The Chicago-based company paid the hackers about two weeks after a trove of company data was stolen, and CNA officials were locked out of their network, according to two people familiar with the attack who asked not to be named because they weren’t authorized to discuss the matter publicly.