The sources also asked not to be identified since they were not authorised to discuss the matter publicly.
When news of the incident first broke in March, CNA described the cyberattack as “sophisticated.” Details were scant, and there was no initial indication that the cyberattack was ransomware in nature.
Three people familiar with ransomware negotiations told Bloomberg that CNA’s $40 million ransom payment is larger than any previously disclosed payments to hackers.
Bloomberg reached out to CNA for a statement.
“CNA is not commenting on the ransom,” said spokesperson Cara McCall. “CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.”
On May 12, CNA explained in a security incident update that it did not have any reason to believe that “systems of record, claims systems, or underwriting systems, where the majority of policyholder data – including policy terms and coverage limits – is stored, were impacted.”
The insurer also said that its investigation concluded that the hackers responsible for the cyberattack were from a group called Phoenix. They had used malware called Phoenix Locker, which is a variant of the Hades ransomware used by Russian cybercriminal group Evil Corp.