A single phishing email tricked a CNA Financial employee into running what looked like a browser update. The payload installed malware that harvested credentials and sessions from an already-authenticated workstation. Attackers then moved laterally, located valuable data, and deployed ransomware that ultimately led to a $40 million payment.
How the Phishing Email Created the First Foothold
The attack began with a targeted phishing message that directed the recipient to what appeared to be a routine browser update. Running the payload installed malware on the endpoint. That single action gave the attackers both a local presence and whatever credentials the machine could reach.
No second factor stood between the employee and the malware execution because the vector was social engineering, not a login prompt. Even a time-based OTP or push notification would not have stopped this attack. The employee was not authenticating to a service at the moment of compromise; they were executing code. The credential theft happened after the malware was already running.
What the Malware Enabled Once It Was Inside
With code execution on the compromised workstation, the attackers harvested stored credentials and moved laterally. They reached additional systems without triggering fresh interactive logins at each step. The sessions and tokens they obtained worked because authentication had already occurred on the legitimate user's behalf.
This phase of the breach happened after authentication. Stolen tokens faced no further authentication barrier, so any factor tied to the original login offered no protection. The attackers used the foothold to locate and exfiltrate data before deploying ransomware. CNA later disclosed the incident and confirmed payment of the $40 million ransom.
Why the Damage Spread So Far
Once the attackers controlled accounts with existing sessions, they operated inside the network as those accounts. Lateral movement and data access did not require new credential submissions that a second factor could have challenged. The ransomware deployment followed the same path.
The initial phishing success turned a single workstation into an entry point that reached the broader environment. Because the compromise occurred before any authentication step, factors placed at login time never entered the equation for that first machine.
The same playbook has hit other organizations in prior incidents. Device-bound keys close this replay path, but only at the point where the next login attempt actually occurs.
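Because the post-compromise activity described above rides on sessions that were authenticated once and then reused from other hosts, the detection opportunity is not at login but in session usage. The following is an added example, not code or telemetry from the CNA incident: it parses constructed authentication log lines (a hypothetical format with LOGIN and ACCESS events) and flags any session used from a host other than the one that completed the interactive login, or used with no recorded login at all.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not real CNA telemetry). Format is hypothetical:
# <timestamp> <LOGIN|ACCESS> key=value ...
SAMPLE_LOGS = """\
2024-06-03T09:12:01Z LOGIN user=jdoe session=s-7f3a src=WS-0142 auth=password+otp
2024-06-03T09:15:40Z ACCESS user=jdoe session=s-7f3a src=WS-0142 resource=fileshare
2024-06-03T11:02:13Z ACCESS user=jdoe session=s-7f3a src=WS-0901 resource=fileshare
2024-06-03T11:03:55Z ACCESS user=jdoe session=s-7f3a src=WS-0901 resource=backup-admin
2024-06-03T11:10:02Z LOGIN user=asmith session=s-c21e src=WS-0333 auth=password+otp
2024-06-03T11:11:30Z ACCESS user=asmith session=s-c21e src=WS-0333 resource=mail
2024-06-03T11:20:09Z ACCESS user=svc-backup session=s-0be4 src=WS-0901 resource=backup-admin
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGIN|ACCESS) (?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields["event"] = m.group("event")
    return fields


def find_session_replay(log_text):
    """Return {session_id: finding} for sessions used from a host other than the one that
    performed the interactive LOGIN, or used with no LOGIN on record (token minted elsewhere)."""
    origin = {}    # session id -> host that completed the interactive login
    findings = {}  # session id -> details of the suspicious use
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        sid = ev["session"]
        if ev["event"] == "LOGIN":
            origin[sid] = ev["src"]  # a fresh login (where an MFA factor could apply) re-anchors the session
            continue
        login_src = origin.get(sid)
        if login_src == ev["src"]:
            continue  # same host that authenticated: expected use
        f = findings.setdefault(sid, {"user": ev["user"], "login_src": login_src,
                                      "replay_src": ev["src"], "first_seen": ev["ts"], "resources": []})
        f["resources"].append(ev["resource"])
    return findings
```

In the constructed sample, s-7f3a is flagged because a session authenticated on WS-0142 is later used from WS-0901 with no new login in between, and s-0be4 is flagged because it is used without any recorded login; s-c21e is normal use from its own host.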
FAQ
Did CNA Financial have MFA anywhere in the environment?
Public reporting on the CNA Financial ransomware attack does not detail MFA deployment. The documented initial vector was a phishing email that delivered malware through a fake browser update, bypassing any login process entirely.
Would a hardware token have prevented the CNA Financial breach?
A hardware token would not have blocked the CNA Financial ransomware attack at the first stage. The employee was tricked into running malware, not asked to approve a login. Once the malware executed, later movement relied on already-authenticated sessions rather than new credential submissions.
How did the attackers reach ransomware deployment inside CNA Financial?
After the malware ran on the initial workstation, the attackers harvested credentials and used existing sessions to move through the network. Data exfiltration and ransomware deployment occurred without additional interactive logins that would have required fresh authentication.
What made the $40 million ransom the largest reported at the time?
CNA Financial disclosed the payment after Phoenix group operators encrypted systems and stole data. The attackers had maintained access long enough to locate high-value targets before the ransom demand was issued.