CNA Financial Corp. paid $40 million in late March to regain control of its network after a ransomware attack, according to people with knowledge of the attack.

The company, one of the largest commercial property-casualty insurance companies in the U.S. generating $10.8 billion in revenue last year, paid the hackers approximately two weeks after a trove of company data was stolen and CNA officials were locked out of their network, according to reports.

The $40 million payment is bigger than any previously disclosed payment to hackers, with the average payment in 2020 of $312,493, according to Palo Alto Networks.

The CNA hackers used malware called Phoenix Locker, a variant of ransomware dubbed “Hades," which was created by a Russian cybercrime syndicate known as Evil Corp. The criminal gang was sanctioned by the U.S. in 2019, a designation by the Treasury Department that makes it illegal for a U.S. company to knowingly pay a ransom to Evil Corp.

However, CNA said its investigation concluded that the hackers were a group called Phoenix that isn't subject to U.S. sanctions.

While the FBI discourages organizations from making ransom payments because it encourages additional cyberattacks and doesn't guarantee the return of data, a CNA spokesperson said that the company followed the law and consulted with the FBI and the Treasury Department's Office of Foreign Assets Control about the attack.

“CNA is not commenting on the ransom," spokeswoman Cara McCall said. “CNA followed all laws, regulations, and published guidance, including OFAC's 2020 ransomware guidance, in its handling of this matter."

In a security incident update published on May 12, CNA said it did “not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data—including policy terms and coverage limits—is stored, were impacted."

AnneMarie McPherson is IA news editor.