The NotPetya ransomware made headlines on June 27, 2017, when the Danish business conglomerate Maersk announced it was a victim of one of the most malicious variants of ransomware. NotPetya also compromised numerous other victims, including some of the largest corporations worldwide: Merck, FedEx, Saint-Gobain, Mondelez, and Reckitt Benckiser.
NotPetya was named for its resemblance to the ransomware known as Petya. Petya came into the spotlight in early 2016; it was used to compromise victims with ransomware and instructed them how to pay the ransom in bitcoin in exchange for the decryption key. The new variant, NotPetya, did the same, yet it included many additional features that allowed it to self-propagate and infect additional systems. NotPetya also closely resembles the WannaCry ransomware, which spread through the internet roughly 6 weeks earlier, in that both leveraged the exploit tool known as EternalBlue, which allowed the ransomware to propagate through open file shares on the internal network. Once a file share had been identified, the malware was able to copy itself to the new host and encrypt the Master Boot Record (MBR) of the hard drive, and the process continued.
One of the companies that suffered a significant financial loss as a result of NotPetya was Maersk. The international shipping giant is responsible for 76 international ports and transports nearly 20 percent of the world’s trade goods. By the time Maersk responded to the cyber-attack by shutting down its entire network, it had accumulated a loss of $300 million due to serious business disruption, and was also forced to reinstall 4,000 servers and 45,000 workstations. This sent shockwaves around the globe and put security experts on high alert.
The estimated loss reported by Maersk put the company 4th on the list of victims hit hardest by NotPetya. Pharmaceutical company Merck had the highest reported loss at $870 million, followed by FedEx, reporting a loss of $400 million, and the French construction company Saint-Gobain, reporting a loss of $384 million. According to the estimate provided by the White House, the total damages from NotPetya in 2017 reached $10 billion.
Mondelez International was also on the list of NotPetya victims in 2017. In 2018, Mondelez International filed a lawsuit against the American insurance company Zurich for breach of contract after Zurich had rejected its $100 million insurance claim for damage caused by the NotPetya ransomware. Zurich claimed that the attack was an act of war, which was an exclusion in its insurance policy. Zurich’s policy excludes “loss or damage” caused by a “hostile or warlike action in time of peace or war” by any government or sovereign power, military, or agent or authority of any party specified previously. The UK, US, Canada, Australia and New Zealand all accused Russia of the destructive cyber-attack. The attack was very likely associated with Russia’s ongoing conflict with Ukraine; however, no proof has been provided to support the assertion.
These large-scale cyber-attacks occur often, and typically leverage newly discovered zero-day exploits. When these exploits are launched, victims are completely unaware and are exploited without warning. Even cyber insurance, such as that of Mondelez, comes with its own challenges.
A holistic, strong and resilient cyber-security program is needed to help defend against these types of opportunistic threat actors. Luckily, those mentioned in this article were “resilient enough” to deal with the ransomware outbreak, but there are also many others who were not. Either way, these attacks never end well, and many of those not so lucky were forced to close within the months that followed.