Tag Archives: Petya

Fedex Says Cost of Cyber Attack Material

Fedex was one of the companies that announced last month that they were affected by the Petya un-ransomware  (it operated like ransomware, but there was no decryption key, even if you paid the ransom).

It is interesting that most of the time there is some sort of malware attack you do not get much information, but with this incident, we are seeing a lot of information.

In this case, the attack, which happened over a month ago, affected Fedex’s TNT Express unit.  TNT operates in over 200 countries and had revenue of over $8 billion.

Fedex says that the attack will hurt it’s full year results and will be material.  For Fedex, at over $50 billion in revenue, to say the effects of a cyber attack will be material to it’s full year financial results is pretty unusual.

Over a month later, TNT is still experiencing widespread service delays and that it is experiencing a revenue drop and costs associated with dealing with the malware.

Even more amazing, Fedex did not have cyber risk insurance in place to cover the cost of the incident, they say.

They also say that they are still evaluating the financial impact of the attack and have no estimate as to when service at TNT would be back to normal.

Let me see if I can summarize this:

  • a $50 billion company says that the effects of a ransomware attack will be material to their full year financial results
  • Six weeks after the attack they are still experiencing widespread service delays
  • They do not know when service will be back to normal
  • And, they had no insurance to cover the incident

I seriously doubt that this will have any long financial effect for Fedex, but I am sure that their corporate ego is seriously bruised.  I anticipate that many of the customers that moved to other carriers like DHL and UPS after the service disruption will never come back to Fedex.

Ponder this one for a moment.

If YOUR company suffered ransomware attack like Fedex did, how long would it take you to recover?  How many customers would  you lose?  Could you afford the cost of the event or would it be life altering to the company?

The good news for Fedex is that even if it costs them $10 million , $100 million or even $500 million, they will be able to weather the storm.

Would YOUR company be able to say the same?

Information for this post came from Reuters.

The Fallout From a Ransomware Attack

We have heard from two big name firms who succumbed to the recent Petya/NotPetya ransomware attack and they provide interesting insights into dealing with the attack.

First a quick background.  A week ago the world was coming to grips with a new ransomware attack.  Initially called Petya because it looked like a strain of the Petya ransomware, but then called NotPetya because it became clear that it was an attempt to look like Petya but really was not the same malware.

One major difference is that it appears that this malware was just designed to inflict as much pain as possible.  And it did.

While we have no idea of all the pain it inflicted, we do have a couple of very high profile pain points.

The first case study is DLA Piper.  DLA Piper is a global law firm with offices in 40 countries and over 4,000 lawyers.

However, last week, this is what employees saw on their screens:

When employees came to work in the London office, they were greeted with this sign in the lobby:

Suffice it to say, this is not what attorneys in the firm needed when they had trials to attend to, motions to file and clients to talk to.

To further their embarrassment, DLA Piper had jumped on the WannaCry band wagon telling everyone how wonderful their cyber security practice was and that people should hire them.  Now they were on the other side of the problem.

In today’s world of social media, that sign in the lobby of DLA Piper’s London office went viral instantly and DLA Piper was not really ready to respond.  Their response said that client data was not hacked.  No one said that it was.

As of last Thursday, 3+ days into the attack, DLA Piper was not back online. Email was still out, for example.

If client documents were DESTROYED in the attack because they were sitting on staff workstations which were attacked, then they would need to go back to clients and tell them that their data wasn’t as safe as the client might have thought and would they please send them another copy.

If there were court pleadings due, they would have to beg the mercy of the court – and their adversaries – and ask for extensions.  The court likely would grant them, but it certainly wouldn’t help their case.

The second very public case is the Danish mega-shipping company A.P. Moller-Maersk.

They also were taken out by the NotPetya malware but in their case they had two problems.

Number one was the computer systems that controlled their huge container ships were down, making it impossible to load or unload ships.

The second problem was that another division of the company runs many of the big ports around the world and those port operations were down as well.  That means that even container ships of competing shipping companies could not unload at those ports.  Ports affected were located in the United States, India, Spain and The Netherlands.  The South Florida Container Terminal, for example, said that it could not deliver dry cargo and no container would be received.  At the JPNT port near Mumbai, India, they said that they did not know when the terminal would be running smoothly.

Well now we do have more information.  As of Monday (yesterday), Maersk said it had restored its major applications.  Maersk said on Friday that it expected client facing systems to return to normal by Monday and was resuming deliveries at its major ports.

You may ask why am I spilling so much virtual ink on this story (I already wrote about it once).  The answer is if these mega companies were not prepared for a major outage then smaller companies are likely not prepared either.

While we have not seen financial numbers from either of these firms as to the cost of recovering from these attacks, it is likely in the multiple millions of dollars, if not more, for each of them.

And, they were effectively out of business for a week or more.  Notice that Maersk said that major customer facing applications were back online after a week.  What about the rest of their application suite?

Since ransomware – or in this case destructoware since there was no way to reverse the encryption even if you paid the ransom – is a huge problem around the world, the likelihood of your firm being hit is much higher than anyone would like.


If you get hit with an attack and you don’t have these plans in place, trained and tested, it is not going to be a fun couple of weeks.  Assuming you are still in business.  When Sony got attacked it took them three months to get basic systems back online.  Sony had a plan – it just had not been updated in six years.

Will you be able to survive the effects of this kind of attack?

Information for this post came from Fortune, Reuters and another Reuters article.

Petya Ransomware – A New Low

After the WannaCry Ransomware affected businesses in 150 countries last month, you would think that people would have learned.  Apparently not.

The Petya ransomware doesn’t encrypt files, it encrypts the whole disk.

Unlike typical ransomware that picks selected files (like Word or Excel files), instead this ransomware replaces the Master Boot Record or MBR and forces Windows to reboot.  When Windows loads the fake MBR, it launches something that looks like CHKDSK, a Windows utility that is used to fix disk problems.  Except, in this case, what it is really doing is encrypting the Master File Table or MFT.  Unlike typical ransomware that can take a long time to encrypt files one at a time, Petya can encypt the MFT in less than a second, making the whole disk unreadable.  POOF!

Companies – big companies – in many countries have been affected:

  • WPP, the British based worldwide advertising company
  • Law firm DLA Piper
  • Danish shipping firm Maersk

And many, many others.

It appears to have started with an infected software update from an Ukraine accounting software firm according to many experts.  The firm denies that.  Time will tell.

In the mean time the infection is going viral in Ukraine, who is blaming Russia, but Russian government computers are also being infected.  In fact, Ukraine and Russia represent the largest concentration of infections.

Why do these ransomware attacks seem to gain steam in Eastern Europe and Asia.  It is not clear to me, but one possibility is that there is a lot of pirated operating system software in that part of the world and those users cannot get patches.  That is a possible explanation.

Like WannaCry, there is a way to stop the propagation, but unlike WannaCry, a file needs to be installed on each and every computer.  And it only minimizes the damage, it doesn’t eliminate it.

Now here is the bad news.  The hackers are asking for $300 in Bitcoin to unlock the computer.  It asks you to communicate with the hackers via an email address and it provides a bitcoin wallet – the same wallet for every user.

But here is the problem.  The email address used by the hacker is hosted on Posteo, a German ISP.  They have decided to cancel the user’s account for violating their terms of service.  That means that there is no way to communicate with the hackers and no way to get a decryption key.

Of course, if the hackers wanted to, they could publicize another email address anonymously.

But, maybe, they don’t want to.

If, as suspected, this is the work of Russia to destabilize Ukraine and if a little collateral damage in Russia provides cover, Russia probably figures that is OK.  If this is the case, then they don’t want people to be able to recover.

In this case, unlike some other ransomware attacks, having good backups is all you need.  Format the disk and restore from your backup and you are good to go.

So what is the moral?

Backups are still critical for recovering from many ransomware attacks and HOW LONG IT TAKES to recover is the next most important thing.  If you can restore but it takes you a week to get back to work, that is a problem.

Do you know how long it would take your company to recover from a major ransomware attack?  Important question.

Information for this post came from The Guardian, Bleeping Computer and Risk Based Security.