We have heard from two big name firms who succumbed to the recent Petya/NotPetya ransomware attack and they provide interesting insights into dealing with the attack.
First a quick background. A week ago the world was coming to grips with a new ransomware attack. Initially called Petya because it looked like a strain of the Petya ransomware, but then called NotPetya because it became clear that it was an attempt to look like Petya but really was not the same malware.
One major difference is that it appears that this malware was just designed to inflict as much pain as possible. And it did.
While we have no idea of all the pain it inflicted, we do have a couple of very high profile pain points.
The first case study is DLA Piper. DLA Piper is a global law firm with offices in 40 countries and over 4,000 lawyers.
However, last week, this is what employees saw on their screens:
When employees came to work in the London office, they were greeted with this sign in the lobby:
Suffice it to say, this is not what attorneys in the firm needed when they had trials to attend to, motions to file and clients to talk to.
To further their embarrassment, DLA Piper had jumped on the WannaCry band wagon telling everyone how wonderful their cyber security practice was and that people should hire them. Now they were on the other side of the problem.
In today’s world of social media, that sign in the lobby of DLA Piper’s London office went viral instantly and DLA Piper was not really ready to respond. Their response said that client data was not hacked. No one said that it was.
As of last Thursday, 3+ days into the attack, DLA Piper was not back online. Email was still out, for example.
If client documents were DESTROYED in the attack because they were sitting on staff workstations which were attacked, then they would need to go back to clients and tell them that their data wasn’t as safe as the client might have thought and would they please send them another copy.
If there were court pleadings due, they would have to beg the mercy of the court – and their adversaries – and ask for extensions. The court likely would grant them, but it certainly wouldn’t help their case.
The second very public case is the Danish mega-shipping company A.P. Moller-Maersk.
They also were taken out by the NotPetya malware but in their case they had two problems.
Number one was the computer systems that controlled their huge container ships were down, making it impossible to load or unload ships.
The second problem was that another division of the company runs many of the big ports around the world and those port operations were down as well. That means that even container ships of competing shipping companies could not unload at those ports. Ports affected were located in the United States, India, Spain and The Netherlands. The South Florida Container Terminal, for example, said that it could not deliver dry cargo and no container would be received. At the JPNT port near Mumbai, India, they said that they did not know when the terminal would be running smoothly.
Well now we do have more information. As of Monday (yesterday), Maersk said it had restored its major applications. Maersk said on Friday that it expected client facing systems to return to normal by Monday and was resuming deliveries at its major ports.
You may ask why am I spilling so much virtual ink on this story (I already wrote about it once). The answer is if these mega companies were not prepared for a major outage then smaller companies are likely not prepared either.
While we have not seen financial numbers from either of these firms as to the cost of recovering from these attacks, it is likely in the multiple millions of dollars, if not more, for each of them.
And, they were effectively out of business for a week or more. Notice that Maersk said that major customer facing applications were back online after a week. What about the rest of their application suite?
Since ransomware – or in this case destructoware since there was no way to reverse the encryption even if you paid the ransom – is a huge problem around the world, the likelihood of your firm being hit is much higher than anyone would like.
Now is the time to create your INCIDENT RESPONSE PLAN, your DISASTER RECOVERY PLAN and your BUSINESS CONTINUITY PLAN.
If you get hit with an attack and you don’t have these plans in place, trained and tested, it is not going to be a fun couple of weeks. Assuming you are still in business. When Sony got attacked it took them three months to get basic systems back online. Sony had a plan – it just had not been updated in six years.
Will you be able to survive the effects of this kind of attack?