In the second major cyber attack in as many months, transportation giants A.P. Moller-Maersk Group (“Maersk”) and TNT Express B.V. (“TNT”) (now part of the FedEx family), along with thousands of other entities in various industries, saw their IT systems debilitated by the "NotPetya" ransomware program that circled the globe in late June. The program apparently exploits the EternalBlue vulnerability in Microsoft Windows-based systems first revealed in leaked NSA documents, though Microsoft has since released a "patch" and major antivirus companies have now updated their software to detect and protect against the "NotPetya" program.
On July 20, Maersk—who suffered outages around the world in all business units—reported its systems were running "close to normal" and had suffered no known third-party data breach or data loss but that a full forensic investigation into the attack was ongoing. Maersk is the largest container ship operator in the world, with more than 600 vessels and 4 million TEU containers under its flag. Maersk subsidiary APM Terminals operates 57 port terminals in 36 countries around the globe and was also heavily impacted by the attack.
TNT has not fared so well after the June attack, with reports of continued delays and service interruptions extending into late July as TNT has implemented manual processing of shipping documentation. On July 17, FedEx filed its 10-K annual report with the SEC, which included a warning that FedEx was "still evaluating the financial impact of the attack, but it is likely that it will be material." In the filing, FedEx acknowledged that they had already experienced revenue losses, as well as increased costs associated with remediation and implementation of contingency plans. According to The Guardian, TNT staff at the company's East Midlands, U.K., hub reported international shipments piled up "to the ceiling" as customer discord continues to grow. FedEx has been unable to estimate how long it will take to restore the impacted systems and has warned that "it is reasonably possible that TNT will be unable to fully restore all of the affected systems and recover all of the critical business data that was encrypted by the virus." FedEx has confirmed that it is uninsured for the loss.
Like Maersk, TNT reports no third-party data breach or data loss is known to have occurred, which comports with industry experts' understanding of how the "NotPetya" program operates.
Despite the gravity of this threat, organizations can take measures to protect themselves if they understand the nature of the threat. The first step in defending against ransomware is being informed of the risk and ensuring employees within the organization are properly trained. Attacks are typically "invited" when a system user within the organization clicks on a link, triggering an executable file or script. Other avenues of attack are found in links located on untrustworthy websites or scripts embedded in certain document types. In all cases, the victim initiates the process by clicking on or opening an infected link or document. To date, this has been the most common path for ransomware to infect an organization’s network. There are, however, several technical and administrative safeguards that can help reduce the risk and damage caused by ransomware programs:
(1) Regular updates—Because ransomware typically exploits known vulnerabilities in operating systems or commonly used programs, regularly running system updates and applying patches can considerably reduce the exposure.
(2) Regular backups—A robust, regularly-tested backup system can almost eliminate the detrimental effect of ransomware. When an infected computer or server can be isolated and the data restored quickly, business operations can often be resumed quickly and without significant adverse impact to the organization.
(3) Incident response/contingency planning—As ransomware is designed to force an organization into a high-pressure, time-critical situation, a well-planned response and contingency scheme is essential to countering a ransomware attack.
(4) Training—As noted above, ransomware is generally designed to infect systems through untrustworthy links or files accessed by employees or others inside the victim organization. As such, system users must be educated in the risk and trained to comprehend the potential consequences of a ransomware attack. In training and educating users, organizations are well served to incentivize users to remain vigilant and always be mindful of potential threats.
Though these safeguards can be relatively inexpensive to implement, many organizations still are not taking the threat seriously. As with any cyber threat, vigilance and planning are absolutely imperative in preparing for a ransomware or other cyber attack. Companies do not have to spend large amounts of money or resources to reduce their risk considerably; however, those that do nothing should expect to pay a hefty price when a cybersecurity event occurs. In addition to the potential for lost revenue and remedial costs following a cyber attack, organizations can expect to see increased scrutiny by regulators and others directly affected by disruption to an organization’s business, such as investors, clients, and consumers.