The Insurance Journal is asking if the NotPetya Windows worm was an act of war. If so, that would change any potential obligations carried by insurance policies towards claimants, in this case Merck & Co. NotPetya took over Windows computers in 2017 but was apparently originally intended to target Ukrainian Windows computers. The rest of the Windows computers may have just been collateral damage.
By the time Deb Dellapena arrived for work at Merck & Co.’s 90-acre campus north of Philadelphia, there was a handwritten sign on the door: The computers are down.
It was worse than it seemed. Some employees who were already at their desks at Merck offices across the U.S. were greeted by an even more unsettling message when they turned on their PCs. A pink font glowed with a warning: “Ooops, your important files are encrypted. … We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment …” The cost was $300 in Bitcoin per computer.
The ransom demand was a ruse. It was designed to make the software locking up many of Merck’s computers—eventually dubbed NotPetya—look like the handiwork of ordinary criminals. In fact, according to Western intelligence agencies, NotPetya was the creation of the GRU, Russia’s military intelligence agency—the same one that had hacked the Democratic National Committee the previous year.
In all, the attack crippled more than 30,000 laptop and desktop [Windows] computers at the global drugmaker, as well as 7,500 servers, according to a person familiar with the matter. Sales, manufacturing, and research units were all hit. One researcher told a colleague she'd lost 15 years of work. Near Dellapena's suburban office, a manufacturing facility that supplies vaccines for the U.S. market had ground to a halt. "For two weeks, there was nothing being done," Dellapena recalls. "Merck is huge. It seemed crazy that something like this could happen."
Earlier on SN:
Windows 7 and Server 2008 End of Support: What Will Change on 14 January? (2020)
Cyber Insurance claims NotPetya was an act of war (2019)
Original Petya Master Decryption Key Released (2017)
(Score: 4, Insightful) by MostCynical on Friday January 17 2020, @02:58AM (9 children)
why, despite the number of cases of hacking/encryption ransomware attacks/etc, do large companies treat security as an after-thought?
CXOs are all too cool to listen to the "geeks"?
MBAs can see too many dollars (of potential $bonus money) going somewhere-that-isn't-their-pocket?
Also, how is it a researcher could lose 15 years of work? Isn't that the point of off-site, off-network backups?
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 3, Insightful) by Coward, Anonymous on Friday January 17 2020, @03:32AM (5 children)
Backup software can be misconfigured. Then people think they are safe, but when they try to restore the backup, it's not there. Do organizations have a check-your-backup day? If not, then some people will lose data.
(Score: 3, Interesting) by Common Joe on Friday January 17 2020, @10:17AM
Indeed. We should ban the word "Backup" and instead call it "Restores".
In more seriousness, we should probably be using the phrase "Backup and Restore" a lot more instead of just "Backups". It would combat a lot of this problem.
(Score: 2) by hendrikboom on Friday January 17 2020, @02:37PM (3 children)
How easy is it on most popular backup programs to check that a restore is possible without putting your primary data at risk in case the backup was corrupt?
(Score: 2) by deimtee on Friday January 17 2020, @08:38PM (2 children)
If you can't restore to alternative hardware then it is not a backup. So the answer is, "as easy as it is to get backup hardware".
Note that if your equipment is expensive, this might not be easy.
If you cough while drinking cheap red wine it really cleans out your sinuses.
(Score: 2) by hendrikboom on Saturday January 18 2020, @08:12PM (1 child)
More practical for corporations than for hobbyists. Even one modest laptop can break the budget.
(Score: 2) by deimtee on Sunday January 19 2020, @01:40AM
Yes, but the average hobbyist doesn't have to restore a working corporate environment either. They are generally only concerned that the files are not lost, they can build a new environment.
In either case the equipment does not need to be as powerful and expensive as the original, it just needs to be enough to show the files are accessible. Many of the times someone will need a backup are either hardware failure or lost/stolen equipment. In both cases a backup that needs to go on the original hardware is useless.
If you cough while drinking cheap red wine it really cleans out your sinuses.
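The subthread above asks for a "check-your-backup day" and for a way to prove a restore works without touching the primary data. The following restore drill is an added example written for this page, not code from the article or from any commenter: it backs up a constructed sample tree, restores the archive into a throw-away scratch directory (never over the source), and compares every file against a SHA-256 manifest taken at backup time. The function names (`manifest_of`, `make_backup`, `verify_restore`, `run_drill`) and the `skip_dirs` knob that simulates a misconfigured backup job are this example's own inventions.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large research data sets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(source_dir):
    """Record {relative path: sha256} for every file under source_dir.

    The manifest is what a restore is later checked against; it must be taken
    from the live data, independently of whatever the backup job decides to copy.
    """
    source_dir = Path(source_dir)
    return {
        p.relative_to(source_dir).as_posix(): sha256_file(p)
        for p in sorted(source_dir.rglob("*"))
        if p.is_file()
    }


def make_backup(source_dir, backup_path, skip_dirs=()):
    """Write a gzip tarball of source_dir.

    skip_dirs is a constructed stand-in for a misconfigured exclusion list:
    any top-level directory named here is silently left out, which is exactly
    the kind of mistake a restore drill is meant to catch.
    """
    source_dir = Path(source_dir)
    with tarfile.open(backup_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            rel = p.relative_to(source_dir).as_posix()
            if p.is_file() and not any(rel.startswith(d + "/") for d in skip_dirs):
                tar.add(str(p), arcname=rel)


def _safe_members(tar):
    """Refuse archive entries that would escape the scratch directory on extraction."""
    members = []
    for m in tar.getmembers():
        parts = Path(m.name).parts
        if m.name.startswith("/") or ".." in parts:
            raise ValueError(f"unsafe path in archive: {m.name}")
        members.append(m)
    return members


def verify_restore(backup_path, manifest):
    """Restore into a fresh temporary directory and diff it against the manifest.

    Returns a list of human-readable problems; an empty list means every file
    listed in the manifest came back byte-for-byte. The primary data is never
    opened for writing, so a corrupt archive cannot damage it.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(backup_path, "r:gz") as tar:
            tar.extractall(scratch, members=_safe_members(tar))
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"corrupt: {rel}")
    return problems


def run_drill(skip_dirs=()):
    """Build a constructed sample tree, back it up, and verify the restore.

    Returns the problem list from verify_restore so callers (or a scheduled
    job) can fail loudly instead of discovering the gap after an incident.
    """
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "research").mkdir(parents=True)
        # Constructed sample content, standing in for real files.
        (src / "research" / "notes.txt").write_text("fifteen years of results\n")
        (src / "config.ini").write_text("[app]\nkey=value\n")
        expected = manifest_of(src)
        backup = Path(work) / "backup.tgz"
        make_backup(src, backup, skip_dirs)
        return verify_restore(backup, expected)


if __name__ == "__main__":
    print("healthy backup:", run_drill())                          # []
    print("misconfigured:", run_drill(skip_dirs=("research",)))    # ['missing: research/notes.txt']
```

The point of keeping `manifest_of` separate from `make_backup` is that the check cannot share the backup job's blind spots: whatever the job excluded, the manifest still lists, so the drill reports it as missing rather than as a clean run.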
(Score: 5, Insightful) by c0lo on Friday January 17 2020, @03:36AM (2 children)
Because insurance premiums are lower than paying for proper IT personnel.
This is why this FA is relevant (just a mild-to-low interest for me, though)
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 5, Insightful) by sjames on Friday January 17 2020, @05:47AM (1 child)
Unless, of course, the insurance company finds yet another way of weaseling out of payment, then you're high and dry.
(Score: 2) by hendrikboom on Saturday January 18 2020, @08:15PM
Data loss is not usually covered. The insurance company can reasonably say you should have made backups.