Material Impact: NotPetya Ransomware Drives Home Existential Cyber Risk for Corporations
FedEx briefly halted trading of its shares on Wednesday after reports that its TNT subsidiary was hit by NotPetya/ExPetr, a destructive wiper malware. Get ready for more.
FedEx briefly halted trading of its shares on Wednesday after reports that its TNT subsidiary was hit by NotPetya, a destructive wiper malware, in what could be the start of a trend as more destructive attacks ramp up.
In a statement released on Wednesday, FedEx said in that TNT was "significantly affected due to the infiltration of an information system virus." Though the virus was not named it is assumed to be NotPetya/ExPetr, a piece of destructive malware that masquerades as ransomware and began spreading rapidly on Tuesday.
FedEx said that "remediation steps and contingency plans" were being implemented and that "TNT Express domestic country and regional network services are largely operational, but slowed." The company also acknowledged that it was experiencing delays in TNT Express' inter-continental services as a result of the infection. FedEx shares resumed trading shortly after the statement was issued and finished the trading day in positive territory.
However, the temporary hold on trading at a company as large as FedEx due to malicious software may be a first and underscores the seriousness of the NotPetya threat. Companies rarely call for a halt in trading and generally do so only when a development is thought to be material to the company.
The malware appeared initially in Ukraine posing as an official update for financial software and has quickly spread globally, in part by harnessing an exploit dubbed EternalBlue that was developed by the U.S intelligence community. The same vulnerability helped the WannaCry ransomware spread to some 300,000 systems before it was blocked.
But NotPetya is also spreading by other means including the use of stolen user names and passwords.
SEC regulations require publicly traded companies to disclose cyber events that are material to the company, though no clear definition of "materiality" exists. Malware infections are common at large organizations and are not typically considered material. However, NotPetya's destructive capabilities may change that. Operations at many organizations affected by the virus – from supermarkets to advertising agencies – ground to a halt this week as companies struggled to restore data from computers infected by the virus.
Reports and analysis of NotPetya suggest that its purpose is to destroy systems it infects, not to make money for the attackers. Prior ransomware attacks have been disruptive, if only temporarily. That includes infections targeting San Francisco's MUNI and Dozens of National Health Service affiliated hospitals in the U.K.
But Petya is more similar to destructive attacks like Shamoon, the disk wiping malware that targeted Saudi Arabia's ARAMCO national oil company. Such attacks may presage a new, more dangerous phase for publicly traded companies, which are already struggling to stay ahead of fast moving threats.
It's a possibility that has the attention of the Trump Administration. Speaking in Tel Aviv, Israel on Monday, Trump CyberSecurity senior advisor Rob Joyce said destructive attacks like Shamoon were his biggest worry.