The US pharmaceutical company Merck revealed that the massive NotPetya cyberattack has disrupted its worldwide operations.
The news was part of Merck’s financial results announcement for the second quarter of 2017. According to the pharmaceutical giant, the ransomware disrupted operations in several critical sectors, including manufacturing, research, and sales.
The company didn’t disclose details of the cyber attack, but it believes that the NotPetya ransomware was the threat that hit the company on June 27th, affecting tens of thousands of systems in more than 65 countries.
Analysis of the malware reveals that the threat was designed to look like ransomware but was in fact wiper malware built for sabotage.
Researcher Matt Suiche, founder of Comae Technologies, explained that the analysis conducted by his team on the Petya samples used in the attack revealed its wiper capabilities.
“We noticed that the current implementation that massively infected multiple entities in Ukraine was in fact a wiper which just trashed the 24 first sector blocks of the disk while replicating itself. Some noted that this was mainly slack space as only the first sector is relevant for most of machines — except few exceptions,” states the analysis published by Comae Technologies.
“We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon.”
Attackers might have used a diversionary strategy to hide a state-sponsored attack on Ukraine’s critical infrastructure.
Experts from Kaspersky conducted similar research that led to a similar conclusion.
Unlike other ransomware, Petya does not encrypt files on the infected systems but targets the hard drive’s master file table (MFT) and renders the master boot record (MBR) inoperable.
Petya locks the access to the users’ data by encrypting the master file table (MFT) and replaces the computer’s MBR with its own malicious code that displays the ransom note.
Petya overwrites the MBR of the hard drive, causing Windows to crash. When the victim tries to reboot the PC, it will be impossible to load the OS, even in Safe Mode.
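For responders triaging a disk image, the damage described above shows up in the first sectors of the disk. The following is an added example, not code from the article or from the Comae analysis: it parses the classic MBR layout and compares per-sector hashes of the first 24 sectors against a baseline. The function names are hypothetical and both disk images are constructed in memory.

```python
import hashlib
import struct

SECTOR = 512
HEAD_SECTORS = 24  # span named in the analysis quoted above

def parse_mbr(sector0: bytes) -> dict:
    """Check the 0x55AA boot signature and decode the four partition entries."""
    if len(sector0) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    parts = []
    for i in range(4):
        raw = sector0[446 + 16 * i:462 + 16 * i]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        if ptype:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"signature_ok": sector0[510:512] == b"\x55\xaa", "partitions": parts}

def sector_hashes(image: bytes, sectors: int = HEAD_SECTORS) -> list:
    """SHA-256 per sector, so a later diff names exactly which sectors changed."""
    if len(image) < sectors * SECTOR:
        raise ValueError("image shorter than the requested span")
    return [hashlib.sha256(image[i * SECTOR:(i + 1) * SECTOR]).hexdigest()
            for i in range(sectors)]

def changed_sectors(baseline: list, image: bytes) -> list:
    """Indices of sectors whose hash no longer matches the recorded baseline."""
    now = sector_hashes(image, len(baseline))
    return [i for i, (old, new) in enumerate(zip(baseline, now)) if old != new]

def make_sample_disk() -> bytes:
    """Constructed sample: MBR with one bootable NTFS (0x07) partition at LBA 2048."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(SECTOR * 63)

def make_damaged_copy(disk: bytes) -> bytes:
    """Constructed sample: same image with the first 24 sectors no longer intact."""
    return b"\xff" * (HEAD_SECTORS * SECTOR) + disk[HEAD_SECTORS * SECTOR:]

if __name__ == "__main__":
    good = make_sample_disk()
    baseline = sector_hashes(good)
    bad = make_damaged_copy(good)
    print("clean image :", parse_mbr(good[:SECTOR]), changed_sectors(baseline, good))
    print("damaged copy:", parse_mbr(bad[:SECTOR])["signature_ok"], changed_sectors(baseline, bad))
```

Recording the baseline while the system is known to be healthy is what makes the comparison meaningful; the signature check alone only catches a boot sector that is no longer well-formed.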
Merck’s name was circulating on the internet shortly after the attack as one of the numerous victims of the NotPetya attack worldwide. Other major organizations affected by the NotPetya attack were Ukraine’s central bank, Russian oil giant Rosneft, advertising group WPP, the shipping giant A.P. Moller-Maersk, TNT Express and the law firm DLA Piper.
The company confirmed it was still working on restoring operations and minimizing the effects of the incident:
“The company is in the process of restoring its manufacturing operations. To date, Merck has largely restored its packaging operations and has partially restored its formulation operations,” Merck said. “The company is in the process of restoring its Active Pharmaceutical Ingredient operations but is not yet producing bulk product. The company’s external manufacturing was not impacted. Throughout this time, Merck has continued to fulfill orders and ship product.”
Cyber attacks can have a significant impact on businesses, as two of the world’s largest consumer goods companies confirmed. In July, Mondelez and Reckitt Benckiser warned of the impact of the NotPetya attack on their revenues.
Mondelez International estimated the NotPetya attack would cut three percentage points from second-quarter sales growth because of disruptions to shipping and invoices caused by the cyber attack.
Reckitt Benckiser, the maker of Nurofen painkillers and Durex condoms, said it expected sales to be hit in Q2 by an estimated £110m this year.
(Security Affairs – NotPetya ransomware, Merck)