Well, this story is not specifically about the drug industry, although anything that shuts Merck down for two weeks, costs them around a billion dollars, and disrupts the US drug supply chain certainly has some relevance to it (!) I’m talking about the 2017 NotPetya ransomware attack. Merck was one of the high-profile corporate victims (along with FedEx and the shipping company Maersk, just for starters), but none of these are believed to have been its actual targets.
NotPetya was actually Russian malware aimed at the Ukrainian government and economy (that link will take you through the details, which are numerous and often quite surprising). The broader Merck infrastructure was contaminated through a server in their Ukraine office, and you can trace the other worldwide problems back similarly. It should be noted that although the software was certainly aimed at Ukraine, it was also built to spread rapidly and indiscriminately. We can assume that the non-Ukrainian damage caused by NotPetya was of no concern whatsoever to its authors and indeed was probably just another feature.
This is the main example (that I’m aware of, anyway) of state-sponsored ransomware; most of that stuff that’s floating around seems to be the work of criminals just trying to turn a buck. If that’s not a software category you’re familiar with then prepare to be appalled. A machine infected with such a program will display only a single message on its screen: an announcement that your hard drive has been encrypted, and that there is no way for you to undo it other than sending some untraceable payment (such as Bitcoin) to a specific destination, whereupon the decryption key will be provided. Sometimes there is a time limit placed on your decision – unless you pay up before the deadline, your screen informs you, you will never be able to retrieve any of your files at all.
As that article describes, tens of thousands of laptops, desktops, and servers across the Merck organization were displaying just such a message in attention-getting pink-on-black lettering on the morning of June 27, 2017. If that sounds like an absolute IT nightmare, then you have evaluated the situation correctly. Large parts of their business came to an immediate halt. The company was unable, for example, to meet production of the Gardasil vaccine, and had to request supplies from the US government’s stockpile – totally depleting it, in fact, although over the next year the company was able to replenish. Damage estimates from the company, as mentioned, are around a billion dollars, and they have turned to their insurance providers. Who are refusing to pay.
That’s because the insurance companies are claiming that this was an act of war, an attack of a country upon another country, and their policies clearly state that such damages are not covered. Merck is responding that they were not at war with anyone, and that Rahway, NJ is a long way from the front lines of any battles anywhere. As you can well believe, this dispute is now in the courts, and is being watched with great interest by the insurance industry and cybersecurity firms. The situation is not made clearer by the fact that most of these insurance policies do not explicitly address such cyberattacks at all, so it comes down to arguing about language that wasn’t designed to deal with the situation at hand.
(Edit: I’ve revised this paragraph and others since the post went up, with more details about the NotPetya software). Ransomware is a very messy business, and there are numerous instances of companies, individuals, and even government offices paying up because they see no alternative, and the cost of the downtime exceeds the ransom demand itself. The FBI’s stance has always been “Don’t pay”, but they’ve recently revised that advice to “If you do pay, please tell us about the incident anyway”. Their well-justified fear is that they’re not even hearing about many such incidents because people pay up quietly. And as it turns out, hiring some of the security firms that promise to deal with such attacks can mean that you’re paying up anyway, whether you realize it or not. Many of these places secretly pay off the hackers or have paid them off in the past and obtained some decryption keys that way, despite any talk of using their latest proprietary technology to recover your files.
Now, when you’re dealing with the run-of-the-mill ransomware operators, there are sometimes flaws in their software that can be exploited, and as it happens there’s a guy in Illinois who is leading an effort to deal with these (a very interesting story and well worth a read). But that’s surely not the case with the Russian state-backed software. In fact, the ransom demand that NotPetya made was bogus: the computers it infected were, as far as I can see, irreversibly encrypted. There’s no insight into what happened when people did try to pay up, but it seems certain that none of these payments accomplished anything. The software was designed to be purely destructive.
Merck will be arguing its case for some time, and one can expect an appeal no matter what happens. The drug industry has inadvertently found itself at the forefront of cybercrime litigation, but who knows what the landscape will look like by the time this particular point has finally been decided?
