NotPetya attack disrupts infrastructure and business

01 August 2017

Less than two months after WannaCry crippled more than 200,000 computers across 150 countries, another ransomware attack has caused major disruption around the world.

Advertising agencies, law firms, pharmaceutical, aerospace, retail, food, energy, logistics and shipping companies around the world were infected. Critical infrastructure, including a number of airports and sea ports, energy companies, banks and government agencies, was also temporarily put out of action by the malware. Risk-modelling firm Cyence and Lloyd’s estimated that NotPetya had caused some USD 850 million in economic damage globally. The cost of WannaCry, however, is estimated at USD 8 billion. Companies continued to experience disruption from NotPetya three weeks after the initial attack. Two US hospitals were said to be experiencing issues while a number of businesses were still clearing backlogs and dealing with manual workarounds, according to a BBC report.

Material Impact

Logistics company FedEx Corp said that the disruption caused to its TNT Express unit by the ransomware attack is likely to have a “material” impact on its full-year results. The announcement caused a 3.4% drop in FedEx’s share price. As a result of the cyber attack, FedEx said it had lost revenues and incurred incremental costs from contingency plans and remediation of affected systems. However, the company said it does not have cyber insurance in place to cover these losses.

Destruction-Ware

Dubbed NotPetya, the malware uses a modified EternalBlue exploit to target computers running Microsoft software, the same exploit used by WannaCry in May. Once inside a corporate network, the malware quickly spreads from computer to computer, encrypting files, another characteristic shared with WannaCry.

However, the malware is not WannaCry and is significantly different from known versions of the malware family Petya, according to cyber security firm Kaspersky Lab. In fact, the nature of the malware and the intentions of its developers have been the subject of much debate.

Cyber security commentators questioned whether NotPetya was ever intended as a serious ransomware attack. A number of researchers argue that the malware was designed to do damage, rather than make money, leading some to describe the attack as ‘destruction-ware’ rather than ransomware.

100% Secure?

Fully patching systems and keeping online backups are obvious steps to prevent or mitigate attacks like NotPetya and WannaCry, while good network segregation and separation of domain name user groups can help contain such attacks once they happen.

However, patching systems is not always as straightforward as it may seem. There are legitimate reasons why patches can’t be installed, or why systems continue to run unsupported software.

Attacks like NotPetya are another reminder that no company can be 100% safe, and that the focus on response is as important as defence. Organizations need to think in advance about how they can minimize business interruption following a cyber attack and how they can continue to serve their clients in the meantime.

Insurance Implications

Insurance protection against ransomware attacks, such as WannaCry and NotPetya, can be obtained in both the standalone cyber insurance and kidnap and ransom (K&R) insurance markets. However, the K&R market has seen a significant increase in claims from ransomware attacks in recent years and K&R insurers have increasingly realized that they may be heavily exposed to a systemic cyber loss resulting from business interruption.

As a result, K&R insurers are increasingly looking to limit their exposure to cyber and are typically applying sub-limits for cyber business interruption. Some K&R markets, however, will offer higher limits under a standalone cover or buyback. 

Robust Solution

One benefit of K&R insurance is that it offers cyber extortion cover from the ‘ground up’ – i.e. up to the full policy limit and without a deductible or retention. However, for higher limits, the standalone cyber insurance market is a better option.

Alternatively, careful blending of K&R cyber extortion cover with a standalone cyber policy can provide insureds with a robust insurance program, with ground up cover for ransom reimbursement, expert response consultant advice, cyber business interruption and additional expenses.

For further information, please contact Martin Delaney, Senior Vice President - Leader, Cyber and Risk Management Services at ClientFirst@jltcanada.com.