That’s what 2,000 companies in 64 countries learned in June
of 2017. They were not the targets, but they did lose billions of dollars of
data, hardware, software, and business. Those companies are still tracking
losses into 2018.
But they weren’t targeted.
They were the unfortunate “side effect” of the “NotPetya”
malware. Many officials and cybersecurity experts believe NotPetya was
designed by Russia to attack computers in Ukraine, but it wound up destroying
thousands of desktops, laptops, servers, and other equipment—in Ukraine, yes,
but also all around the world at corporations like FedEx, Maersk, Merck, and
That’s not hyperbole. That’s the only purpose of a cyber-munition:
If your main concern is protecting against hackers who are specifically
targeting your organization, you need to change the way you’re thinking about cybersecurity.
Company: Sharing to Help You Prepare
A leading software provider was one of the organizations hit
by NotPetya. The company has been sharing its story in hopes of helping other
organizations avoid the type of losses it and others suffered in 2017.
Fallout for One Company, By the Numbers
- $80 to $100 million in damage in 2017
- $20 million expected
- 12,000 to 15,000 devices disabled in ~10
- 6 to 8 weeks to get back to 100% operation
- 0 data
Though this attack was widely publicized, it’s still news to
many people that some cyberattacks are designed with the sole purpose of
That was the case when ransom screens started popping up around
the world at the end of June 2017. But the ransomware screen was a ruse, a wild
goose chase that cost IT teams valuable time while the virus was multiplying,
traveling, finding ways to circumvent blocked paths, and irretrievably
overwriting and destroying everything.
No data was stolen.
That was the good news. Very good news. No customer or
business data was extracted in the attack.
Because that wasn’t what the malware was built to do.
The bad news is that what the malware was built to do is also
very, very disruptive and expensive.
The worse news is that all it takes is one infected computer
on a network.
“That’s why I talk about the violence
of a cyberattack that most people don’t understand, even some people who are in
IT security,” says Sensato CEO John Gomez. “Most people think, ‘they’re going
to steal my data.’ We’re in a world now where there are cyber munitions, and
this is an example of somebody launching a cyber munition where it just
completely destroyed everything it could access.”
it was Your Healthcare Org’s Network
Now, ask yourself: what if that malware infected one of the
computers on your network, and, as it was designed to do, then infected and
destroyed everything else that it could find and attack? Every computer. Every
laptop. Every tablet. Every pacemaker. Every insulin pump. Every patient
monitoring unit. Every single device that connects with your network.
You don’t have to guess what such an attack might cost your
organization in downtime, equipment replacement, and customer reparations. That
leading software provider can tell you. So can FedEx and all the others.
But let’s get into just a few of the gory details, with the
help of the software company, so you can understand the true impact of a type
of cyberattack that you might never have expected to hit your organization.
The malware attacked active directories, shutting
administrators out of the system, taking down corporate email, the intranet,
application servers, and other internal systems. Almost every Windows device on
the network, throughout many of Company X’s was impacted.
Designed to Destroy
“We believe that NotPetya actually had
some AI (artificial intelligence) and machine learning built into it, because it
appeared to be learning on the fly. For example, if a transfer protocol was
blocked, it figured out other, faster protocols to transfer itself,” says a
spokesperson from the software provider.
“The one saving grace was that the virus put up a reboot command.
Once rebooted, it attacked the boot files, turning the device into a brick. On
our servers, it deleted what was accessible on the C drive, but it was waiting
for someone to reboot so that it could
delete the reboot sector and other drives. Since there was no human there to
press enter, it never reached the boot sector or our D drives, where our
customer data was stored,” he says.
Could You Replace Hundreds of Devices
Despite that silver lining, the
company had a procurement nightmare on its hands. The company had to find all
of the requisite hardware to rebuild 12,000 to 15,000 machines and completely
replace 700 to 1,000 laptops and hundreds of servers and networking equipment.
And it began its recovery over a
holiday weekend. “No one has hundreds and hundreds of backup supplies on hand,
but we were lucky in that our partners really felt our pain and they stood by
us,” says the spokesperson. “We needed servers overnight on a holiday weekend
and Dell ordered chip sets shipped from China for us and even opened some
factories to advance our orders.”
Even with the help of its partners,
though, procurement and rebuilding were an enormous struggle. “We worked around
the clock; didn’t spare any expense on consulting, hardware, software, whatever
it took to get our systems up and running,” says the spokesperson. “We had to
touch every machine, bring it up in a Linux mode, recover data from the D
drives, and then rebuild the machine from scratch. That’s what we had to do for
all 12,000 to 15,000 machines.”
Could You Maintain Optimal Patient Care?
In the meantime, the software company provided
alternative platforms, applications, and other solutions free of cost to all of
its customers that had been impacted by the attack, bringing them up to at
least a minimal product capability while full system capabilities were being
But remember, this company is not a
healthcare organization. There was no risk that the virus would interfere with
the operation of medical devices. The same can’t be said of most healthcare
organizations, whose wide array of connected devices are often outdated beyond
patches or updates.
“Imagine you’re a hospital and you get
hit by cyber munitions and you’ve lost confidence in your medical devices
because of the damage done by the attack,” says Gomez. “Now, you suddenly have
to replace thousands of devices. How do you do that? Do you even have a
contingency plan for that?”
As Gomez notes, “You could be in a
situation where you’ve got six months to a year before manufacturers can
replace every device. If this includes life support systems, for example, you’re
going to either have to transfer patients to other hospitals, or you may get
other hospitals to lend you equipment for a short period of time; but there’s
not usually pre-existing agreements in place for anything like that, so the
havoc it would cause would be devastating.”
Beyond the NotPetya Attack
The software provider and the others that
survived the NotPetya attack now have one advantage over other organizations:
they have a better idea of how to protect themselves. Of necessity, they have
already put new systems and practices into place.
“Our security wasn’t weak,” notes the software
company spokesperson. “What we had to do was redouble all of our postures
in terms of network, virtual, physical, and system protections. We enhanced
segregation, increased scanning and testing, added more backups, a second
anti-virus system. We have an agent on every machine that monitors and can shut
it down automatically if suspicious activity is detected, so that it can’t
spread the way the NotPetya malware did. And every machine that’s going to be
on our network has to pass a security audit.”
The cost of preparing and protecting
is often the stumbling block for IT security teams, even at healthcare
organizations that must meet HIPAA, HIMSS, and other regulatory requirements
for protecting patient data.
But Gomez points to the experience of the software company,
FedEx, and others, who lost so many billions in a “side effect” attack. “Ask
yourself what would happen if such a virus got into your systems,” he says.
“The cost of setting up proper cybersecurity is a fraction of what you could
lose in such a scenario.”
MD-COP will secure your data, devices, and
network from targeted and “side effect” attacks. Act quickly.