FedEx Warns NotPetya Will 'Negatively Affect' Profits

TNT Express Subsidiary is Still Restoring Crypto-Locked Systems

Package-delivery giant FedEx is warning that the global outbreak of NotPetya malware will "materially impact" its profits.

FedEx, headquartered in Memphis, Tennessee, says that its TNT Express international courier delivery service subsidiary continues to experience "widespread service delays," tied, in part, to employees having to use manual processes in the wake of the June 27 malware outbreak.

TNT Express, which has operations in 61 countries and delivers to over 200 countries, was acquired by FedEx in May 2016 for $4.8 billion.

"Our 2018 results will be negatively affected by our TNT Express integration and restructuring activities, as well as the impact of the TNT Express cyberattack," FedEx warned Monday in a form 10-K annual report filing with the U.S. Securities and Exchange Commission.

The outbreak of NotPetya - aka SortaPetya, Petna, ExPetr, GoldenEye, Nyetya, Diskcoder.C - followed just six weeks after the outbreak of WannaCry malware. Both targeted flaws in Microsoft Windows that the software giant has since patched (see Ransomware Smackdown: NotPetya Not as Bad as WannaCry).

Security firms said Ukrainian tax software was the initial infection vector for NotPetya, but they note that the malware quickly spread to subsidiaries and business partners, in part, via VPN connections between organizations.

More than 12,000 organizations across at least 65 countries were affected by the NotPetya outbreak, security experts say. Beyond TNT Express, other high-profile victims included Danish shipping giant Maersk, multinational law firm DLA Piper, British advertising firm WPP, Russian oil producer Rosneft, hospitals in the Heritage Valley Health System in Pennsylvania and U.S.-based pharmaceutical giant Merck.

Triage Continuing

FedEx first warned on June 28 that TNT Express had been affected by NotPetya.

"Immediately following the attack, contingency plans were implemented to recover TNT Express operations and communications systems," according to FedEx's SEC filing.

But by Monday, "all TNT Express depots, hubs and facilities are operational and most TNT services are available," it says. "Nevertheless, customers are still experiencing widespread service delays, including invoicing, and manual processes are being used to facilitate a significant portion of TNT Express operations and customer service functions. We cannot estimate when TNT Express services will be fully restored."

NotPetya Crypto-Locked TNT Systems

Debate continues to rage over whether NotPetya was inexpertly coded - it's impossible for victims to get a working decryption key, even if they decided to pay the ransom - or whether attackers disguised the malware to look like ransomware (see Latest Ransomware Wave Never Intended to Make Money).

Alert greeting all visitors to the TNT Express website on July 18.

And the disruptions at TNT Express are due, in part, to IT personnel still attempting to restore numerous systems that were crypto-locked and left unusable by the malware.

"Currently, we are focused on restoring remaining operational systems as well as finance, back-office and secondary business systems," FedEx says. As a result, it's warning that beyond the cost of the cleanup and recovery operations, "the cyberattack may materially impact our disclosure controls and procedures and internal control over financial reporting in future periods."

Customers have been tracking delays. On Twitter, for example, user @pieceofone reported July 10 that a package being shipped from China to Portugal on June 24 had been marked as being "in transit" for more than 17 days.

The Twitter user couldn't be immediately reached for comment. But the TNT website tracking feature reported that the package was eventually delivered, on July 12.

Global Impact

FedEx isn't the only firm to report that it's faced long-term delays and disruptions due to NotPetya cleanup. Many organizations and government agencies in Ukraine, for example, were hit hard, although the government has yet to release a precise count of victims or related cleanup costs.

Maersk has also struggled to get all of its systems back online, but it has continued to issue detailed updates to customers on a near-daily basis. Following the outbreak, some ports operated by the shipping giant, for example, were unable to take in new shipments for a week.

But by Tuesday, the company reported that most systems have been restored and that it also expected its Android app to once again be able to support a container-tracking feature. "We anticipate the iOS version to be up and running by end of this week," it said. "Thank you for your patience, trust and support."


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.



