FedEx van

US-based and international courier delivery service FedEx admitted on Monday that some of its systems were significantly affected by the NotPetya ransomware, and some of the damage may be permanent.

FedEx was just one of the many businesses across the world hit by the NotPetya ransomware, a cyber-weapon designed to attack organizations in the Ukraine, but which spread to other countries via VPNs and internal networks.

According to FedEx, NotPetya affected its Ukrainian division and spread to other of the company's systems. Most affected computers were on the network of TNT Express B.V. (“TNT”), an international express transportation, small-package ground delivery and freight transportation company FedEx acquired in May 2016.

NotPetya impact detailed in SEC 10-K filing

In its annual 10-K filing with the US SEC (Securities and Exchange Commission), FedEx says no data was stolen from its or TNT's network, but "TNT operations and communications were significantly affected."

FedEx says it restored IT systems and services right after the incident, but "customers are still experiencing widespread service and invoicing delays," nearly three weeks after NotPetya hit its network.

"We cannot yet estimate how long it will take to restore the systems that were impacted, and it is reasonably possible that TNT will be unable to fully restore all of the affected systems and recover all of the critical business data that was encrypted by the virus," FedEx wrote in its 10-K filing.

This statement from FedEx confirms findings by various security experts who pointed out that NotPetya was poorly coded, making data recovery impossible because the ransomware misplaced one of its encryption keys. Furthermore, there are still theories floating around that NotPetya was designed as a cyber-sabotage tool disguised as a benign ransomware.

FedEx readies for big financial hit

FedEx expects the attack to have a notable financial impact. According to its 10-K filing, FedEx anticipates NotPetya to incur the following costs and damages:

⋄ loss of revenue resulting from the operational disruption immediately following the cyber-attack;
⋄ loss of revenue or increased bad debt expense due to the inability to invoice properly;
⋄ loss of revenue due to permanent customer loss;
⋄ remediation costs to restore systems;
⋄ increased operational costs due to contingency plans that remain in place;
⋄ investments in enhanced systems in order to prevent future attacks;
⋄ cost of incentives offered to customers to restore confidence and maintain business relationships;
⋄ reputational damage resulting in the failure to retain or attract customers;
⋄ costs associated with potential litigation or governmental investigations;
⋄ costs associated with any data breach or data loss to third parties that is discovered;
⋄ costs associated with the potential loss of critical business data;
⋄ longer and more costly integration (due to increased expenses and capital spending requirements) of TNT Express and FedEx Express; and
⋄ other consequences of which we are not currently aware but will discover through the remediation process.

The US company said it did not have any form of cyber insurance. FedEx's 10-K SEC filing was published on the same day when Lloyd's of London, one of the world's leading insurers, estimated in a report that a well executed cyber attack could cause damages of up to $121.4 billion worldwide, urging companies to sign up for cyber insurance policies.

FedEx was one of the many international companies affected by the NotPetya attack. Others include food conglomerate Mondelez, law firm giant DLA Piper, marketing firm WPP, pharma giant Merck, construction materials manufacturer Saint-Gobain, oil giant Rosneft, and container transportation giant Maersk.

Before NotPetya, FedEx was also affected by the WannaCry ransomware outbreak.