US-based and international courier delivery service FedEx admitted on Monday that some of its systems were significantly affected by the NotPetya ransomware, and some of the damage may be permanent.
FedEx was just one of the many businesses across the world hit by the NotPetya ransomware, a cyber-weapon designed to attack organizations in Ukraine, but which spread to other countries via VPNs and internal networks.
According to FedEx, NotPetya affected its Ukrainian division and spread to the company's other systems. Most affected computers were on the network of TNT Express B.V. (“TNT”), an international express transportation, small-package ground delivery and freight transportation company FedEx acquired in May 2016.
In its annual 10-K filing with the US SEC (Securities and Exchange Commission), FedEx says no data was stolen from its or TNT's network, but "TNT operations and communications were significantly affected."
FedEx says it restored IT systems and services right after the incident, but "customers are still experiencing widespread service and invoicing delays," nearly three weeks after NotPetya hit its network.
"We cannot yet estimate how long it will take to restore the systems that were impacted, and it is reasonably possible that TNT will be unable to fully restore all of the affected systems and recover all of the critical business data that was encrypted by the virus," FedEx wrote in its 10-K filing.
This statement from FedEx confirms findings by various security experts who pointed out that NotPetya was poorly coded, making data recovery impossible because the ransomware misplaced one of its encryption keys. Furthermore, there are still theories floating around that NotPetya was designed as a cyber-sabotage tool disguised as benign ransomware.
FedEx expects the attack to have a notable financial impact. According to its 10-K filing, FedEx anticipates NotPetya to incur the following costs and damages:
The US company said it did not have any form of cyber insurance. FedEx's 10-K SEC filing was published on the same day that Lloyd's of London, one of the world's leading insurers, estimated in a report that a well-executed cyber attack could cause damages of up to $121.4 billion worldwide, urging companies to sign up for cyber insurance policies.
FedEx was one of the many international companies affected by the NotPetya attack. Others include food conglomerate Mondelez, law firm giant DLA Piper, marketing firm WPP, pharma giant Merck, construction materials manufacturer Saint-Gobain, oil giant Rosneft, and container transportation giant Maersk.