As everyone will have seen, the last few days have brought news of yet another “ransomware” attack, this time from a piece of malware known most often as Petya. One unit of the (huge) container shipping company Maersk is known to have been affected, as is a branch of the French bank BNP Paribas, but I bring this up here because another company affected is Merck.
There were a number of reports on the first day of this situation about Merck employees coming to work to find locked computer screens, etc., and it appears that the company basically told people to just go home. As well they might – I go back just far enough to remember the director of chemistry in my first job (fall 1989) being mistrustful of the idea of every chemist in the department having a computer at their desk, but buddy, you just try to work without one now.
Ransomware is very bad news. It takes advantage of the fact that (for a long time now) encryption has been a lot easier than decryption. A modern cipher will turn a message into what looks like a pile of random digits, and without the key there is no practical way to restore order, no matter how much computing power you have. Back during World War II, British and American codebreaking efforts had some famous successes against the German and Japanese military and diplomatic codes, but the days of successful direct mathematical attacks are basically gone. They were already on their way out during the war itself. Many of the most valuable “breaks” against these codes occurred due to user errors and sloppy technique, and stealing a code book (or the equivalent) was still worth spending a great deal of time and effort in preference to trying a brute-force decrypt. There was, though, an incident in which an OSS team broke into the Japanese embassy in Lisbon in search of just such material, not realizing that the US Navy was already reading the Japanese “Purple” diplomatic cipher. Everyone in on the secret was terrified and furious that the OSS operation might cause Tokyo to switch its codebooks, which would have been a terrible blow. Not only did the US learn a great deal about Japanese plans by that route, but the Japanese ambassador to Berlin, Hiroshi Oshima, was the single most valuable source of info on the thoughts and plans of the Nazi hierarchy, via his long, extraordinarily detailed cables back to Tokyo. He died in 1975, never knowing that he had been the greatest unwitting spy of the war.
So much for the old days. Petya, unfortunately, seems to be using a perfectly good encryption algorithm, which these days means that without the key you’re not going to decrypt anything. But it gets worse. Last night, two security firms announced that their analysis of the malware has convinced them that this isn’t a ransomware attack per se, because it appears that not even the people who are supposedly asking to be paid off would be able to furnish a decryption key. In real ransomware, the “installation ID” shown on the locked screen is derived from the victim’s encryption key (typically the key wrapped so that only the attackers can unwrap it), which is what lets them hand over a working key after payment. Here, the displayed ID is just random data with no relationship to the key actually used, and the malware also overwrites the first sectors of the hard drive outright. It’s designed to destroy data, not hold it hostage. The address that you’re supposed to use to contact the malware writers doesn’t even work any more. This brings up a lot of very fraught questions about just who would have turned this software loose and why, but if anyone has any solid ideas about that, they’re not talking yet.
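To make the distinction concrete, here is an added toy model (not code from the original post, and not taken from Petya itself) of the one detail that separates ransomware from a wiper: whether the ID shown to the victim is a function of the encryption key or just random bytes. The cipher is a throwaway XOR keystream built from SHA-256 so that the script runs on the Python standard library alone; the operator secret, the ID layout and the sample “disk” contents are all assumptions made up for the example.

```python
"""Toy model: recoverable ransomware vs. an unrecoverable wiper.

Added example, not code from the original post or from the Petya malware.
The cipher is a deliberately simple XOR keystream (SHA-256 based) so the
script runs on the standard library; every name and constant is invented.
"""
import hashlib
import hmac
import os

# Assumption: a secret held only by the malware operator, never on the victim.
OPERATOR_SECRET = b"toy operator secret - invented for this example"

# Constructed sample "disk" contents standing in for real files.
SAMPLE_DISK = b"constructed sample: ELN pages, HPLC traces, assay spreadsheets"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: concatenated SHA-256(key || nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher; encrypting and decrypting are the same XOR."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def infect(disk: bytes, wiper: bool) -> tuple[bytes, bytes, bytes]:
    """Encrypt `disk` under a fresh per-victim key and return what the victim
    is left with: (ciphertext, nonce, installation_id). The per-victim key is
    discarded at the end, as a real sample would do after use."""
    victim_key = os.urandom(32)
    nonce = os.urandom(16)
    ciphertext = xor_crypt(victim_key, nonce, disk)
    if wiper:
        # Wiper behaviour: the ID is random and unrelated to victim_key.
        installation_id = os.urandom(48)
    else:
        # Ransomware behaviour: the ID is victim_key wrapped under the
        # operator's secret, so the operator can unwrap it after payment.
        wrap_nonce = os.urandom(16)
        installation_id = wrap_nonce + xor_crypt(OPERATOR_SECRET, wrap_nonce, victim_key)
    del victim_key
    return ciphertext, nonce, installation_id


def operator_recover_key(installation_id: bytes) -> bytes:
    """What the operator does with the ID a paying victim sends in."""
    wrap_nonce, wrapped = installation_id[:16], installation_id[16:]
    return xor_crypt(OPERATOR_SECRET, wrap_nonce, wrapped)


def victim_recovers(wiper: bool, disk: bytes = SAMPLE_DISK) -> bool:
    """Run the whole exchange and report whether the victim gets the data back."""
    ciphertext, nonce, installation_id = infect(disk, wiper)
    key = operator_recover_key(installation_id)   # garbage in the wiper case
    recovered = xor_crypt(key, nonce, ciphertext)
    return hmac.compare_digest(recovered, disk)


if __name__ == "__main__":
    print("ransomware, victim pays:", victim_recovers(wiper=False))  # True
    print("wiper, victim pays:     ", victim_recovers(wiper=True))   # False
```

Note that the two installation IDs are indistinguishable by inspection: both are 48 bytes that look random. Whether paying can possibly work is something you learn only by reversing the code that produces the ID, which is exactly what the analysts did here.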
Ransomware is very bad news, but a deliberate wiper is the worst news possible. I am no expert myself, but it would appear that the hard drives that have gotten the full dose of this version of Petya are now full of information that may well be irretrievable. I very much hope I’m wrong about that, because, well, let’s get back to Merck. How bad is the situation there? The company’s most recent update was Wednesday morning, and it just said that they had indeed been hit, and that they believe that they’ve contained the problem and are working on recovery plans. Fair enough, but the earlier reports from actual Merck employees were quite alarming, and you’d have to think, given the recent news, that the company will have to figure out how much information is now lost. There is also, one assumes, a lot of very heated discussion about why the company’s Windows systems were not (yet) patched against the SMB vulnerability this malware exploits to spread (the same one fixed by Microsoft’s MS17-010 update and used by WannaCry in May).
The scope of the malware infection, the state of their backup infrastructure, the data at risk – all of these are known only to Merck, and perhaps not yet even to them. There’s a lot of really, really valuable information sitting on the internal servers of a drug company, much of it irreplaceable. How much of Merck’s is gone?
Update 1: Arsalan Arif at Endpoints says that they’ve been unable to get any comment from Merck today.
Update 2: I’ve heard from Merck themselves, with their latest release on this. They say that they “see no indication that the company’s data have been compromised”, which is very good news, and that “Government authorities working with us have confirmed that the malware responsible for the attack contained a unique combination of characteristics that enabled it to infect company systems despite installation of recent software patches.” That part is not such good news, and should be worrisome for IT departments everywhere until it becomes more clear just what systems were infected and what patches had been installed. It may even be worrisome after that. One explanation already appearing in the technical write-ups is that this malware does not rely on the SMB exploit alone: once it has a foothold inside a network, it also harvests credentials from the infected machine and uses standard Windows administration tools to reach neighbours, so a fully patched system can still be taken down by a compromised one next to it.