
Business and Markets

Merck and Its Ransomware Problems in Court

Well, this story is not specifically about the drug industry, although anything that shuts Merck down for two weeks, costs them around a billion dollars, and disrupts the US drug supply chain certainly has some relevance to it (!) I’m talking about the 2017 NotPetya ransomware attack. Merck was one of the high-profile corporate victims (along with FedEx and the shipping company Maersk, just for starters), but none of these are believed to have been its actual targets.

NotPetya was actually Russian malware aimed at the Ukrainian government and economy (that link will take you through the details, which are numerous and often quite surprising). The broader Merck infrastructure was contaminated through a server in their Ukraine office, and you can trace the other worldwide problems back similarly. It should be noted that although the software was certainly aimed at Ukraine, it was also built to spread rapidly and indiscriminately. We can assume that the non-Ukrainian damage caused by NotPetya was of no concern whatsoever to its authors and indeed was probably just another feature.

This is the main example (that I’m aware of, anyway) of state-sponsored ransomware; most of that stuff that’s floating around seems to be the work of criminals just trying to turn a buck. If that’s not a software category you’re familiar with then prepare to be appalled. A machine infected with such a program will display only a single message on its screen: an announcement that your hard drive has been encrypted, and that there is no way for you to undo it other than sending some untraceable payment (such as Bitcoin) to a specific destination, whereupon the decryption key will be provided. Sometimes there is a time limit placed on your decision – unless you pay up before the deadline, your screen informs you, you will never be able to retrieve any of your files at all.

As that article describes, tens of thousands of laptops, desktops, and servers across the Merck organization were displaying just such a message in attention-getting pink-on-black lettering on the morning of June 27, 2017. If that sounds like an absolute IT nightmare, then you have evaluated the situation correctly. Large parts of their business came to an immediate halt. The company was unable, for example, to meet production of the Gardasil vaccine, and had to request supplies from the US government’s stockpile – totally depleting it, in fact, although over the next year the company was able to replenish. Damage estimates from the company, as mentioned, are around a billion dollars, and they have turned to their insurance providers. Who are refusing to pay.

That’s because the insurance companies are claiming that this was an act of war, an attack of a country upon another country, and their policies clearly state that such damages are not covered. Merck is responding that they were not at war with anyone, and that Rahway, NJ is a long way from the front lines of any battles anywhere. As you can well believe, this dispute is now in the courts, and is being watched with great interest by the insurance industry and cybersecurity firms. The situation is not made clearer by the fact that most of these insurance policies do not explicitly address such cyberattacks at all, so it comes down to arguing about language that wasn’t designed to deal with the situation at hand.

(Edit: I’ve revised this paragraph and others since the post went up, with more details about the NotPetya software). Ransomware is a very messy business, and there are numerous instances of companies, individuals, and even government offices paying up because they see no alternative, and the cost of the downtime exceeds the ransom demand itself. The FBI’s stance has always been “Don’t pay”, but they’ve recently revised that advice to “If you do pay, please tell us about the incident anyway”. Their well-justified fear is that they’re not even hearing about many such incidents because people pay up quietly. And as it turns out, hiring some of the security firms that promise to deal with such attacks can mean that you’re paying up anyway, whether you realize it or not. Many of these places secretly pay off the hackers or have paid them off in the past and obtained some decryption keys that way, despite any talk of using their latest proprietary technology to recover your files.

Now, when you’re dealing with the run-of-the-mill ransomware operators, there are sometimes flaws in their software that can be exploited, and as it happens there’s a guy in Illinois who is leading an effort to deal with these (a very interesting story and well worth a read). But that’s surely not the case with the Russian state-backed software. In fact, the ransom demand that NotPetya made was bogus: the computers it infected were, as far as I can see, irreversibly encrypted. There’s no insight into what happened when people did try to pay up, but it seems certain that none of these payments accomplished anything. The software was designed to be purely destructive.

Merck will be arguing its case for some time, and one can expect an appeal no matter what happens. The drug industry has inadvertently found itself at the forefront of cybercrime litigation, but who knows what the landscape will look like by the time this particular point has finally been decided?

43 comments on “Merck and Its Ransomware Problems in Court”

  1. Nick K says:

    Funny how the old paper-based systems never had this problem.

    1. Hap says:

      True, but the data also wasn’t really as available and getting at it was much slower. Nothing comes for free.

      Lots of redundant backups and airgaps (as below) are probably the only way to deal with this without going back to paper (though voting seems to have a solution involving both paper and computers, I’m not sure if pharma even can print sufficient data in archival form to sustain manufacture – and if they can print it, if they can parse and access it in finite time.) Maybe they could use a printed two-dimensional version of crucial data, like how Red Cross prints out its Fast-Pass (personal questions to blood donors), but then it’d have to be secured by Fort Knox to keep it from getting stolen or organized in a code that can’t be broken, which would require completely isolated computers.

      1. Charles H. says:

        What’s needed is a Write Once Memory, so that you can have a hot backup, but still recover everything before a certain time.

        Unfortunately, the only thing I’ve heard of even vaguely like this are the multi-session CDs that used to be common. And that wasn’t really much like it. I think there was a small limit on the number of sessions.

        1. Barry says:

          “Write Once Memory” is a solved problem. It’s a lab notebook in ink, it’s punch-card, it’s streaming paper tape, it’s (1st gen) optical disk.

        2. Mike D. says:

          There used to be a product named exactly that: WORM drives (write once, read many), which were mostly supplanted by CD-R drives and similar.

          Thing is, there’s a much better solution: a proper offline backup system, such as a tape backup server (contrasting to “Time Machine” and Windows Backup setups, where the backup drive is constantly and directly connected, which ransomware has learned to encrypt as well). If your backups are good, you’re out a day or week (or at worst, month) of recent data, a much better starting point for recovery and restoration of service.

    2. anon says:

      Ok, dinosaur.

    3. Jake says:

      Tell it to the National Museum of Brazil.

    4. Vader says:

      Funny how my old Chevy Sprint never gave me bad GPS directions.

    5. tim Rowledge says:

      Oh? Nice paper records department you have there… pity if anyone should drop a lit cigarette…

  2. Berkley says:

    I’m increasingly convinced that the most critical aspects of IT infrastructure should be air-gapped. Large corporations and institutions like Merck should also have a separate IT infrastructure as redundant, hacking protected versions/backups of the most critical processes.

    1. Isidore says:

      It is interesting that the (presumed) US-Israeli Stuxnet worm that caused disruption to the Iranian uranium enrichment program ca. 2005-2010 was designed to infect only the PLCs (programmable logic controllers) of the UF6 centrifuges by targeting PLCs made by a couple of Iranian companies and Siemens and not every single computer or PLC it encountered. And this in spite of the presumed “air gap” of the IT infrastructure of the uranium enrichment facilities, presumably as rigid or even more so than any drug manufacturer’s. The problem is that any network has to communicate sooner or later with the outside world, for installing new hardware, or for software updates, or whatever, and this will always provide a conduit for malicious software to enter.

      1. Vader says:

        The U.S. and Israel had to be concerned about collateral damage.

        Russia doesn’t care who unknowingly gets between them and their target.

        1. Isidore says:

          Given the proximity, geographical and virtual, between Ukraine and Russia, collateral damage must have been a concern. Maybe Kaspersky somehow got the ransomware signatures ahead of time 😉

          1. UkrainianChemist says:

            Some Russian companies were infected as well. They were considered just casualties of cyberwarfare. It wasn’t ransomware after all but an attack on IT infrastructure. Obama, a few months later, warned the Russians that if they tried it with the US, the US would do something similar in response.

        2. Come on! says:

          The US is helping Saudi starve Yemen out, supported jihadists in Syria, uses depleted uranium rounds in warfare, and has put numerous countries (Venezuela, Iraq, Iran, etc.) through brutal sanctions. But yeah, they definitely are really concerned about collateral damage.

        3. anon says:

          The EternalBlue exploit that NotPetya used was (allegedly) originally developed by NSA and kept secret from Microsoft for many years.

  3. Luysii says:

    This is one reason why I recommended reading “Sandworm” by Andy Greenberg a while ago. It has a lot more detail about NotPetya and other attacks perpetrated on business and infrastructure by malware. If you use a computer or a network in your work, it should be read and thought about. Warning: it won’t be a fun read, even though well written.

  4. Vader says:

    From a strictly legal standpoint, Merck’s insurers have a point. This was an act of war against the Ukraine, in which Russia is not particularly scrupulous about collateral damage.

    1. Isidore says:

      What acts constitute a war? Can it be proven that those who unleashed the ransomware were acting at the direction and on behalf of some government entity? I guess that’s why we have lawyers.

      1. loupgarous says:

        Excellent point. I don’t know the answer to “Is our computing infrastructure also our national territory? Is attacking it an act of war requiring a proportionate response?” (under the Law of Armed Conflict, which the US has incorporated into its Uniform Code of Military Justice, it doesn’t seem we can punish cyberwarfare with physical force – that would violate the principle of proportionality).

        The United States military has been used before in the Persian Gulf to protect US and allied shipping from attack from Iran, without a formal declaration of war. Does a corollary exist for, say, the 16th Air Force to initiate punitive operations against the computer systems of nations which have attacked our nation’s computer systems? Would such operations ever be acknowledged?

      2. loupgarous says:

        In 2016 US Senator Mike Rounds introduced a bill called the “Cyber Act of War Act” to require the President to “develop a policy for determining when an action carried out in cyberspace constitutes an act of war against the United States.”

        The Council for Foreign Relations stated an obvious criticism of Rounds’ bill – it doesn’t require the country to do anything it can’t do now. Sen. Rounds makes a case for the proposed bill in an op-ed article in the Wall Street Journal. I don’t think either the CFR or Sen. Rounds mentioned the impact (if any) his law would have on outstanding or disputed insurance claims arising from state-sponsored cyberattacks.

        1. Earl Boebert says:

          Useful background reading can be found here:

          The technical material is somewhat out of date (the attribution problem has gotten worse) but the legal and policy discussions are still worthwhile.

  5. Mike says:

    “and had to request supplies from the US government’s stockpile”

    This caught my eye. The government has a Gardasil stockpile? Why?

    I know they stockpile Tamiflu in case there is a flu epidemic, but why stockpile Gardasil? In case there is an HPV epidemic?

    1. loupgarous says:

      Good question. Let’s say there’s a mutant strain of HPV which spreads more avidly than current ones. Would Gardasil protect against it? And would immunization against it be a thing the US Federal government be legally bound or even authorized to make happen? There’s already more than the baseline amount of resistance to immunizing kids against HPV with Gardasil.

    2. tlp says:

      Not attempting to answer the ‘why’ question, but here’s the excerpt from Wikipedia:

      The actual supply of drugs and supplies that make up the SNS [strategic national stockpile] are located in a secret location outside of Washington, D.C., in a building the size of two Super Walmarts that appears to look like an ordinary commercial warehouse. Inside the warehouse, supplies are stacked on shelves that measure five stories high.

    3. Morgrim says:

      Pure speculation here, but we know some anti-vaxxers are extreme enough to call for violence against compulsory vaccination plans (see Samoa and measles right now). As far as I’m aware that’s all rhetoric or indirect damage, but so were the early days of the anti-abortion extremists, and they escalated to murder. Having a stock of proven ‘clean’ vaccines means you can respond instantly if extremists have a go at sabotaging or contaminating vaccine stocks.

      On a less conspiracy theory note, during pandemics almost all vaccine manufacturers will switch their facilities over to making the new vaccine; if you have a backup stock then you can keep up business as usual for all other diseases during that period. Or, in this case, business as usual because your enemies shut down the manufacturing plant.

  6. Who knew? says:

    So….from what I heard….Merck is claiming that some 400 lb guy in his basement in NJ was responsible (ex-employee) and the insurance companies are claiming that it was Russia and an act of war, like you said, and the Republicans are claiming that it was actually Ukraine who unleashed it on themselves so that we would blame Russia and the Democrats are blaming Rudy Giuliani because he accidentally bricked his cellphone when he forwarded the virus and had to go to an Apple store to remove the malware but they then referred him to two guys from Florida with ties to Ukraine who were then arrested.

  7. Anonymous says:

    Not a solution, but a common refrain: “If Software Companies were subject to the same requirements as Drug Companies.” or “If Car Manufacturers were subject to the same requirements as Drug Companies.” and so on.

    A lot of technology is released for general (or almost universal) consumption without the sort of mandatory testing that new drug candidates are subjected to by the FDA and other agencies.

    It isn’t only operating systems but also application software that often has exploitable security holes. With the Internet of Things, autonomous vehicles, etc., there is real concern that a 400 lb person in their parents’ basement (or maybe Russian or Chinese hackers) can hijack you and your car, your “smart” household, or who knows what?

  8. Zeeshan bendelstein says:

    You’d almost rather the insurance company does not pay out. Provides much moral hazard to license companies to not enforce mandatory backups of files and investments in basic cybersecurity.

    1. matt says:

      Do you think Merck did not have backups? Of course they did, because they never recovered any of the destroyed data.

      Essentially, this is a denial of service attack for a well-prepared IT. How long do you think it would take to restore from backup every single PC and server in the company? How many computers and locations does the company have per IT staff person? How much does it cost, 69000 people able to do nothing x (how long to restore)? If the auto industry average is $22k / minute that an assembly line is shut down, how much for Merck for all its assembly lines put together, plus a whole lot of other people who make much more than assembly line workers?

      (If you are saying, “not long at all to restore, I have my handy backup already attached right here,” then wash your mouth. That backup is likely also encrypted and worthless for that purpose, because it was also available to the attackers. I’m not sure how clever NotPetya was about attached backup systems, but ransomware attacks often involve hackers in the network scouting for things like backups before they throw the switch on encryption.)

      If you think “basic” cybersecurity is all it takes, you have had your head in the sand too long.

      Here’s a troubling thought: all that control over the Internet in their countries that Russia and China are exerting? They may realize that “border control” for Internet packets is as necessary for cyberwar as secure borders are to protect against physical espionage. And yes, that control is dual-use, and also used to strike at the very freedoms and openness the Internet enabled. And yes, the US may also have to figure out how to protect itself from actors who will be protected from any legal response by their nation/sponsors.

      This is why we can’t have nice things.

      1. Don Edwards says:

        “If you think “basic” cybersecurity is all it takes, you have had your head in the sand too long. ”

        That depends on what you consider ‘basic’ cybersecurity.

        The stuff on my computer that is not easily replaceable is file-synced to my phone and tablet – which run on a different OS. It’s backed up (with versioning) to an external hard drive. And the most critical part is also backed up (with versioning) to two USB memory sticks that are deliberately configured so the computer will think they are the same memory stick – one of them is plugged in and the other one is in my car, and they swap places once a week.

        There’s another memory stick close at hand that I can use to reinstall the OS, which will get me online so I can download everything that I don’t have install software for laying around.

        I consider that to be just part of basic cyber security for a fiction writer. (There’s also the antivirus software, spam blockers, script blockers…)

        1. matt says:

          Don, that’s very reasonable, but you are just talking about backups, and you are talking about a solo computer. Merck certainly had backups for most of their data, and they were dealing with a much more complex network. Also, as a solo computer user, you aren’t a valuable target, like a business with lots of customer credit card data, or billion dollar plus businesses, etc. So you don’t have to worry about the real professionals like Fancy Bear or Sandworm, just collateral damage from things like NotPetya, script-kiddies, and automated botnet attacks. And your exposure to those is much less than a 69,000 employee multicampus, multinational corporation.

          You mention you have media for reinstalling the OS, and then you can re-download and re-install the applications you don’t have on hand. This is reasonable for a personal computer, but you will dedicate at least an entire day to that process. More, if your OS backup hasn’t been refreshed to include the latest service pack or major update.

          Now, think about repeating your process for 100 computers. That would take a month or more, during which time employees will essentially be sitting around, unable to contribute to future income. That’s just desktops, and you can’t even imagine the trouble of restoring domain controllers, the network storage, company servers, etc, which will be early priorities for IT because the desktops won’t work without them (the domain controllers and networked storage, at least). I don’t know how many IT employees Merck has, in relation to the rest of their employees, but I do know IT will be considered a cost to the company, and every manager knows to minimize costs, so the more competent the IT department is, the smaller it will be in relation to the rest of the company.

          The problem isn’t the lack of preparation, at least in the normal sense. It simply isn’t possible to have 100% compliance with regard to patching*, and the password-stealing part of the exploit was to my knowledge unpatched. The problem is that an IT department is not sized to have to fix every desktop and server in their organization at once after something like this. Going forward, it sounds like this will have to be added to the emergency training repertoire, like active shooter drills and site disaster planning scenarios, etc. How to reload your entire IT infrastructure in the minimum time.

          *(95-year-old Dr. Emeritus just walked in with his 10-year-old laptop for the first time in months, and you didn’t know he still came in–or was still living–he still had a company computer, and his computer still somehow could find a way to connect to some legacy server you left running because some old equipment needed it.)

          If you haven’t worked in such a networked situation, where everything depends on the domain controllers, but files depend on this server, and scripts are running from this server, and everybody will be querying this server for DNS records, and that server for mail, and that server for networked time, just getting the right boot order can be quite tricky. You never usually have all your servers off at the same time (some non-Windows-based servers can be up for years, until a kernel patch has to be loaded), and so sometimes you find out you’ve introduced a dependency loop you didn’t know about because some part of it had always been available before. If you’ve worked through emergencies before, you will recognize that these things, and many others, some just stress-related, appear out of nowhere in those situations. And the CEO, chain-popping Tums and thinking about how many thousands or millions the company is losing this instant, is watching over your shoulder and encouraging you to get this done, alternated with thinking about firing all of IT and getting that group at Deloitte to handle the whole thing. 🙂

          1. ab says:

            @Matt 5:16 pm I just have to say, this is a G-D amazing post. Thank you for putting this together. That is all, carry on.

  9. Earl Boebert says:

    When we wrote the Computers at Risk report in 1991 [] we noted that there was little or no financial case for businesses investing in security practices and functionality. If anything, the situation is worse today. The message from the financial community (and their handmaidens, the business schools and management consultants) is implicit but very clear: optimize financial efficiency, roll the dice on any potential catastrophe, and hope that you have pulled the ripcord on your golden parachute before the wings come off the airplane. But please to call it “risk management.”

    Also, as far as the Russians are concerned, having Merck get nailed through their Ukrainian facility is not a bug, it is a feature. The incident serves to inhibit major corporations from doing business in the Ukraine.

    1. Gold Silver says:

      “Optimize financial efficiency, roll the dice on any potential catastrophe, and hope that you have pulled the ripcord on your golden parachute before the wings come off the airplane. But please to call it “risk management.”

      That risk management strategy seems broadly dispersed in our short-term minded industry nowadays. But it works for a few that get rich, so it’s ok. Do the right thing at your own peril!

  10. Jon says:

    NotPetya was very very good at trashing attached backups. Maersk (the shipping company) got exceedingly lucky when they found a very important file backed up on a server in Ghana, of all places, that happened to have been off the net for different reasons when the attack hit.

    As far as insurance is concerned? Well, if it’s a world-wide war, and we don’t have to pay out for acts of war, why should we pay out anything at all? Have a nice day!! Sorry about your premiums…
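Mike D.'s point above (an always-attached backup drive gets encrypted along with everything else), Don Edwards' versioned copies and Jon's note that Maersk recovered from a server that happened to be offline all come down to one question: which copies can the compromised host still write to? The following is an added example, not code from the post, its commenters or any backup product: a constructed Python model of a small backup topology that applies those rules and reports the best recovery point. The copy names, the `attached`/`versioned` flags and the snapshot schedule are all made up; the rule that a versioned store survives assumes the host cannot purge its history.

```python
"""Toy model of which backup copies survive a ransomware-style overwrite.

Constructed example, not code from the post or any product. The host is
compromised at `event_time`; every copy the host can write to and that
keeps no immutable history is overwritten, as an always-attached backup
drive would be. Detached or append-only copies keep their pre-event data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Sequence, Tuple


@dataclass
class BackupCopy:
    name: str
    # Host can write to this target at event time (Time-Machine-style drive,
    # always-mounted NAS share). False for tape on a shelf or an offline server.
    attached: bool
    # Target keeps prior versions the host cannot delete (immutable snapshots).
    # A plain mirror that just follows the source is not versioned.
    versioned: bool
    # Timestamps of completed, consistent copies held by this target.
    snapshots: List[datetime] = field(default_factory=list)


def recovery_point(copy: BackupCopy, event_time: datetime) -> Optional[datetime]:
    """Newest usable snapshot after the event, or None if the copy is lost."""
    if copy.attached and not copy.versioned:
        return None          # mirror followed the source: encrypted too
    usable = [t for t in copy.snapshots if t < event_time]
    return max(usable) if usable else None


def best_recovery(copies: Sequence[BackupCopy], event_time: datetime
                  ) -> Optional[Tuple[str, datetime, timedelta]]:
    """Copy with the smallest data-loss window: (name, point, loss), or None."""
    best = None
    for c in copies:
        point = recovery_point(c, event_time)
        if point is None:
            continue
        loss = event_time - point
        if best is None or loss < best[2]:
            best = (c.name, point, loss)
    return best


# Constructed sample topology (the date is the incident day named in the post;
# the time and the schedule are invented).
EVENT = datetime(2017, 6, 27, 10, 30)
hourly = [EVENT - timedelta(hours=h) for h in range(1, 25)]
daily = [EVENT - timedelta(days=d) for d in range(1, 8)]
SAMPLE = [
    BackupCopy("attached-mirror", attached=True, versioned=False, snapshots=hourly),
    # Snapshot store the host can push to but not purge; the post-event push
    # is the encrypted state and must be ignored when choosing a restore point.
    BackupCopy("immutable-snapshots", attached=True, versioned=True,
               snapshots=hourly + [EVENT + timedelta(hours=1)]),
    BackupCopy("offline-tape", attached=False, versioned=False, snapshots=daily),
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(f"{c.name:20} -> {recovery_point(c, EVENT)}")
    print("best:", best_recovery(SAMPLE, EVENT))
```

Running it shows the mirror is gone, the immutable store restores to the last hourly snapshot before the event, and the offline tape restores to the previous day. The `versioned` flag is only as good as the assumption behind it: if the backup server's history can be deleted with credentials the host holds, it is a mirror in disguise, which is why matt's observation that intruders scout for backups before triggering encryption matters when you classify your own copies.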


  11. Jonathan Starr says:

    There is no such thing as an “air gap”
    There is no such thing as an “air gap”
    There is no such thing as an “air gap”
    There is no such thing as an “air gap”
    There is no such thing as an “air gap”

    Now normally I’d spew some FUD about how we are all doomed but rather then that let’s just consider what would happen if someone cracked AWS… Awww crap I did that thing I didn’t want to do /sigh

    Computers can’t live with them, can’t kill them.

  12. michael888 says:

    EternalBlue was a weapon of the NSA aimed at “terrorists” and unfriendly nations. They used it for five years before it was “stolen”. Talented hackers everywhere can use these cyberwar weapons created by US taxpayer money; their provenance is impossible to establish. 17% of Ukrainians are ethnic Russians; lots of bad stuff happens in civil wars.

  13. Francini says:

    And of course the fact that most companies’ internal computer deployments are a monoculture—Windows everywhere—it’s no surprise that you get the IT equivalent of the Irish potato famine when one virulent bug spreads through an entire company. OS diversity is a good thing here.

    1. loupgarous says:

      Microsoft, whether they realize it or not, are effective advocates for OS diversity.

      People and firms that use Windows have two issues:
      – their systems are targets of terribly sophisticated state-sponsored malware developers
      – Users buy a license to use Windows, and waive their right to continue using it if Microsoft decides they must get larger computers to accommodate bloated, inelegant OSes.

      Laziness has kept me using Windows so far. The computer of mine which runs Windows 7 suits me. If Microsoft wants me to buy a new computer to keep using Windows, well, Linux developers make no such demands.

    2. Scott says:

      Gets rather complicated for the IT department to run multiple OSes, though.

      I worked support for the US Navy’s computer network, and it took probably 3 years before the newest version of any OS or even basic program (like Office) got approved for general distribution to the network. Though that’s what happens when you have actual professional paranoiacs (better known as IT security professionals) running the ‘we need new software’ desk.

  14. eugene says:

    My enjoyment of this blog significantly went down after Derek started his one-sided anti-Russian shilling and became a believer in the Trump-Russia conspiracy, as evident from his Twitter.

    I see the virus as a patriotic piece of software written by people in the Donbass. There are plenty of us in the Ukraine who don’t want any war against Russia and despise the US for their support of the coup in 2014 and the resulting shit that happened after. Shelling of Donetsk and Lugansk (the vast majority of civilians killed are by Kiev in the Donbass), fascists controlling the street, killing journalists and the state unable to prosecute them, renaming streets in honor of Nazi SS veterans, torture prisons in Mariupol, six million people who left to Russia and the EU in the last five years, etc… Thank you America for more weapons for the fascists and blaming every dubious cyber attack and bad election result on Russia however! You are real friends.

    Maybe in the future when New England separates, we can send weapons to the other side so that they can shell Boston. I won’t cry for any civilians killed on your side after what you did for us.

  15. eugene says:

    Oh right, almost forgot a last message for Derek…

    Happy New Year!

    (after all, I’m still probably going to be reading this blog like for the last 13 years; no need to burn bridges… just a little singe will do)
