A.P. Moller-Maersk, the world’s largest container ship and supply vessel company, said Tuesday that it would incur hundreds of millions in U.S. dollar losses due to the NotPetya wiper malware attacks of late June.
In its second quarter earnings report, Maersk executives said they were expecting losses between $200 million and $300 million. The lost revenue, they said, was due to “significant business interruption” because the company was forced to temporarily shutter critical systems infected with the malware.
“The malware was contained to only impact the container related businesses of A.P. Moller – Maersk, and therefore six out of nine businesses, including all Energy businesses, could uphold normal operations,” the company said in its earnings report. “A.P. Moller – Maersk also remained in full control of all vessels throughout the situation, and all employees were safe.”
The company said its Maersk Line, APM Terminals and Damco systems were shut down as a precaution given their connections to partners and suppliers. APM Terminals is a port and terminal operator, while Damco is a freight and supply chain partner.
“These system shutdowns resulted in significant business interruption during the shutdown period, with limited financial impact in Q2, while the impact in Q3 is larger, due to temporary lost revenue in July (see guidance for 2017),” the company said in its report.
Maersk was just one of hundreds of companies impacted around the world by NotPetya, also known as ExPetr. The wiper attack was disguised as ransomware, and like WannaCry before it, was spread via the leaked NSA EternalBlue exploit along with a few other distribution vectors, including a watering hole attack.
The origin of the attack has been traced to a compromise of Ukrainian financial software provider MeDoc. The company’s software update process was hacked and attackers dropped in the NotPetya malware. Once it was on victims’ machines, the malware spread internally using two Windows utilities, PSEXEC and WMIC.
Giant pharmaceutical company Merck also publicly disclosed how NotPetya slowed down its operations in its Aug. 1 earnings report.
The company said the disruption caused by NotPetya affected manufacturing, research and sales operations worldwide, and that it continued to affect “certain operations” at the time.
Manufacturing operations, for example, were not at full capability, Merck said in its report. Packaging operations were up and running, but formulation had been only partially restored.
The biggest hit may have been to Merck’s Active Pharmaceutical Ingredient operations; these are the biological ingredients, or active substances, vital to pharmaceutical drugs.
Maersk, meanwhile, described in some detail how the outbreak unfolded on its systems. The company said the attack was contained within 24 hours and that it began recovery operations, working with IT and security partners. By June 29, two days after the outbreak, Maersk was able to accept bookings from customers with existing accounts, the company said.
“A.P. Moller – Maersk gradually progressed to more normalized operations for Maersk Line, Damco and APM Terminals during the week of 3 July to 9 July,” the company said. “To reinstate services safely and without further disruption, A.P. Moller – Maersk began to systematically bring back users and applications in 500 locations.”
The company said that it expected overall profit to still exceed 2016 margins despite the impact of the cyberattack.
“This cyber-attack was a previously unseen type of malware, and updates and patches applied to both the Windows systems and antivirus were not an effective protection in this case,” the company said. “In response to this new type of malware, A.P. Moller – Maersk has put in place different and further protective measures and is continuing to review its systems to defend against attacks.”