NotPetya was massive shift in malware tactics as what was initially believed to be another global ransomware attack on par with WannaCry was instead a wiper in disguise.
It claimed thousands of victims worldwide, including some of the highest profile manufacturers, critical infrastructure providers and financial services organizations.
Merck, among the world’s largest pharmaceutical companies, said in its quarterly earnings report last week that it has still not fully recovered from the June 27 attack.
The company said the disruption caused by NotPetya affected manufacturing, research and sales operations worldwide, and that it continues to affect “certain operations.”
Manufacturing operations, for example, are still not at full capability, Merck said in its report. Packaging operations are up and running, but formulation has been only partially restored.
The biggest hit may have been to Merck’s Active Pharmaceutical Ingredient operations; these are the biological ingredients, or active substances, vital to pharmaceutical drugs.
“The company is in the process of restoring its Active Pharmaceutical Ingredient operations but is not yet producing bulk product. The company’s external manufacturing was not impacted,” Merck said. “Throughout this time, Merck has continued to fulfill orders and ship product.”
Merck manufactures the cancer medication Keytruda, anti-diabetes medication Januvia and hepatitis-C drug Zepatier among others; all three the company said it is confident of providing a continuous supply. It did caution about possible temporary delays in fulfilling some orders for other products in certain markets.
“While the company does not yet know the magnitude of the impact of the disruption, which remains ongoing in certain operations, it continues to work to minimize the effects,” Merck said.
The giant pharmaceutical is among the first to publicly disclose the impacts of NotPetya on operations and financial performance.
NotPetya victims were largely concentrated in the Ukraine, along with Russia. The initial infection vector is believed to be the update mechanism for Ukrainian financial software provider MeDoc, but other points of entry emerged in the early hours of the infection, including a watering hole attack using the government website for the Ukrainian city of Bakhmut. Microsoft said it had a definitive link between MeDoc and NotPetya distribution, something the software provider’s executives denied.
NotPetya had a lot of earmarks of WannaCry, which hit organizations worldwide a month earlier, riding on the coattails of the leaked EternalBlue NSA exploit.
But it was quickly apparent that this was no ransomware attack. Code within the malware made it impossible to recover encrypted files, and the payment setup was also flawed. Instead, it was quickly determined NotPetya’s wiper capabilities were the true mission behind the malware, which was much more complex and capable than WannaCry.
Microsoft’s analysis of the attack points out that NotPetya drops a credential-stealing tool on vulnerable computers that seeks out valid domain credentials, and then begins scanning subnets looking for open port 445 connections. Upon finding one, it tries to execute the wiper malware using native Windows tools PSEXEC or WMIC.
The attack did have financial impact on Merck, as it was forced to adjust its outlook for the rest of the year because of the disruptions caused by NotPetya. The Financial Times reported last week that Merck chief financial officer Robert Davis lamented the pharmaceutical giant’s forecast—which did increase—would have been higher if not for the attack.