FedEx May Have Permanently Lost Data Encrypted by NotPetya

FedEx-owned international delivery services company TNT Express is still working on restoring systems hit last month by the destructive NotPetya malware attack, but some business data may never be recovered, FedEx said in a Securities and Exchange Commission (SEC) filing this week.

NotPetya (also known as Nyetya, PetrWrap, exPetr, GoldenEye, and Diskcoder.C) infected tens of thousands of systems, including ones belonging to major organizations, in more than 65 countries. Many of the victims were located in Ukraine, which is not surprising considering that the main attack vector was the update system of M.E. Doc, an accounting tool developed by Kiev-based tax software firm Intellect Service.

The infosec community initially believed NotPetya was a piece of ransomware, similar to WannaCry. However, closer analysis revealed that it was actually a wiper and it was unlikely that victims could recover their files, even if they paid the ransom.

TNT Express, whose Ukraine office uses the compromised tax software, was hit hard by the attack, which led to FedEx temporarily suspending trading of its shares on the New York Stock Exchange. It’s worth noting that FedEx was also impacted by the WannaCry attack.

In its annual report with the SEC on Form 10-K for fiscal year 2017, FedEx said the attack did not affect any other of its companies. While there is no evidence that any data was stolen by malicious actors from TNT systems, the attack had a significant impact on the company’s operations and communications.

A majority of TNT services are available by now, but FedEx informed customers of possible delays in service and invoicing due to the use of manual processes. The company is working on restoring critical systems, including operational, finance, back-office and secondary business systems, but it’s unclear how long the process will take.

Furthermore, FedEx believes it’s “reasonably possible” that TNT will not be able to fully restore all affected systems and recover all the critical business data encrypted by NotPetya.

“Given the recent timing and magnitude of the attack, in addition to our initial focus on restoring TNT operations and customer service functions, we are still evaluating the financial impact of the attack, but it is likely that it will be material,” FedEx said in a press statement. “We do not have cyber or other insurance in place that covers this attack. Although we cannot currently quantify the amounts, we have experienced loss of revenue due to decreased volumes at TNT and incremental costs associated with the implementation of contingency plans and the remediation of affected systems.”

FedEx is not the only shipping company hit by NotPetya. Danish shipping giant A.P. Moller-Maersk also had its systems infected, which prevented it from accepting new orders. Maersk-owned APM Terminals, a global port and cargo inland services provider, was also affected, causing problems at major ports in the United States and Europe.

According to Reuters, Maersk admitted that its antivirus software was not effective against the NotPetya malware, and the company now claims to have implemented additional security measures to prevent future incidents.