Merck in $1.3B showdown with insurers over 2017 ransomware attack — Bloomberg
When Merck was hit with a ransomware attack in 2017, the pharma giant was in fact just collateral damage from a virus Russia aimed at Ukraine, and the company is struggling to recoup its losses because its $1.75 billion insurance plan doesn’t cover acts of war.
Those are details from a richly reported Bloomberg News story out yesterday exploring how a geopolitical fight in Eastern Europe accidentally entangled a New Jersey-based pharmaceutical company and sparked lawsuits with major ramifications for the future of insurance and cybercrime.
Merck employees logging on to their computers on June 27, 2017 were greeted with a polite message in pink letters: “Ooops, your important files are encrypted. … We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment.” The payment was $300 in bitcoin, per computer.
Early on, it was clear that Merck was one victim of a global attack that also hit Danish shipping company Maersk, American food company Mondelez, French construction giant Saint-Gobain and even the systems monitoring the Chernobyl nuclear power stations, among others.
Unlike Chernobyl, though, it appears that Merck was not an intended target. The attack was dubbed NotPetya, a creation of the GRU Russian military intelligence agency (the same one that attacked the Democratic National Committee), and it was designed to strike companies and agencies in Ukraine, a country that had been in conflict with Russia since 2014. But, per Bloomberg, NotPetya contaminated a tax software application, M.E.Doc, that was running on a server in Merck’s Ukraine office.
From there, it spread to the pharma giant’s headquarters, where it would eliminate — in some cases — years of research, cripple Gardisal 9 production facilities and eventually cause (by Merck’s estimate) $1.3 billion in damages. Merck, though, had a property insurance plan worth up to $1.75 billion that covered computer data, coding and software (after a $150 million deductible). But when Merck went to activate the plan, most of their 30 insurers rejected them. Your plan doesn’t cover damages from military action, they told “shocked” Merck officials.
What followed were, not surprisingly, a string of lawsuits, with Merck claiming that it was hit by a cyber — not a military — event. These lawsuits, Bloomberg reports, are being watched for the precedents they may set around how future cybercrime is classified.
The insurers are trying to prove two things: that the attack really did come from Russia and that Merck was not as vigilant as it could have been in protecting their data. Merck, as Endpoints News reported shortly after the attack, had missed two opportunities to inoculate themselves against the virus before they were struck.
On Russia, the insurers have gotten a hand from the White House. Last year, the Trump Administration wrote without equivocation that the attack “was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict.”
“When the president of the United States comes out and says, ‘It’s Russia,’ it’s going to be hard to fight,” Jake Williams, a former National Security Agency hacker who now helps companies hunt for vulnerabilities in their computer networks, told Bloomberg. “I’ll be surprised if the insurance companies don’t get a win. This is as solid a case as they’re going to get.”
But some legal experts expressed greater skepticism of the insurers’ case. All signs may point to Russian culpability but when it comes to cyber, it’s not clear what military action means.
“It’s not going to be an easy case for a judge in the U.S. to declare that this was an act of war,” Catherine Lotrionte, a former CIA lawyer who’s taught at Georgetown University, told Bloomberg.