Maersk ransomware attack now thought to be a wiper

Via World Cargo News

IT experts now believe the version of Petya that caused havoc at APM Terminals this week is not ransomware at all, but a wiper – an application that overwrites data permanently.

The initial cyber attack shut down systems and posted a ransom demand for $300 worth of bitcoins per computer to be paid for the release of data. Some 17 terminals in the APM Terminals network around the world were reported to be affected, though this number was not confirmed by APM Terminals.

Most of the businesses and organisations (including state-owned infrastructure operators) hit were in the Ukraine, and there is now speculation that the attack was politically motivated. Very little ransom money has been paid, and IT experts think that the version of Petya that was used has been programmed to overwrite data permanently, so it can never be retrieved.

Maersk said the incident is “contained”, and while a number of systems are still shut down, Maersk Line can still take bookings through INTTRA. It issued the following statement:

“The issue remains contained and we continue to work towards technical recovery. A number of IT systems are deliberately shut down across multiple sites and select business units, also impacting email systems. Business continuity plans are being implemented and prioritized.

We continue to assess the situation. Until this analysis is complete, we cannot be specific about how many sites and locations are affected or when normal business operations are restored. The aggregate impact on our business is being assessed.

Our focus is on ensuring the best business continuity possible for our customers and business partners. We are collaborating with IT experts including national cyber-crime agencies and IT industry leaders, to reinstate services safely and without further disruption.

Maersk entities Maersk Oil, Maersk Drilling, Maersk Supply Services, Maersk Tankers, Maersk Training, Svitzer and Maersk Container Industry (MCI) remain operationally unaffected.

All Maersk Line vessels continue to be under control, employees are safe and communication to crew and management onboard is functioning. We are able to accept bookings again via INTTRA, the world’s largest booking platform.

The majority of our terminals are now operational. Some of these terminals are operating slower than usual or with limited functionality. APM Terminals continue to work towards full restoration of its IT systems.

Damco has limited access to certain systems. A business continuity plan has been deployed with a key focus on protecting customers’ cargo flows.”

There was plenty of talk at the TOC Europe conference in Amsterdam about the attack, some of which suggested that the virus gained access through an email attachment, but a source within APM Terminals said that was incorrect.
