Ransomware Attack on Merck Caused Widespread Disruption to Operations

New information released last week by pharmaceutical giant Merck reveals that a cyberattack that hit the company on June 27 caused significantly more disruption to its operations than many might have assumed.

In details included during Merck's earnings announcement July 28, the company described the attack as disrupting worldwide manufacturing, research and sales operations, and impacting its ability to fulfill orders for some products in certain markets.

Even more than one month after the attack, certain operations at Merck, continue to be impacted and the company still does not know the full magnitude of the disruption. Merck so far only been able to fully restore its packaging operations since the attack.

Manufacturing and formulation operations are still only in the process of being restored and so too is Merck's Active Pharmaceutical Ingredient (API) operations. Bulk product production, which was halted after the attack, has not yet resumed.

"The company’s external manufacturing was not impacted," Merck noted in its earnings statement.

Neither, apparently, was production of some of Merck's biggest products including cancer drug Keytruda, anti-diabetes medication Januvia, and Hepatitis C drug Zepatier. "In addition, Merck does not currently expect a significant impact to sales of its other top products," it said.

Merck has so far not publicly released technical details of the June 27 cyberattack, so it's not clear just what caused the widespread disruption reported in the earnings announcement. But many security experts believe the company was among the many caught up in the NotPetya ransomware outbreak last month.

Security analysts tracking NotPetya had at the time described it as a more sophisticated version of May's WannaCry global ransomware pandemic. Like WannaCry, NotPetya also attempted to spread via Server Message Block (SMB) shares using EternalBlue, a leaked exploit from the National Security Agency (NSA). Unlike WannaCry, however, NotPetya employed other methods to spread as well and was generally considered more professional and harder to eradicate than its predecessor.

Kaspersky Lab and others tracking the malware estimated that NotPetya hit at least 2,000 organizations globally including Merck, A.P. Moller-Maersk of Denmark, metal giant Evraz of Russia, and Ukraine's Boryspyl Airport.

Merck is the second major organization in recent weeks to publicly disclose a major disruption after a ransomware attack. In June, automaker Honda disclosed that it had to shutter a manufacturing plant in Sayama Japan for a couple of days after WannaCry infected plant floor systems at the facility. Production on some 1,000 vehicles was disrupted as a result of the shutdown.

"When it comes to ransomware and how it takes hold in every organization, nothing surprises me anymore," says Eldon Sprickerhoff, founder and chief security strategist of eSentire. "Best practice in manufacturing environments will mandate a strong network segregation stance between corporate and industrial, but the reality is that there are always access overlaps."

Such incidents highlight the need for any organization with highly sensitive networks to conduct risk assessments to identify critical assets, identify all access methods, and to identify the risks to those assets via the access methods.

They need to identify the controls they have in place to determine if they are sufficient and continuously monitor for signs of exploits and compromise, Sprickerhoff says.

Related content: