The NotPetya wiper malware that disrupted global business operations under the guise of a ransomware attack took an especially high toll on the finance, oil and gas and manufacturing industries. According to figures released by Kaspersky Lab, roughly 82 percent of attacked companies belonged to these three sectors.
Among all industries, bank and finance companies were hit by 32 percent of NotPetya attacks. Oil and gas corporations saw around a 25 percent share of infections, and manufacturing companies were hit just under 25 percent of the time. Health care was on the receiving end of NotPetya around six percent of the time, followed by the food and beverage, trade, construction, and pharmaceutical industries.
The findings further support the theory by a number of cyber researchers that the attack's true intention was not to generate money via extortion payments, but rather to deal harm to key businesses, specifically those based in Ukraine. Kaspersky reported that 60 percent of NotPetya infections took place in Ukraine, while Russia experienced just over 30 percent.
Poland saw about a five percent share of infections, followed by Germany, Belarus, Brazil, Estonia, the Netherlands, Turkey and the U.S. (with less than one percent). Even though Russia had the second-highest share of infections, Moscow has emerged as a major suspect, considering its history of launching cyber operations against Ukraine, including wiper malware campaigns.
Kaspersky also cited a tweet from Costin Raiu, director of its global research and analysis team, who reported that attackers distributed NotPetya using a watering hole attack, in addition to previously known infection vectors. In this instance, the website compromised to infect visitors was "bahmut.com.us/news/", a news and information site for the city of Bakhmut, in the Donetsk region of Ukraine.
Indeed, there have been multiple reports of companies recovering, or struggling to recover, from NotPetya's destruction. For instance, Reuters reported that, as of Thursday, June 29, several international port terminals run by a division of Danish shipping company Maersk were unable to resume normal operations, even with the cargo booking system back up and running. An update posted on Maersk's web page on Friday said that the company expects to "return to a close-to-normal environment" by Monday, July 3.
"Cargo is being moved in and out of ports almost everywhere around the world. Almost all ports within the APM Terminals global portfolio are operational," the announcement continues. "We are pleased to report that since yesterday, we have been able to reestablish business in our terminals in Algeciras, Tangier, Callao Lima, Mumbai, Itajai and Buenos Aires."
Financial damage to attacked companies can come in a variety of forms, cautioned Jonathan Bensen, director of security products for Centrify, noting that the U.S. pharmaceutical company Merck saw its stock decline after it was impacted by NotPetya. "And the long-term impact could be greater," he added.
On Thursday, British advertising and PR company WPP declared in an online statement that while many of its companies are "fully functional," others "continue to be disrupted." The company said it is making "steady progress" toward restoring services.
Also, on Thursday, the Wall Street Journal reported that Princeton Community Hospital in rural West Virginia would have to "scrap and replace its entire computer network" after its systems were disrupted beyond repair.