Merck wins a court dispute with insurance companies for US$1.4 billion in losses due to the NotPetya attack. This was a cyberattack in 2017 deployed by Russia in its conflict with Ukraine (via Bloomberg).
Merck Wins in Court
The pharmaceutical giant had sue its insurers for damages it suffered from NotPetya. On January 13, New Jersey Superior Court Judge Thomas J. Walsh ruled that insurers can’t claim the Act of War clause because they didn’t tell companies that cyberattacks wouldn’t be covered in the contract. This clause refers to physical armed conflict.
It’s seen as a win for companies because cyberattacks have increased in the past few years, especially in 2021. “The question of whether a cyberattack counts as an act of war is one piece of a broader insurance industry ‘reckoning.'”
The Not Petya Attack
Called “the worst cyberattack in history” it affected scores of companies, ports, and government agencies. Pretending to be ransomware, it encrypted systems and demanded $300 in bitcoin to decrypt.
It made use of EternalBlue, a penetration tool created by the U.S. National Security Agency and leaked in 2017. This tool takes advantage of a then-flaw in Windows that let hackers remotely run their malicious code. Another tool called Mimikatz pulled login passwords from the computers’ memory.
It was called NotPetya because of its similarities to Petya, a piece of ranswomare uncovered in 2016. But NotPetya’s ransom demands were fake, and the machines were completely scrambled. Although Russia targeted Ukraine, it spread to other companies and countries, even back to Russia. A White House assessment put the total damages of the NotPetya attack at over US$10 billion.