Pierluigi Paganini January 06, 2024

Merck has resolved a dispute with insurers regarding a $1.4 billion claim arising from the NotPetya malware incident.

Merck and its insurers have agreed with a $1.4 billion claim arising from the large-scale NotPetya cyberattack.

Merck & Co., Inc., known as Merck Sharp & Dohme (MSD) outside the United States and Canada, is an American multinational pharmaceutical company. It is one of the largest pharmaceutical companies globally, engaged in the research, development, manufacturing, and marketing of a wide range of healthcare products.

Merck filed a $1.4 billion insurance claim for the losses caused by the NotPetya attack that took place in 2017. In August 2017, the pharmaceutical company revealed that the massive NotPetya cyberattack disrupted its worldwide operations.

The news was part of Merck’s financial results announcement for the second quarter of 2017, according to the pharmaceutical giant the ransomware destructed operations in several critical sectors, including manufacturing, research, and sales.

The analysis conducted on the ransomware revealed it was designed to look like ransomware but was wiper malware designed for sabotage purposes.

Attackers might have used a diversionary strategy to hide a state-sponsored attack carried out by Russia on Ukraine critical infrastructure.

Experts from Kaspersky’s conducted a similar research that led to a similar conclusion.

Unlike other ransomware, Petya does not encrypt files on the infected systems but targets the hard drive’s master file table (MFT) and renders the master boot record (MBR) inoperable.

Merck had not taken out specific insurance to cover cyber attacks, it only had insurance coverage against general risks.

The NotPetya attack was considered by many cyber security experts as an act of silverware against Ukraine, however, it caused billions of dollars of losses to organizations worldwide.

These organizations were not the real targets of the attack, and insurers claimed that the damage was caused by an act of war explicitly excluded by the insurance.

In January 2022, Judge Thomas J. Walsh of the New Jersey Superior Court ruled in favor of the pharmaceutical firm. The judge ruled that it was not correct to apply the clause that excluded the damage caused by an act of war. The insurers appealed, but in May, the Superior Court of New Jersey Appellate Division ruled in favor of Merck in its $1.4 billion claim against the insurers.

The Judge did not recognize the attribution of the attack to a nation-state actor, but the insurers appealed again without success.

Follow me on Twitter: @securityaffairs and Faceboo and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, NotPetya)