Financial Impact of NotPetya Ransomware Keeps Rising

Pharmaceutical vendor Merck is the latest multi-national firm to report financial losses from the NotPetya ransomware attack in June 2017.

New Wave WannaCry

Multiple organizations over the course of 2017 have attempted to quantify the impact of ransomware with varying results. One of the best sources on measuring the financial impact of ransomware so far has become looking at the financial earnings of companies that have been victims of ransomware.

The latest public company to reveal the impact that ransomware has had on its operations is pharmaceutical vendor Merck, which was hit by the NotPetya outbreak in June 2017.

"Sales in the third quarter of 2017 were reduced by approximately $240 million due to a borrowing from the U.S. Centers for Disease Control and Prevention Pediatric Vaccine Stockpile of GARDASIL 9 (Human Papillomavirus 9-valent Vaccine, Recombinant), a vaccine to prevent certain cancers and other diseases caused by HPV, driven in part by the temporary production shutdown resulting from the cyber-attack, as well as overall higher demand than originally planned," Merck stated in its third quarter fiscal 2017 8-K filing.

"Additionally, as expected, revenue was unfavorably impacted by approximately $135 million from lost sales in certain markets related to the cyber-attack," Merck stated.

As a result, the NotPetya cyber-security ransomware incident, the financial impact to Merck was as much as $375 million in terms of lost sales and borrowing costs. Merck first warned that it was a victim of NotPetya in July 2017, when the company disclosed its second quarter fiscal 2017 financial results.

"On June 27, 2017, the company experienced a network cyber-attack that led to a disruption of its worldwide operations, including manufacturing, research and sales operations," Merck stated.

The NotPetya attack first appeared at the end of June, with initial reports showing the impact limited to the Ukraine. As it turns out, the NotPetya ransomware attack was global, with multiple multi-national corporations reporting that their operations were impacted. Among the multi-national public corporations that have admitted to being victims of NotPetya is consumer product vendor Reckitt Benckiser which has not yet fully calculated the total financial impact of the ransomware attack.

"We signaled in July that we expected a significant impact on supply from the cyber-attack in Q3, "Reckitt Benckiser  stated in its 3Q17 reported released on Oct. 18. "We estimate that supply availability reduced sales by about 2 percent in the quarter."

Shipping company Maersk reported on Aug. 16 that its operations were impacted by the NotPetya attack, sustaining between $200 to 300 million in financial loses as a result. Delivery company FedEx's TNT business unit also suffered loses as a result of NotPetya.

"The worldwide operations of TNT Express were significantly affected during the first quarter by the June 27 NotPetya cyberattack," FedEx reported in its first quarter fiscal 2018 financial report, which was released on Sept. 19. "Operating results declined due to an estimated $300 million impact from the cyber-attack."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.