Virus (cough, cough, Petya) goes postal at FedEx, shares halted

FedEx has suspended trading of its shares on the New York stock exchange after admitting that its subsidiary TNT Express has been hit by "an information system virus." The big package giant said no information had been stolen by the cyber-nasty and only some offices of TNT Express appear to have been disrupted. After yesterday …

  1. frank ly

    What's in a name?

    Some newspapers (The Independent) say that it's called GoldenEye. Does anyone know where that comes from? Maybe there should be public suggestions and a vote but that would probably give us "Virus McVirusface".

    1. Palpy

      Re: What's in a name, Goldeneye?

      I read something similar. However, the screenshots I've seen don't match the "GoldenEye" theme -- cue Bond music -- although Petya, NotPetya, and Goldeneye seem to share some code. But I know nothing, really.

    2. EnviableOne

      Re: What's in a name?

      In the original Goldeneye, "Petya" is the admin-mode MFT encryption bit and "Mischa" is the user-mode ransomware; together with mimikatz they make "Goldeneye".

      As in the film, the two satellites "Petya" and "Mischa" make the Goldeneye weapon.

      NotPetya uses mostly (modified) Petya code for the admin-mode bit and the Goldeneye execution/enumerator bit, tacks on a multi-headed worm spreader (WMI/PsExec/ETERNALBLUE, depending on privilege) and a whole new user-mode ransomware.

      Hence this needs a new name, and all the others are wrong. Hence NotPetya (because it's just not).

  2. Gene Cash Silver badge

    Somehow I read that "FedEx has suspended trading of its network shares on the New York stock exchange" and thought "that's a strange way of doing it..."

  3. Alister

    Am I right in thinking FedEx got hit by the original WannaCry as well?

  4. ma1010

    Well, MAYBE this will get their attention

    Obviously these large multinationals aren't securing their networks properly. Perhaps after they all lose lots of $ from this attack, just PERHAPS, instead of listening to the bean counters and MBA types that tell them not to spend a penny on "unproductive" things like network security, they will listen to somebody who knows what they're talking about.

    Well, I can dream, can't I?

    1. Boris the Cockroach Silver badge

      Re: Well, MAYBE this will get their attention

      Or more likely

      An idiot user was using a work PC to do some personal business and a friend e-mailed him the virus.

      And despite the big sign nailed to the monitor saying "don't open attachments".....

      Or a USB stick with some music on it... or any one of half a dozen ways the users get round the restrictions put on work computers to stop the bastards buggering everything up.

      1. Anonymous Coward

        Re: Well, MAYBE this will get their attention

        >or any one of 1/2 dozen ways the users get round the restrictions put on works computers to stop the bastards buggering everything up<

        "LUSERS, LUSERS EVERYWHERE!"

        Mike Andrews in A.S.R.

        1. Triggerfish

          Re: Well, MAYBE this will get their attention

          "LUSERS, LUSERS EVERYWHERE!"

          Mike Andrews in A.S.R.

          And not a cattle prod in hand.

          Although after dealing with them 'not a drop to drink' works just as well. :)

      2. Voland's right hand Silver badge

        Re: Well, MAYBE this will get their attention

        An idiot user was using a work PC to do some personal business and a friend e-mailed him the virus.

        That is exactly the point of having a secure network. Any number of users can do it and the infection should remain contained to them only (ideal case) or a very small pocket which can be surgically removed and replaced.

    2. Mark 85

      Re: Well, MAYBE this will get their attention

      Nah... won't happen, as the bean counters will say "don't spend money on prevention because the fixes are a better tax write-off" or some such malarkey.

      1. Doctor Syntax Silver badge

        Re: Well, MAYBE this will get their attention

        "the fixes are a better tax write-off" or some such malarkey.

        It's not only the fixes that cost or even the immediate losses of business during the downtime. It's the loss of confidence by customers. It's also the increased insurance premiums. In fact, if this starts causing serious losses to insurance customers businesses all over, irrespective of whether they've been hit, will start to see their insurers stipulating the precautions they're going to have to take before they get cover.

    3. Anonymous Coward

      Re: I think we're a long way off still.

      Not to defend bad security practices, but so far the attacks haven't been successful enough to make a difference. What I mean by that is the ransomware outages have been resolved after a few days, and the loss of a day or two's worth of work is not enough to scare the bean counters into investing in security.

      No, we need outages that last weeks at a time. Most businesses plan ahead enough to allow themselves to lose a day or two every once in a while, because there are plenty of other external, non-technology factors that could stop a business for a short period, such as natural disasters. But if you stop a business from functioning for several days straight, then it's enough to cause the investors to bail, and that's when the C-levels finally get a clue.

      1. Meph

        Re: I think we're a long way off still.

        "What I mean by that is the ransomware outages have been resolved after a few days, and the loss of a day or two's worth of work is not enough to scare the bean counters into investing in security."

        This depends largely on two factors, the size of your workforce, and their ability to maintain limited functionality during the outage. If you have ~100 staff at a site that is completely off the grid for 48 hours, and those staff are paid an average of $50k a year, that's close to $30k that you've poured down the drain. If you can implement more effective security controls for less than that, you've just shot yourself in the foot.

        The trick now is for clever IT people to use the hype around this outbreak to claw back some of their operating budgets from the bean counters.

        1. Fat_Tony

          Re: I think we're a long way off still.

          "staff are paid an average of $50k a year, that's close to $30k that you've poured down the drain"

          PHB solution - pick someone who might be responsible, fire them and it's a $20k cost reduction/saving

          Trebles all round

    4. Anonymous Coward

      Re: Well, MAYBE this will get their attention

      > Well, I can dream, can't I?

      Hah. The bean counters are probably admiring the speed at which the virus was 'delivered' around the world and wishing they could somehow copy it to make Fedex just as fast!

      1. DailyLlama

        Re: Well, MAYBE this will get their attention

        I'm sorry, there was nobody at home when we called, so I've left the virus with your neighbour.

  5. Anonymous Coward

    Today of all days

    So today, after hearing all the hubbub about NotPetya, our sales drone wanders over to me. "Hey, I sent you an email to look at. $CUSTOMER sent an order, but I can't open the attachment."

    No cattle prod handy, so I went to review the email. Well, it claims to be from $CUSTOMER, but the return email address is from a completely different domain. The subject line just says something like "ORDER 12-3453". The "attachment" is a link to a dodgy looking URL. Oh, and this customer deals with internal sales, not external sales... and they're intelligent enough to compose emails with coherent sentence structure and full paragraphs when they do place orders.

    AV ran clean on sales dude's PC, so there's no traces of quicklime on my keyboard today. (single floor building, no open windows or elevator shafts to play with either).
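The tells listed in the post above (the customer's name on a From address in some other domain, a bare "ORDER 12-3453" subject, an "attachment" that is really a link to a host that is not the customer's) are exactly what a first-pass triage script can score before anyone clicks. The following is an added example, not the commenter's code or any mail gateway's; the message it scores is constructed for illustration, and example-customer.com, mail-notify-center.example.net and docs-download.example.net are placeholder domains.

```python
"""Triage checks for an order-confirmation phish of the kind described above.

Added example, not from the original post. It scores a raw RFC 5322 message on
the tells the commenter spotted: the claimed sender's domain does not match the
actual From/Return-Path domain, the body talks about an attachment but only
carries a link, and the link's host is not the claimed customer's domain.
The sample message and all domains below are constructed for this example.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the "customer" is example-customer.com (an assumed domain);
# the real sender and the linked host are somewhere else entirely.
SAMPLE_EMAIL = """\
From: "Example Customer Purchasing" <orders@mail-notify-center.example.net>
Return-Path: <bounce@mail-notify-center.example.net>
Reply-To: <orders@mail-notify-center.example.net>
To: sales@victim.example.org
Subject: ORDER 12-3453
Content-Type: text/plain; charset=utf-8

Please find order attached
http://docs-download.example.net/invoice/12-3453.zip
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
ATTACH_RE = re.compile(r"\battach(?:ed|ment)\b", re.IGNORECASE)


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address, or ''."""
    _, address = parseaddr(addr)
    return address.rpartition("@")[2].lower()


def triage(raw: str, expected_domain: str) -> dict:
    """Score a raw message; expected_domain is the customer's real domain.

    Returns one boolean per check plus 'score' (number of checks that fired)
    and the list of URLs found in the body.
    """
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = URL_RE.findall(text)

    from_domain = domain_of(msg.get("From", ""))
    return_domain = domain_of(msg.get("Return-Path", ""))
    reply_domain = domain_of(msg.get("Reply-To", "") or msg.get("From", ""))
    has_real_attachment = any(
        part.get_content_disposition() == "attachment" for part in msg.walk()
    )

    findings = {
        # Display name invokes the customer, but the address is elsewhere.
        "sender_domain_mismatch": from_domain != expected_domain.lower(),
        # Bounce or reply addresses point somewhere other than the From domain.
        "return_path_mismatch": bool(return_domain) and return_domain != from_domain,
        "reply_to_mismatch": reply_domain != from_domain,
        # "Attachment" that is really a link: no MIME attachment, but a URL.
        "attachment_is_link": (
            bool(ATTACH_RE.search(text)) and not has_real_attachment and bool(urls)
        ),
        # Any linked host outside the customer's domain.
        "link_host_mismatch": any(
            not (urlparse(u).hostname or "").endswith(expected_domain.lower())
            for u in urls
        ),
        # Generic "ORDER 12-3453" subject with no other context.
        "generic_order_subject": bool(
            re.fullmatch(r"\s*(?:RE:\s*)?ORDER\s+[\d-]+\s*", msg.get("Subject", ""), re.I)
        ),
    }
    findings["score"] = sum(1 for v in findings.values() if v is True)
    findings["urls"] = urls
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL, "example-customer.com").items():
        print(f"{key:24} {value}")
```

The display-name check is the one that catches this sample: the From header reads "Example Customer Purchasing" but `domain_of` sees mail-notify-center.example.net. The Return-Path and Reply-To checks do not fire here because the sender was at least consistent about the domain they actually used; a genuine message from the customer with a portal link on their own domain scores zero.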

    1. Doctor Syntax Silver badge

      Re: Today of all days

      "single floor building, no open windows or elevator shafts to play with either"

      You need a better working environment.

      1. Triggerfish

        Re: Today of all days

        "single floor building, no open windows or elevator shafts to play with either"

        You need a better working environment.

        It seems the office chair when it rolled back severed the wire, and as you know metal frames and electricity......

    2. Anonymous Coward

      Re: Today of all days

      > so there's no traces of quicklime on my keyboard today.

      That is why you keep forensic bunny suits, gloves and overshoes in the consumable stores along with the "desiccant".

  6. DerekCurrie

    If Only "Professional" IT Staff Updated Their Computer OS Software

    But they're NOT professional and they did NOT bother to update their OS software.

    Microsoft has provided patches for Windows XP on up through Windows 10 that block ALL of the ongoing ransomware assaults. Here's a clue to lazy IT staff, where you can obtain all the required Windows updates you should have already installed:

    http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

    That wasn't hard to find. You have NO excuse.

    1. Doctor Syntax Silver badge

      Re: If Only "Professional" IT Staff Updated Their Computer OS Software

      "Microsoft has provided patches for Windows XP on up through Windows 10 that block ALL of the ongoing ransomware assaults."

      Are you sure? From a previous Reg article:

      The malware performs a scan of the network for vulnerable SMB file-sharing services so that it can spread via EternalBlue and EternalRomance. It also scans the computer's RAM to harvest login credentials – preferably any admin or domain admin creds present – so that these too can be used to spread the malware via remote command-line tools PsExec and WMIC. These latter pair appear to be the primary method of propagation.

      "You have NO excuse."

      If I had a £ for every post which effectively says "Works for me so if it doesn't work for you it's your fault" I'd be rich. Maybe they're more informative about the breadth of experience of the posters than of anything else.

      Admins do not all have the final word in policies. Very likely there'll be some who have been forbidden from patching because "we can't afford the downtime". In my time I've had a couple of similar blocks imposed on Unix migrations (and a very bad migration platform choice imposed on me). The businesses may - arguably - have got what they deserve, the admins not necessarily so.

      1. dan1980

        Re: If Only "Professional" IT Staff Updated Their Computer OS Software

        Yes, everyone seems to expect agility, stability and security all at once. On the cheap, of course.

        1. CrazyOldCatMan Silver badge

          Re: If Only "Professional" IT Staff Updated Their Computer OS Software

          everyone seems to expect agility, stability and security all at once.

          "Fast, good, cheap - pick any two"..

    2. theblackhand

      Re: If Only "Professional" IT Staff Updated Their Computer OS Software

      Endpoint AV/malware prevention tools or web/mail scanning were the only ways of preventing some form of encryption if you were hit within the first 12 hours...

      Patching stopped one vector for the spread, but others were still available.
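Both the Register description quoted above (harvested credentials feeding PsExec and WMIC, with EternalBlue as a secondary path) and theblackhand's point that patching only closed one vector argue for detecting the legitimate-tool spread on endpoints and on the wire, and for containing it with the kind of segmentation Voland's right hand describes earlier in the thread. The following is an added example, not code from the article, the thread or any product: it runs a few such rules over a constructed JSON-lines extract of Windows event records. The hostnames, addresses, the workstation range 10.10.4.0/22 and the payload path are assumptions made for the example.

```python
"""Detecting the PsExec/WMIC spread described in the quoted Register text.

Added example, not code from the original article, the thread or any vendor.
It runs a few rules over constructed JSON-lines Windows event records (7045
service installed, 4688 process created, 5156 connection permitted) and also
flags workstation-to-workstation SMB, the traffic a segmented network would
block. Hostnames, the address range and the payload path are assumptions.
"""
import ipaddress
import json
import ntpath
from collections import defaultdict

# Assumed workstation range; take this from your DHCP scopes in real use.
WORKSTATION_NETS = [ipaddress.ip_network("10.10.4.0/22")]
SMB_SCAN_THRESHOLD = 5  # distinct peer workstations on 445 before we call it a scan
# Children WmiPrvSE.exe should not be spawning on a workstation.
WMI_CHILDREN_OF_INTEREST = {"rundll32.exe", "cmd.exe", "powershell.exe", "regsvr32.exe"}

# Constructed sample log: WS-0102 (10.10.4.17) pushes a payload to WS-0417
# (10.10.4.23) via WMIC and PsExec, then probes five neighbours on 445.
SAMPLE_LOG_LINES = r"""
{"time": "2017-06-27T13:01:50Z", "host": "WS-0102", "event_id": 4688, "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "ParentProcessName": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
{"time": "2017-06-27T13:02:03Z", "host": "WS-0102", "event_id": 4688, "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentProcessName": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "wmic.exe /node:\"10.10.4.23\" /user:\"CORP\\svc_backup\" /password:\"REDACTED\" process call create \"C:\\Windows\\System32\\rundll32.exe C:\\Windows\\payload.dll,#1\""}
{"time": "2017-06-27T13:02:04Z", "host": "WS-0417", "event_id": 4688, "NewProcessName": "C:\\Windows\\System32\\rundll32.exe", "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\payload.dll,#1"}
{"time": "2017-06-27T13:02:11Z", "host": "WS-0417", "event_id": 7045, "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}
{"time": "2017-06-27T13:02:12Z", "host": "WS-0417", "event_id": 7045, "ServiceName": "CorpAgent", "ImagePath": "C:\\Program Files\\CorpAgent\\agent.exe"}
{"time": "2017-06-27T13:02:20Z", "host": "WS-0102", "event_id": 5156, "SourceAddress": "10.10.4.17", "DestAddress": "10.10.1.5", "DestPort": 445}
{"time": "2017-06-27T13:02:21Z", "host": "WS-0102", "event_id": 5156, "SourceAddress": "10.10.4.17", "DestAddress": "10.10.4.18", "DestPort": 445}
{"time": "2017-06-27T13:02:21Z", "host": "WS-0102", "event_id": 5156, "SourceAddress": "10.10.4.17", "DestAddress": "10.10.4.19", "DestPort": 445}
{"time": "2017-06-27T13:02:22Z", "host": "WS-0102", "event_id": 5156, "SourceAddress": "10.10.4.17", "DestAddress": "10.10.4.20", "DestPort": 445}
{"time": "2017-06-27T13:02:22Z", "host": "WS-0102", "event_id": 5156, "SourceAddress": "10.10.4.17", "DestAddress": "10.10.4.21", "DestPort": 445}
{"time": "2017-06-27T13:02:23Z", "host": "WS-0102", "event_id": 5156, "SourceAddress": "10.10.4.17", "DestAddress": "10.10.4.22", "DestPort": 445}
{"time": "2017-06-27T13:03:01Z", "host": "WS-0417", "event_id": 5156, "SourceAddress": "10.10.4.23", "DestAddress": "10.10.1.5", "DestPort": 445}
"""


def parse_jsonl(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_workstation(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WORKSTATION_NETS)


def _alert(rule, ev, detail):
    return {"rule": rule, "host": ev.get("host"), "time": ev.get("time"), "detail": detail}


def detect(events):
    """Return a list of alert dicts for the lateral-movement patterns above."""
    alerts = []
    smb_peers = defaultdict(set)  # source IP -> peer workstations reached on 445
    src_host = {}                 # source IP -> hostname that reported it
    for ev in events:
        eid = ev.get("event_id")
        if eid == 7045:
            # PsExec drops and installs PSEXESVC on the target before running anything.
            blob = (ev.get("ServiceName", "") + " " + ev.get("ImagePath", "")).lower()
            if "psexesvc" in blob:
                alerts.append(_alert("psexec_service_install", ev, ev.get("ImagePath", "")))
        elif eid == 4688:
            proc = ntpath.basename(ev.get("NewProcessName", "")).lower()
            parent = ntpath.basename(ev.get("ParentProcessName", "")).lower()
            cmd = ev.get("CommandLine", "").lower()
            # Source side: wmic told to create a process on another node.
            if proc == "wmic.exe" and "/node:" in cmd and "process call create" in cmd:
                alerts.append(_alert("wmic_remote_exec", ev, ev.get("CommandLine", "")))
            # Target side: the WMI provider host spawning a LOLBin.
            elif parent == "wmiprvse.exe" and proc in WMI_CHILDREN_OF_INTEREST:
                alerts.append(_alert("wmi_spawned_process", ev, f"{parent} -> {proc}"))
        elif eid == 5156 and ev.get("DestPort") == 445:
            src, dst = ev.get("SourceAddress", ""), ev.get("DestAddress", "")
            # File servers on 445 are normal; a peer workstation on 445 is not.
            if src and dst and src != dst and is_workstation(src) and is_workstation(dst):
                smb_peers[src].add(dst)
                src_host.setdefault(src, ev.get("host"))
    for src, peers in smb_peers.items():
        alerts.append({"rule": "workstation_smb_lateral", "host": src_host[src], "time": None,
                       "detail": f"{src} reached {len(peers)} peer workstation(s) on 445",
                       "scan": len(peers) >= SMB_SCAN_THRESHOLD})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_jsonl(SAMPLE_LOG_LINES)):
        print(f"{a['host']:8} {a['rule']:24} {a['detail']}")
```

None of the first three rules depends on MS17-010 being unpatched: PsExec service installation and WMIC remote process creation are ordinary Windows features, so they have to be detected (or blocked by a firewall policy that denies 445 and 135 between workstations) rather than patched away. The last rule is the one a segmented network makes redundant, since a workstation should never be reaching its peers on 445 at all; on a flat network it is the earliest network-side sign that the subnet is being swept.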

  7. Anonymous Coward

    Yep, had a call from our TNT area manager earlier today about this. Luckily we use two TNT systems: the web-based MyTNT, which is terrible to use, prints out more paperwork than needed and is basically crap, and then the older, stand-alone Despatch Manager, which looks like it was written for Windows 95, but the consignment numbers are pre-loaded onto the system, so we can produce paperwork and labels all day long with no internet connection until the end of day, when we have to "dial in" to TNT and upload the numbers used; the driver also picks up paper copies of the manifest as well. Hopefully DPD don't get hit though; they are our other courier and their "app" runs off the DPD servers and they like to hiccup occasionally, but usually just until someone in IT reboots at their end.

    All these couriers though, DPD, Interlink Express, Parcel Force, TNT, FedEx: the whole market is consolidating and there are actually only two or three big players now, DPD and FedEx; everyone else is a subsidiary, and customer experience has fallen off a cliff as systems are consolidated and IT departments reduced.

    1. uncommon_sense

      Do you happen to know if GLS is a subsidiary of any of them, or independent?

      1. Anonymous Coward

        GLS in the UK operates as Parcel Force, which I thought was owned by someone else, but is actually still Royal Mail, although Royal Mail Group to give it its full name now; don't know much beyond that I'm afraid. The main reason I found out about who owns who was one day I phoned DPD IT (who are themselves owned by Geopost) support and the guy answered reeling off several courier companies before I could say anything.

      2. This post has been deleted by its author

  8. a_yank_lurker

    An Observation

    I saw a few emails at work today stating there were problems with TNT but not other carriers. A question from ignorance, exactly how does this malware spread?

    1. Doctor Syntax Silver badge

      Re: An Observation

      "exactly how does this malware spread?"

      This should go some way to answering your question: https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/?page=1

  9. Herby

    Attention necessary...

    We also need to get law enforcement involved as well. Somehow make the purveyors of such malware get sent to the gulag, as well as getting all the $$$ refunded. Attach the command and control and lay waste. Maybe they will get the picture.

    We could also ask where are such agencies as the NSA, but maybe it is their covert fund raising technique. Don your metal hats for this one.

    1. CrazyOldCatMan Silver badge

      Re: Attention necessary...

      Somehow make the purveyors of such malware get sent to the gulag

      Given that it very much looks like nation-state malware primarily aimed at attacking Ukraine, your end-point destination is appropriate (if unlikely; more likely is a substantial bonus and as much vodka as the authors could drink...)

      1. Ramazan

        Re: More likely is a substantial bonus and as much vodka as the authors could drink

        as much vodka as the authors could drink in GULAG. If the authors are known, it's still possible for USA or Ukraine to get them jailed or extradited and jailed or caught abroad and jailed.

  10. Anonymous Coward

    "Bastardware"

    I love it, I'm going to have to fit this into an FOI-requestable report for my senior management team.

    1. Sixtysix

      Re: "Bastardware"

      Yep - loved it too. I will also attempt to use "professionally" at least once: may not get away with twice :D

      Actually did a coffee spray, thankfully missed keyboard (close call) but monitors need deep cleanse.

      1. bombastic bob Silver badge

        Re: "Bastardware"

        "Actually did a coffee spray"

        'Bastardware' - it's a new meme - malware written for the apparent purpose of spreading mayhem.

        1. Anonymous Coward

          Re: "Bastardware"

          Nice name, but it's hardly new - the original viruses' only purpose was to upset the users of the infected machines. It's just that modern malware has a new method of getting from machine to machine - the net.

  11. Anonymous Coward

    Oh well....

    ...at least I don't have to keep referring to it as "another logistics" company in my other posts.

    They were one of the first hit (we knew early yesterday morning).

    A/C for obvious reasons.

  12. This post has been deleted by its author

  13. Anonymous Coward

    I used to work at TNT, and my friends that are still there in the depot I worked in have sent me pictures, all the computers have the same display asking for the $300. They said all the computers have been like that since Tuesday afternoon. So when they say slight disruption, they really mean complete panic mode!!

  14. jahill49

    TNT still down after 8 days

    TNT at least in Norway still unable to give status of a parcel that was to be collected in Brussels 8 days ago. Latest word from TNT Customer "Service" is to watch their internet site and they will announce when they are back up !!!!!!!!!!!!!!!!!!!!

  15. Anonymous Coward

    The rumour that I hear is that the malware came in via an update to the accounts software that is used. No DR and limited backups due to outsourcing.
