FedEx: TNT NotPetya infection blew a $300m hole in our numbers

FedEx has estimated this year's NotPetya ransomware outbreak cost it $300m in lost business and cleanup costs. Most of the victims of June’s NotPetya epidemic were based in Ukraine, but several global corporations were also infected by the software nasty – including shipping giant Maersk, ad behemoth WPP, pharmaceutical beast …

  1. TaabuTheCat

    $300M!!

    "Holy crap!" said every CEO in America. "Let's convene an emergency meeting of the Board and all the IT/Security department heads and find out exactly what's needed in the 2018 budget to prevent it happening here!"

    And then I woke up.

    1. Voland's right hand Silver badge

      Re: $300M!!

      It is "holy crap", but from a different department - the "find excuses for a write-off/declare losses" department.

      So, actually, the reaction at board level was: "Holy crap, why did we not get infected too? We should reduce the security spend".

      1. Fred Flintstone Gold badge

        Re: $300M!!

        It is "holy crap", but from a different department - the "find excuses for a write-off/declare losses" department.

        That's exactly what I thought. To borrow a line from the former New Labour press staff, it was clearly a good time for bad news.

    2. FozzyBear

      Re: $300M!!

      They would, but they got rid of their IT security as a cost saving measure last financial year to ensure their bonuses.

      The emergency meeting is about who they can blame if "when" the excreta hits the fan.

      1. CrazyOldCatMan Silver badge

        Re: $300M!!

        The emergency meeting is about who they can blame if "when" the excreta hits the fan.

        I'm sure that there are plenty of rogue engineers that they can blame.

        In fact, I'm suspecting that these companies will soon be recruiting for the post of "official rogue engineer" - someone who doesn't actually have to do anything, but is prepared to be the sacrificial lamb whenever someone vaguely technical needs to be blamed.

        After all, why spend good money on a large team of people who know what they are doing when you can outsource stuff to a lowest-bid offshore team and keep a sacrificial goat at low cost?

        More bonuses and a pre-prepared fall guy.

        In fact, I think I'm going to patent it and sit back to wait for the sweet, sweet $CURRENCY_UNITS to flow in.

        1. Ochib

          Re: $300M!!

          Sounds like a job for Barney Stinson as his last job title was P.L.E.A.S.E. (Provide Legal Exculpation and Sign Everything)

  2. Anonymous Coward

    Congratulations!

    Can these companies summarize this and send it to all their customers and employees to congratulate them on being collateral damage?

    Wake them up to the importance of international behaviours and misbehaviours by likening this digital fallout to the bogeyman of nuclear fallout? "Kim might blow up Nagoya!" they fret. Putin blowing up something you depend on is more likely, because it has already happened.

    1. Kevin McMurtrie Silver badge

      Re: Congratulations!

      Security is hard but I have this app that will help. Just give it the network password and it will tell you what to do.

    2. Destroy All Monsters Silver badge

      Re: Congratulations!

      > Putin blowing up something you depend on is more likely

      "Clear and present dangers", on page 55 at the bottom, directly before NAZIS detected on Twitter protecting statues of General Lee.

  3. Anonymous Coward

    300m? .. How many 'IT Pros' would that pay for?

    300m gotta hurt! Wonder how many IT souls they could have hired for that in the meantime??? But no, 'Tight-Ass' corporations that have been shit-canning & outsourcing IT / Tech staff for years, since the 90's... So hey, time to reap the whirlwind fuckers... And meantime look at what Fed-Ex are still doing:

    ~~~~~~~~~~~~~~~~

    https://www.theregister.co.uk/2017/03/24/fedex_paying_five_dollars_to_install_flash/

    "FedEx will deliver you $5.00 just to install Flash. That page offers a link to download Flash, which is both a good and a bad idea. The good is that the link goes to the latest version of Flash, which includes years' worth of bug fixes. The bad is that Flash has needed bug fixes for years and a steady drip of newly-detected problems means there's no guarantee the software's woes have ended. Scoring a $5 discount could therefore cost you plenty in future."

    1. a_yank_lurker

      Re: 300m? .. How many 'IT Pros' would that pay for?

      AC - Security, as well as other areas of IT, demands competence, and competence does not come cheap. Dumbsourcing IT is a guarantee of a disaster waiting to happen. What dumbsourcers forget is that an employee's first loyalty is to the company issuing the paycheck, not to the ultimate client. So if you want first loyalty, the staff needs to be internal, not external.

      1. Christian Berger

        Re: 300m? .. How many 'IT Pros' would that pay for?

        "competence does not come cheap."

        That's not fully true; incompetent people aren't necessarily cheaper than competent ones, because they suffer from the Dunning-Kruger effect and believe they are highly competent.

    2. Christian Berger

      Well, let's estimate

      Well at 100k of costs a year for a decently competent employee, that's 3000 man years.

      The Cray 1 supercomputer took about 100 man years to develop, and so did the 6502. So depending on how you do it, you can design the hardware for your own computer with 200 man years.

      Software is a different question, but writing a UNIX-clone takes a few man years. I know that because I've started writing one based on the FreeRTOS operating system and I got rather far in about half a year. So if you build your software with state of the art security, i.e. making it mostly provable, it'll take something between a hundred and a thousand man hours.

      So essentially they could have gone the route of developing their own systems for exactly their own purposes with state of the art security for less than this cost them. They then would have been sure that there were no fileservers running that they don't want. They would have been sure that their e-mail client wouldn't execute Word macros, etc.

  4. Anonymous Coward

    The clue is in the title

    Inadequate patching

    Incompetent management

    No DRP

    Outsourcing

    Malware

    Literally an explosive recipe that detonated.

  5. Anonymous Coward

    TNT NotPetya infection blew a $300m hole in our numbers

    TNT management incompetence blew a $300M hole in their numbers.

    Everything else is extra detail.
