Incident: Global Ransomware Attack Hits Thousands of Businesses and Institutions

Published Date: 2017-05-15

Postmortem Analysis
Timeline
1. The software failure incident happened in May 2017 [59000].
System
1. Renault's factory floor systems controlling robots [59000]
2. Computers at Renault's Sandouville operation [59000]
3. Ticket vending machines of Deutsche Bahn [59000]
4. Computer systems of FedEx [59000]
5. Computer systems of China's state-run oil company, PetroChina [59000]
6. National Health Service (NHS) computer systems in Britain [59000]
7. Disney systems holding one of its unreleased movies, to which hackers claimed access [59000]
Responsible Organization
1. Hackers who targeted thousands of businesses and institutions, including Renault, Deutsche Bahn, FedEx, and various organizations in China, India, and Russia, with ransomware, causing the software failure incident [59000].
Impacted Organization
1. Renault auto plant in France [59000]
2. Deutsche Bahn, the national railway in Germany [59000]
3. FedEx in the United States [59000]
4. National Health Service (NHS) in Britain [59000]
5. China's state-run oil company, PetroChina [59000]
Software Causes
1. The software cause of the failure incident was a global ransomware hack that affected thousands of businesses, including Renault's auto plant in France [59000].
2. The malware used by the attackers was sophisticated, and the ransomware spread from infected computers to organizations worldwide [59000].
3. The ransomware demanded payment in Bitcoin and threatened to erase data if the ransom was not paid, a software-based extortion tactic [59000].
4. The attack highlighted the growing global problem of ransomware, with an increasing percentage of spam containing ransomware activation links [59000].
Non-software Causes
1. The failure incident at Renault's auto plant in France was caused by a global hack that hit thousands of businesses, leading to the factory shutdown [59000].
2. The ransomware attack affected various organizations worldwide, including universities, hospitals, and businesses, causing disruptions and financial losses [59000].
3. The hackers demanded ransom payments in Bitcoin from affected organizations, such as Deutsche Bahn in Germany and PetroChina in China, impacting their operations [59000].
4. The attack on the National Health Service in Britain disrupted hospitals, clinics, and doctors' offices, leading to patient care delays and rescheduled medical appointments [59000].
Impacts
1. The Renault auto plant in France had to shut down its factory, leading to production slowdowns and the need to pay partial unemployment insurance for thousands of employees who could not work [59000].
2. Companies and institutions worldwide, including universities, hospitals, and businesses, were affected by the hack, leading to disruptions in operations and potential data loss concerns [59000].
3. Deutsche Bahn in Germany experienced disruptions in its ticket vending machines, although its train service and signaling systems were not affected [59000].
4. FedEx in the United States resumed normal operations after being hit by the attack, indicating a temporary disruption in its computer systems [59000].
5. China reported disruptions at nearly 40,000 organizations, including academic institutions and blue-chip companies, with the attack potentially impacting electronic payment capabilities at PetroChina gas stations [59000].
6. The National Health Service in Britain struggled to get hospitals, clinics, and doctors' offices fully operational, leading to patient care delays and rescheduling of medical appointments [59000].
7. Disney faced a ransom demand from hackers claiming access to one of its unreleased movies, prompting the company to work with federal investigators and refuse to pay the ransom [59000].
Preventions
1. Implementing robust cybersecurity measures such as regular software updates, patches, and security audits to prevent vulnerabilities that could be exploited by hackers [59000].
2. Conducting employee training on cybersecurity best practices to prevent phishing attacks and unauthorized access to systems [59000].
3. Maintaining secure backups of critical data to mitigate the impact of ransomware attacks and avoid the need to pay ransoms [59000].
4. Utilizing advanced threat detection systems and monitoring tools to quickly identify and respond to potential security breaches [59000].
Fixes
1. Implementing robust cybersecurity measures to prevent future hacks like the global ransomware attack that affected Renault and other organizations [59000].
2. Regularly updating and patching software systems to address vulnerabilities that could be exploited by malicious actors [59000].
3. Conducting thorough security audits and assessments to identify and mitigate potential weaknesses in the IT infrastructure [59000].
4. Educating employees and users about cybersecurity best practices, such as avoiding clicking on suspicious links or attachments in emails [59000].
5. Developing and maintaining effective backup and recovery strategies to ensure data can be restored in case of a ransomware attack [59000].
References
1. Renault auto plant in France [59000]
2. Deutsche Bahn in Germany [59000]
3. FedEx in the United States [59000]
4. China [59000]
5. National Health Service in Britain [59000]
6. IBM [59000]
7. Disney [59000]

Software Taxonomy of Faults

Category Option Rationale
Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident having happened again at one_organization:
- The article mentions that FedEx, the giant package shipper, was hit in the attack that began on Friday but had "resumed normal operations" and that its computer systems were healthy again [59000].
- Disney's chief executive, Robert A. Iger, said at a town-hall meeting that hackers had contacted the company claiming access to one of its unreleased movies and had demanded a ransom. Disney is not paying the ransom and is working with federal investigators to resolve the matter [59000].
(b) The software failure incident having happened again at multiple_organization:
- The article reports disruptions at nearly 40,000 organizations in China, including academic institutions, due to the attack [59000].
- The National Health Service in Britain struggled to get hospitals, clinics, and doctors' offices fully operational after the attack, causing patients to be turned away from emergency rooms and medical appointments to be rescheduled [59000].
Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident reported in the articles is primarily related to the design phase. The incident was a global hack that affected thousands of businesses, including Renault's auto plant in France [59000]. The hack locked up at least 200,000 machines and spread to thousands of additional computers, impacting various organizations worldwide. The attackers demanded a ransom in Bitcoin, and companies like Renault and Deutsche Bahn had to deal with the fallout, including shutting down factories and assessing the damage caused by the hack.
(b) The software failure incident also has elements related to the operation phase. For example, the National Health Service in Britain struggled to get hospitals and clinics fully operational after the attack, causing disruptions in patient care and medical appointments [59000]. Additionally, China reported disruptions at nearly 40,000 organizations, including academic institutions and businesses, due to the hack. The attack affected the operation of PetroChina's gas stations, disrupting electronic payment capabilities until the systems were restored to normal functioning.
Boundary (Internal/External)
Option: within_system
Rationale:
(a) within_system: The software failure incident reported in the articles is primarily due to a global hack that affected thousands of businesses, including Renault's auto plant in France [59000]. The incident involved ransomware that infected computers within the system, leading to disruptions in operations and potential data loss. The malware used in the attack was sophisticated, but the mechanism by which it entered the computers and spread was not as advanced, according to security experts [59000].
(b) outside_system: The software failure incident was triggered by external factors, specifically a global hack that targeted organizations worldwide. The attack originated from outside the affected systems and spread rapidly, impacting various sectors such as healthcare, transportation, and education [59000]. The ransom demands in the form of Bitcoin payments were part of the external coercion faced by the affected companies and institutions.
Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident in Article 59000 was primarily due to non-human actions, specifically a global hack that affected thousands of businesses, including Renault's auto plant in France. The hack locked up at least 200,000 machines and demanded a $300 Bitcoin ransom with a threat to erase data. The malware used in the attack was sophisticated, and the attack spread to thousands of additional computers, causing disruptions globally [59000].
(b) Human actions also played a role in the software failure incident described in Article 59000. For example, some organizations affected by the hack had to decide whether to pay the ransom or rely on backups. Additionally, the article mentions that some companies do not report attacks for fear of damaging their corporate reputations. Furthermore, the article highlights how ransomware was a growing problem, with a significant increase in ransomware-related spam from 2015 to the present [59000].
Dimension (Hardware/Software)
Option: software
Rationale:
(a) The software failure incident reported in the articles was primarily due to a global hack that affected thousands of businesses, including Renault's auto plant in France [59000]. The hack led to disruptions in various organizations, such as universities, hospitals, and businesses, by locking up machines and demanding ransom payments in Bitcoin. The incident caused significant operational impacts, such as factories being shut down, production slowdowns, and disruptions in services like electronic payments at gas stations [59000].
(b) The software failure incident was caused by a sophisticated malware attack that spread through computers and networks, affecting organizations worldwide. The malware used in the attack was ransomware, which encrypted data and demanded ransom payments in Bitcoin for decryption. The attack highlighted the growing problem of ransomware, with a significant increase in ransomware-related spam from less than 1% in 2015 to 40% in recent years [59000].
Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident described in the articles is malicious in nature. It was a global hack that hit thousands of businesses, including Renault's auto plant in France, causing disruptions and demanding ransom payments in Bitcoin [59000]. The attack involved sophisticated malware that spread rapidly, affecting various organizations worldwide, such as universities, hospitals, businesses, and even government agencies like the National Health Service in Britain [59000].
(b) The software failure incident was not non-malicious, as it was a deliberate cyberattack aimed at causing harm and extracting ransom payments from the affected organizations. The attackers used ransomware to encrypt data and demanded payments in exchange for decryption keys, indicating a malicious intent behind the software failure incident [59000].
Intent (Poor/Accidental Decisions)
Option: poor_decisions, accidental_decisions
Rationale:
(a) The intent of the software failure incident related to poor decisions can be seen where the article mentions that some companies affected by the hack are trying to determine whether they should pay the ransom or whether they have backups that will allow them to avoid giving in [59000]. This decision about whether or not to pay the ransom can be crucial in the aftermath of a hack incident.
(b) The intent of the software failure incident related to accidental decisions is evident where the article discusses how the malware used by the attackers was sophisticated, but the collection mechanism was not by the current standards of ransomware. This lack of advanced payment-easing features may have contributed to the modest level of estimated payments so far, indicating a potential unintended consequence of the attackers' decisions [59000].
Capability (Incompetence/Accidental)
Option: development_incompetence
Rationale:
(a) The software failure incident reported in the articles can be attributed to development incompetence, as it was the result of a global hack that hit thousands of businesses, including Renault's auto plant in France [59000]. The hack caused disruptions in various organizations, such as universities, hospitals, and businesses, indicating a lack of professional competence in ensuring robust cybersecurity measures to prevent such incidents.
(b) The software failure incident does not fit the accidental category: the malware used by the attackers was described as sophisticated, indicating that the attack was not a simple or accidental occurrence [59000]. The attack was a deliberate act by cybercriminals to exploit vulnerabilities in computer systems, rather than a random or unintentional event.
Duration
Option: temporary
Rationale:
(a) The software failure incident described in the articles is temporary. The incident involved a global hack that hit thousands of businesses, including Renault's auto plant in France, causing disruptions and forcing the factory to shut down temporarily. Companies and institutions affected by the hack were racing to assess the damage, clean and reboot systems, and determine whether they had lost any data or whether their systems were safe [59000]. Additionally, the article mentions that some organizations affected by the hack, like FedEx, had resumed normal operations after dealing with the software failure incident [59000].
(b) The software failure incident can also be considered temporary because it was caused by a global ransomware attack that affected various organizations worldwide. The attack disrupted operations in different countries, such as China, the United States, and the United Kingdom, but organizations were working to recover and resume normal activities. For example, China reported disruptions at nearly 40,000 organizations, including academic institutions and businesses, but many organizations emphasized that their business operations had not been impaired [59000].
Behaviour
Option: crash, omission, value, other
Rationale:
(a) crash: The software failure incident in the articles can be categorized as a crash, as it resulted in the system losing its state and not being able to perform its intended functions. The incident caused disruptions in various organizations and institutions, such as Renault's auto plant in France, Deutsche Bahn in Germany, and the National Health Service in Britain, leading to partial shutdowns, delays in operations, and disruptions in services [59000].
(b) omission: The software failure incident can also be attributed to omission, as the system omitted to perform its intended functions at instances. For example, the National Health Service in Britain struggled to get hospitals, clinics, and doctors' offices fully operational, causing patients to be turned away from emergency rooms and medical appointments to be rescheduled [59000].
(c) timing: While the software failure incident did not directly relate to timing issues, it did involve the system performing its intended functions incorrectly or being unable to perform them due to the hack. The incident led to disruptions and delays in operations across various organizations, impacting their normal functioning [59000].
(d) value: The software failure incident can be linked to a failure in value, as the system performed its intended functions incorrectly due to the hack. For instance, the attack disrupted the electronic payment capabilities at PetroChina's gas stations in China, causing operational issues until the systems were restored [59000].
(e) byzantine: The software failure incident did not exhibit characteristics of a byzantine failure, which involves inconsistent responses and interactions within a system. The incident primarily involved a global hack that locked up thousands of machines, demanded ransom payments, and disrupted operations in various organizations, showing a more straightforward impact on the affected systems [59000].
(f) other: The software failure incident can be categorized as an "other" behavior as well, considering the widespread impact and disruptions caused by the hack. The incident led to companies and institutions facing challenges such as deciding whether to pay the ransom, assessing data loss, and dealing with the aftermath of the attack. It also highlighted the growing problem of ransomware attacks globally, emphasizing the need for enhanced cybersecurity measures [59000].

IoT System Layer

Layer Option Rationale
Perception
Option: processing_unit, network_communication
Rationale:
(a) sensor: The software failure incident reported in the articles does not specifically mention any sensor errors contributing to the failure.
(b) actuator: The articles do not provide information indicating that the failure was due to contributing factors introduced by actuator error.
(c) processing_unit: The incident involved a global hack that affected thousands of businesses, including Renault's auto plant in France. The company's technicians were working to clean and reboot systems that control robots on the factory floors, suggesting a failure related to the processing unit [59000].
(d) network_communication: The ransomware attack spread to thousands of computers globally, affecting various organizations and institutions. This indicates a failure related to network communication, as the malware spread through networks [59000].
(e) embedded_software: The incident does not explicitly mention any issues related to embedded software as a contributing factor to the software failure.
Communication
Option: connectivity_level
Rationale: The software failure incident reported in the articles was related to the connectivity level of the cyber-physical system that failed. The incident involved a global hack that affected thousands of businesses, including Renault's auto plant in France [59000]. The hack disrupted operations by locking up machines, demanding ransom payments, and causing disruptions in various organizations worldwide, such as universities, hospitals, businesses, and even transportation systems like Deutsche Bahn in Germany. The attack targeted computer systems, leading to data encryption and ransom demands, rather than being a direct result of issues at the physical layer of the cyber-physical system.
Application
Option: FALSE
Rationale: The software failure incident described in the articles was related to a global hack that affected thousands of businesses, including Renault's auto plant in France [59000]. This hack involved malicious software that infected computers and demanded a ransom in Bitcoin to unlock the data. The malware used in the attack was described as sophisticated by security experts, but the mechanism by which it spread was not as advanced. The attackers demanded ransom payments in Bitcoin, but the attack did not include features that eased the payment process, which may have contributed to the modest level of payments made so far. This incident does not specifically point to a failure at the application layer of the cyber-physical system but rather to a broader cybersecurity breach involving malware and ransom demands.

Other Details

Category Option Rationale
Consequence
Option: property, non-human
Rationale:
(d) Property: People's material goods, money, or data were impacted due to the software failure. The software failure incident resulted in significant property impact, as seen in the case of Renault, where a $300 Bitcoin ransom demand was found on computers, threatening to erase data [59000]. Additionally, Deutsche Bahn in Germany had ransom demands on the screens of ticket vending machines, and PetroChina experienced disruptions in electronic payment capabilities at its gas stations [59000]. The attack also affected organizations in China, including academic institutions and companies like Hitachi and Nissan, although their business operations were not impaired [59000]. FedEx in the United States was hit in the attack but later resumed normal operations after its computer systems were restored [59000].
Domain
Option: information, transportation, natural_resources, manufacturing, utilities, finance, knowledge, health, entertainment, government
Rationale:
(a) The software failure incident affected various industries, including universities, hospitals, and businesses globally, as they were all trying to assess the damage caused by the hack and determine whether their systems were safe [59000].
(b) The transportation industry was impacted by the software failure incident, as Deutsche Bahn, the national railway in Germany, had ransom demands pop up on the screens of ticket vending machines, causing disruptions [59000].
(c) The natural resources industry was indirectly affected, as China's state-run oil company, PetroChina, confirmed that the attack disrupted the electronic payment capabilities at many of its gas stations over the weekend [59000].
(d) The sales industry was not directly mentioned in the articles as being impacted by the software failure incident.
(e) The construction industry was not directly mentioned in the articles as being impacted by the software failure incident.
(f) The manufacturing industry was significantly impacted by the software failure incident, with Renault's auto plant in France having to shut down due to the global hack that hit thousands of businesses, including the factory [59000].
(g) The utilities industry was indirectly affected, as PetroChina, a state-run oil company, faced disruptions in electronic payment capabilities at its gas stations due to the cyberattack [59000].
(h) The finance industry was indirectly mentioned in the articles, as IBM's security research unit highlighted the growing problem of ransomware, with a significant percentage of spam containing ransomware links or documents [59000].
(i) The knowledge industry, particularly universities, was impacted by the software failure incident, as academic institutions in China, including Tsinghua and Peking Universities, reported disruptions due to the hack [59000].
(j) The health industry was significantly impacted by the software failure incident, with the National Health Service in Britain struggling to get hospitals, clinics, and doctors' offices fully operational, leading to patients being turned away from emergency rooms and medical appointments needing to be rescheduled [59000].
(k) The entertainment industry was indirectly mentioned in the articles, as Disney's chief executive reported hackers claiming access to one of its unreleased movies and demanding a ransom, although Disney stated it would not pay the ransom [59000].
(l) The government industry was indirectly mentioned in the articles, as the National Health Service in Britain, a public service entity, faced challenges in getting its systems fully operational after the cyberattack [59000].
(m) The software failure incident did not directly relate to an industry not covered in the options provided.
