Merck IT systems still crippled in Petya’s aftermath

Four days after its networks were infected, operations are still hamstrung at the pharmaceutical giant. U.S. employees have been reduced to keeping paper records of their work.
Merck's offices in Upper Gwynedd, Pa. (Montgomery County Planning Commission)

Four days after its networks were infected, computer systems at pharmaceutical giant Merck is still hamstrung by the Petya ransomware.

The company told its 70,000 employees on Tuesday to immediately cease all interactions with company networks, to refrain from turning on or rebooting any company computers or tablets, and to not use thumb drives. As company email was completely disabled, Merck supervisors disseminated instructions down the corporate ladder via copied and pasted text messages. The company did assure employees that human resource data had not been compromised.

Petya is technically ransomware, as it encrypts users’ files and demands bitcoin to access them. But unlocking files with a purchasable key appears impossible, leading cybersecurity researchers to conclude that Petya was designed to be destructive, rather than a scheme to make money. Petya’s creators are unknown, but the fact that Ukrainian government systems and Ukrainian companies were among the first victims has prompted Ukrainian government officials to publicly blame the Russian government, though Russian companies have also been affected.

It’s unclear how Merck was infected with Petya, which partly relies Eternal Blue, the leaked tool released by the mysterious hacker group Shadow Brokers and believed to be developed by the National Security Agency. While the majority of Merck employees are in the U.S., the company has a worldwide presence, including an office in Ukraine.


Merck’s plummeting productivity is hardly unique among Petya victims, and it’s clear the ransomware has caused a significant drop in productivity around the globe. Ukrainian government workers have said they’re reduced to only working via their smartphones. And on Wednesday, a representative for Maersk, the world’s largest shipping company, said that the company had temporarily ceased taking any new orders.

Since the attack, Merck has instructed its U.S. employees, largely comprised of a sales force scattered across the country, to run a low-fi operation. Employees have been communicating with clients exclusively via telephone and in-person meetings, along with keeping a paper record of their workdays. Those who work from regional offices and the company’s New Jersey headquarters are told to refrain from connecting to company wi-fi.

As a partial fix, the company has created a makeshift temporary email server, accessible only via web browser, where employees can set up a new account to at least send and receive emails with a Merck domain via their personal computers. That doesn’t give them access to old emails, though, and other functions, like Outlook calendar, aren’t accessible. The company hopes to merge the email accounts once the original email network is restored.

The company didn’t respond to request for comment, though it did tweet a statement on Wednesday, saying that “we believe we have contained the problem.”


Employees, however, have not been given an estimated date when Merck networks will be operational again. They have, however, been instructed to monitor the company’s Twitter account, though that account hasn’t tweeted about the attack since Wednesday.

Kevin Collier

Written by Kevin Collier

Kevin Collier is a reporter who covers cybersecurity, privacy, and politics. He lives in New York City.

Latest Podcasts