More than 97% of the Windows desktops that were suddenly disrupted a week ago by a problematic software update from CrowdStrike are back online, according to the cybersecurity company’s top executive, but the pain from the worldwide outage will continue to be felt.
In a message on LinkedIn, CrowdStrike CEO George Kurtz wrote that the vendor’s recovery efforts were helped by “the development of automatic recovery techniques and by mobilizing all our resources to support our customers.”
Microsoft estimated that in total, 8.5 million Windows PCs and other devices – fewer than 1% of all Windows machines – were put out of commission, showing the Blue Screen of Death (BSOD), after the faulty update was pushed to CrowdStrike’s Falcon sensors. Linux and Mac devices weren’t affected by the update.
To the – relatively – few users still working to get back online, Kurtz wrote that the company “will not rest until we achieve full recovery. At CrowdStrike, our mission is to earn your trust by safeguarding your operations. I am deeply sorry for the disruption this outage has caused and personally apologize to everyone impacted.”
In a preliminary post-incident review (PIR) on July 24, Kurtz wrote that a bug in its Content Validator tool, a key part of a multi-step update testing process, allowed a template instance containing the problematic content that triggered the Windows outage to pass validation and be deployed into production. The Content Validator should have caught the problem, he wrote.
CrowdStrike issued a fix and the vendor and Microsoft worked to bring systems back up, but it’s taken some devices longer to get back online.
A Continuing Problem
The disruption continues in several ways. Among the hardest hit industries were financial services, health care, emergency services and airlines. Most airlines were able to recover within a couple of days, but Delta has taken the longest to get back to normal. On July 22, three days after the July 19 crash, Delta canceled 1,160 flights, according to USA Today, and the number has steadily decreased, dropping to 47 on July 25.
However, Delta – the world’s largest airline – will now have to deal with a U.S. Transportation Department investigation, with Transportation Secretary Pete Buttigieg saying in a post on X (formerly Twitter) that he wants to “ensure the airline is following the law and taking care of its passengers during continued widespread disruptions. All airline passengers have the right to be treated fairly, and I will make sure that right is upheld.”
Delta said in a statement it is trying to accommodate passengers whose flights were canceled or delayed, including paying the costs incurred by customers who paid for other means of travel. It also said the airline would continue to offer meal vouchers, ground transportation, and hotel accommodations to passengers “whose travel has been disrupted with canceled or significantly delayed flights.”
Heavy Losses, But Little Insurance Help
Customers impacted by the situation also will have to navigate the cyber insurance waters. Parametrix, whose business includes cloud outage insurance services, said in a report that U.S. Fortune 500 companies – about a quarter of which were affected – will sustain losses of as much as $5.4 billion. That said, cyber insurance policies likely will cover only 10% to 20% of that cost “due to many companies’ large risk retentions, and to low policy limits relative to the potential outage loss,” Parametrix wrote.
The outage “tells us more about the ways that insurers and reinsurers can diversify their cyber risk portfolios to minimize the potential impacts of systemic cyber risk,” said Jonatan Hatzor, co-founder and CEO of Parametrix. “However, our analysis does not show the whole diversification picture. A cyber insurer focused on very large companies will certainly suffer a much greater CrowdStrike loss relative to premium than one with a large SME book.”
The headaches aren’t only reserved for users. Congress wants CrowdStrike’s Kurtz to testify at a hearing, saying in a letter that “Americans deserve to know in detail how this incident happened and the mitigation steps CrowdStrike is taking.”
$10 Gift Cards Not Helping
Another headache has been the $10 Uber Eats gift card sent to staff members and partners who helped to fix the issue and bring the affected systems back up. In an email, CrowdStrike reportedly told them that the company understood the outage had caused extra work and headaches. Some were not impressed.
On Reddit, one person wrote that “it would have been better to not give people anything, but now Crowdstrike is suggesting the hours people invested in fixing their mistake is only worth $10?”
“Is this a sorry we made you log 40+ hours of emergency hours fix so here is less than half a lunch on us? Seriously, talk about insulting,” another wrote.
One person wrote, “I’ll take whatever I can get, I guess. Can I get a hat too? I want to wear it with my Solarwinds shirt. I drape myself in my horrors.”
More Scammers Jump Into the Fray
The chaos created by the crash gave cybercriminals an opening to run phishing and myriad other scams, posing as tech support personnel from CrowdStrike or other companies or promising fixes for the problem, in hopes of stealing money or information from victims.
CrowdStrike researchers identified a campaign in which a bad actor is using a phishing domain that includes the company’s name and Office 365 to impersonate CrowdStrike and deliver malicious ZIP and RAR files containing a Microsoft Installer loader. If the target opens the file, the loader executes Lumma Stealer – an information-stealing malware – packed with CypherIt, a heavily obfuscated loader used to hinder static analysis.
Lumma Stealer is used to gather data from browsers, such as credentials, cookies and browser extensions. The researchers added that, based on the build timestamp, the threat actor most likely built the sample the day after the problematic content update was identified and the fix deployed.
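The campaign above follows a pattern that defenders can screen for without waiting on a vendor indicator feed: a hostname that combines a protected brand token (here, "crowdstrike") with a lure keyword such as "office365" or "fix", delivering an archive whose payload is a Windows Installer file. The script below is an added example written for this article; it is not CrowdStrike's code and does not reproduce the real phishing domain. The brand tokens, lure keywords, allowlist, sample domains and the in-memory ZIP are all constructed for illustration, and only ZIP archives are inspected (RAR would need the third-party `rarfile` package).

```python
"""Lookalike-domain and archive-payload triage (constructed example)."""
import io
import re
import zipfile

# Assumed configuration: brand tokens to protect, lure words seen in outage scams,
# and the legitimate domains a SOC would allowlist. All hypothetical.
BRAND_TOKENS = ("crowdstrike", "falcon")
LURE_KEYWORDS = ("office365", "o365", "microsoft", "fix", "hotfix",
                 "recovery", "update", "bsod", "support")
ALLOWLIST = {"crowdstrike.com"}
# File types that should never arrive in a "hotfix" archive from a vendor.
PAYLOAD_EXTENSIONS = (".msi", ".exe", ".lnk", ".js", ".vbs", ".scr")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats (crowdstrlke)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _labels(host: str) -> list:
    # Split on dots and dashes so "crowdstrike-office365.com" yields its parts.
    return [p for p in re.split(r"[.-]", host.lower()) if p]


def is_allowlisted(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST)


def brand_hits(host: str) -> list:
    """Labels that contain a brand token or sit within edit distance 1 of one."""
    hits = []
    for label in _labels(host):
        for token in BRAND_TOKENS:
            if token in label or levenshtein(label, token) <= 1:
                hits.append(label)
                break
    return hits


def classify_domain(host: str) -> dict:
    """Return a verdict plus the evidence that produced it."""
    if is_allowlisted(host):
        return {"host": host, "verdict": "allowlisted", "reasons": []}
    brands = brand_hits(host)
    lures = [k for k in LURE_KEYWORDS if k in host.lower()]
    if brands:
        reasons = [f"brand:{b}" for b in brands] + [f"lure:{k}" for k in lures]
        return {"host": host, "verdict": "lookalike", "reasons": reasons}
    return {"host": host, "verdict": "benign", "reasons": []}


def suspicious_archive_members(data: bytes) -> list:
    """Names of ZIP members whose extension marks an executable payload."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(PAYLOAD_EXTENSIONS)]


def build_sample_archive() -> bytes:
    """Constructed ZIP standing in for a phishing attachment; the .msi is a stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "constructed sample, not malware")
        zf.writestr("CrowdStrike_Hotfix.msi", b"not a real installer")
    return buf.getvalue()


# Constructed sample observations; none of these is a real indicator.
SAMPLE_DOMAINS = [
    "crowdstrike.com",
    "crowdstrike-office365.com",
    "crowdstrlke-bsod-fix.net",
    "falcon-hotfix-update.info",
    "example.org",
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = classify_domain(d)
        print(f"{r['verdict']:<11} {d}  {' '.join(r['reasons'])}")
    print("payloads:", suspicious_archive_members(build_sample_archive()))
```

The allowlist check runs first so legitimate vendor hosts are never scored; everything else is judged on evidence that is listed in the output, which keeps the triage explainable when it is fed into a ticket. Extending `_labels` with a public-suffix library and adding homoglyph folding (Cyrillic "о" for Latin "o") are the two changes a production version needs first.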