Corvus Insights Blog | Smart Cyber Insurance

Global IT Outages Caused by CrowdStrike Software Update

Written by Corvus Threat Intel & Risk Advisory | 08.13.24

On July 19, 2024, the world woke up to a massive IT outage that affected numerous industries across the globe. The culprit? A faulty software update from cybersecurity firm CrowdStrike. As the situation is ever-evolving, we will continue to update this article as new information becomes available.

A Breakdown of the CrowdStrike Software Incident

CrowdStrike, a leading provider of cloud-native cybersecurity solutions, inadvertently pushed out a defective update to its Falcon platform, causing Windows machines running the affected software to crash. This has resulted in widespread disruptions across a number of sectors including airlines, finance, healthcare, and media.

What Caused the CrowdStrike Outage?

Crowdstrike issued a statement and CrowdStrike CEO George Kurtz alternatively confirmed that the issue stemmed from a "defect found in a single content update for Windows hosts". He emphasized that this was not a security incident or cyberattack and that Mac and Linux systems were unaffected.

The Impact to Various Industries

The outage had far-reaching consequences:

  1. Travel
    • Major airlines, including United, American, Delta, and Ryanair, experienced significant delays and cancellations.
  2. Healthcare
    • Hospitals in several countries had to switch to manual processes.
  3. Banking
    • Financial institutions worldwide reported service disruptions.
  4. Media
    • Some broadcasters, including Sky News in the UK, were forced off the air.

The Resolution

CrowdStrike has identified the issue and deployed a fix. However, many affected systems require manual intervention to resolve the problem. If your systems are still crashing and unable to stay online to receive the Channel File Changes, the following steps can be used to workaround this issue:

Workaround Steps for individual hosts:

  • Reboot the host to give it an opportunity to download the reverted channel file.  If the host crashes again, then:
  • Boot Windows into Safe Mode or the Windows Recovery Environment
  • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
  • Locate the file matching “C-00000291*.sys”, and delete it. 
  • Boot the host normally.

Note: If you use Bitlocker, please ensure you have the recovery key before initiating this process.

Microsoft has also released some recovery tools to expedite the resolution process for IT teams and admins. See more details here.

 

⚠️ Phishing ⚠️

Be on the lookout for phishing attempts or scams purporting to be Crowdstrike. There have already been a number of impersonating domains registered within the past 24 hours designed to look like Crowdstrike and will likely take advantage of the situation. All communications to CrowdStrike should be addressed to support@crowdstrike.com or a trusted CrowdStrike contact.

 

For Updates on the Crowdstrike Incident

In addition to this article, please monitor the following sources for the most up-to-date information:

Customer Communications

CrowdStrike customers can get the latest information in the Support Portal and/or through a public remediation guidance page:

https://supportportal.crowdstrike.com/s/article/Tech-Alert-Windows-crashes-related-to-Falcon-Sensor-2024-07-19

 

Customer Technical Support:

Reach out to support@crowdstrike.com if further assistance is needed.

 

This summary and its contents are intended for general guidance and informational purposes only. This summary is under no circumstances intended to be used or considered as specific insurance or information security advice. This summary is not designed to be comprehensive and it may not apply to your particular facts and circumstances. Consult as needed with your IT Department or professional advisers.

This material does not amend, or otherwise affect, the provisions or coverages of any insurance policy issued by Travelers or Corvus. It is not a representation that coverage does or does not exist for any particular claim or loss under any such policy. Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy provisions, and any applicable law. Availability of coverage referenced in this document can depend on underwriting qualifications and state regulations.