Ransomware: The key lesson Maersk learned from battling the NotPetya attack

Protection is important - but it's equally important to ensure your recovery process is strong, says the head of cybersecurity compliance at the shipping giant.
Written by Danny Palmer, Senior Writer

The extent of the cyberattack was so bad that it just didn't seem possible that something so destructive could have happened so quickly.

"I remember that morning – laptops were sporadically restarting and it didn't appear to be a cyberattack at the time but very quickly the true impact became apparent," said Lewis Woodcock, head of cybersecurity compliance at Moller-Maersk, the world's largest container shipping firm.

"The severity for me was really taken in when walking through the offices and seeing banks and banks of screens, all black. There was a moment of disbelief, initially, at the sheer ferocity and the speed and scale of the attack and the impact it had."

Speaking in a keynote session at CYBER UK 19 – a cybersecurity conference hosted by the UK's National Cyber Security Centre (NCSC) – Woodcock was reliving the events of 27 June 2017 when the shipping and logistics giant Maersk was an unintended victim of NotPetya ransomware.


NotPetya was developed as a disk-wiping cyber weapon by the Russian military and helped along by a leaked version of the NSA's EternalBlue hacking tool, the same exploit that powered the WannaCry ransomware outbreak. Its target was businesses in Ukraine, but the malware quickly got out of hand. Soon it was spreading around the world, taking down networks and causing billions of dollars in damage and lost revenue.

Headquartered in Denmark with hundreds of sites in countries across the globe, Maersk plays a huge role in global shipping, with one of its massive ships – each carrying up to 20,000 containers – arriving in a port somewhere around the world every 15 minutes.

The company was one of the most badly hit of those caught in the crossfire of NotPetya, with almost 50,000 infected endpoints and thousands of applications and servers across 600 sites in 130 countries.

Maersk had to balance the need to continue operating, despite the lack of IT, with recovering and rebuilding its networks. In many cases, it was a manual process that took days, and what was described at the time as a "serious business interruption" is estimated to have cost Maersk up to $300m in losses.

"That recovery operation really relied heavily on human resilience: we went about rebuilding our IT infrastructure over a period of about 10 days, during which time we were doing all we could to maintain normal business operations," Woodcock said.

"Every 15 minutes or so a container comes to port; you can imagine the human intervention, the manual processes put in place to try and keep operations running."

While Maersk did lose revenue, it pulled through thanks to what Woodcock described as "a whole company effort to recover" which was aided by input from partners, vendors and customers.

Looking back at NotPetya, Woodcock said it served as a wakeup call that not all cyberattacks are targeted and that organisations can find themselves the unintended victims of these events. Businesses shouldn't approach their cyber defences as if hackers will specifically target them, because in some attacks you could simply end up as collateral damage.


But while protecting networks and critical systems is the ultimate goal, a data recovery plan must also be in place, so in the event of the worst happening and critical services being knocked out, you can still operate.

A significant part of this, said Woodcock, is "that ability to really understand the core business processes" and know everything about the systems and applications which run the operation.

"From there you can really get the criticality of them and you can really understand how to protect and secure and also recover – crucially in that order," he said. "This really requires more of a balance between the preventative measures and also your recovery measures."

"Companies which have this real focus between these two and investment will have better standing against future threats," Woodcock said.

Almost two years on from NotPetya, ransomware remains a major threat to organisations which in some instances are losing millions after falling victim to attacks.

But despite the damage done by NotPetya and WannaCry before it, there are still fears that the world isn't prepared for the impact of another global ransomware outbreak.

