Background: In June 2017 the world witnessed one of the most destructive cyberattacks in recent history: NotPetya. Unlike conventional ransomware, which holds files hostage and can in principle release them once a ransom is paid, NotPetya was a wiper dressed up as ransomware: it overwrote the boot record and encrypted the file table with no workable way to recover, so paying was pointless and maximum disruption was the only outcome. Seeded in Ukraine, it spread inside victims' networks using the EternalBlue exploit for an SMB vulnerability Microsoft had patched three months earlier (MS17-010), combined with harvested credentials and legitimate Windows administration tools, and reached multinationals in many industries that had even a single Ukrainian office on their network.
One of the most notable victims was Maersk, the global shipping and logistics group. Maersk carries roughly a fifth of the world's seaborne container trade, so any disruption to its operations ripples through the international supply chain. The attack took down Maersk's shipping, logistics and port-terminal systems worldwide. The disruption was severe, but Maersk's preparation, together with a measure of plain luck, kept it from becoming far worse.
The Incident: On 27 June 2017, NotPetya entered Maersk's network through a poisoned update of M.E.Doc, a tax-accounting package widely used in Ukraine and installed in Maersk's Odessa office. Once inside, the malware moved laterally across the company's network within hours, wiping thousands of computers in more than 600 office locations worldwide. It also hit the systems of the 76 port terminals Maersk operates, bringing bookings and terminal operations to a halt.
In the wake of the attack, Maersk employees were left without email, desk phones or the core systems needed to run the business. For a company of this size and scope that was a catastrophic event. Maersk's investment in cybersecurity practices, along with some unexpected good fortune, meant it avoided complete disaster.
Proactive Cybersecurity Best Practices:
- Comprehensive Backup Systems: Maersk's recovery hinged on being able to rebuild Active Directory, since nothing else could be reinstalled until the directory was back. The company held backups of most of its data, but its roughly 150 domain controllers had not been backed up separately, on the assumption that replication between them was protection enough. NotPetya wiped every reachable controller at once, so replication reproduced the damage instead of guarding against it. The one surviving copy was a domain controller in Ghana that had been offline during a power outage when the malware hit; its disk was carried out of the country and flown to the UK, and it became the foundation for rebuilding the directory and, from there, the rest of the network. The practical lesson is that a backup is a copy the malware cannot reach: offline or immutable, stored in a separate location, and regularly restored to confirm it actually works. A live replica is not a backup.
- Incident Response Planning and Execution: The second pillar of Maersk's response was how it was organised. A documented, rehearsed incident response plan is one of the most valuable controls an organisation can have, because the first hours of an outbreak decide how far it spreads. As soon as the attack was recognised, Maersk's IT staff began shutting systems down to contain it, and a recovery team working around the clock was assembled to bring critical systems back. Acting quickly and with a clear division of labour limited the damage and let the company concentrate on recovery rather than on working out who should do what.
- Global Redundancy and Decentralised Systems: Maersk's global footprint also helped limit the damage. Its IT estate was spread across many locations, and while the attack reached most of the central systems, not every system was reachable by the malware at the same moment, and regional teams and facilities outside the blast radius could be drawn on. That distribution gave Maersk recoverable data and working components that were essential for getting operations back on track.
- Crisis Communication Strategy: Maersk's handling of communication during the crisis was another sign of preparedness. With internal email gone, teams switched to alternative channels, notably WhatsApp and other consumer messaging and social platforms, to keep global staff informed and coordinated. That improvisation worked because people already knew who needed to hear from whom, which underlines the value of an out-of-band communication plan that does not depend on the systems under attack.
The Recovery: Given the scale of the attack, Maersk's recovery was remarkable. Within about ten days it had rebuilt 4,000 of its 6,500 servers, 45,000 of its 49,000 PCs and 2,500 of its 3,500 applications. These machines were not simply restored; most had to be reimaged from scratch once the directory was back. Bookings and terminal operations were running again within that window, which limited the knock-on effect on the global supply chain.
The financial cost was still significant: Maersk put the impact at US$200-300 million, mostly from lost revenue during the outage. Measured against the damage other victims sustained, however, the recovery was swift. Merck reported losses of roughly $870 million and FedEx's TNT Express unit around $400 million, and both took far longer to recover.
Lessons Learned: Maersk’s experience provides valuable lessons for businesses of all sizes:
- Regularly Updated Backups Are Crucial: Without the surviving domain controller in Ghana, Maersk's recovery would have been much slower and more complex, and it survived by accident rather than by design. Businesses should keep frequently updated backups in several geographic locations, make sure at least one copy is offline or immutable so a network-borne wiper cannot reach it, and test those backups regularly by actually restoring from them. Replication between live systems does not count.
- A Strong Incident Response Plan Saves Time and Resources: Maersk's ability to contain and then rebuild quickly was key to limiting the impact. A clear, documented plan that is rehearsed regularly lets teams act fast and in the right order when an incident hits.
- Redundancy in IT Systems Provides Resilience: Maersk’s global IT infrastructure, with its decentralised and redundant systems, enabled the company to pull resources from unaffected regions to assist in recovery. This kind of infrastructure resilience can make the difference between full-scale collapse and a manageable recovery.
- Crisis Communication Plans Are Essential: Keeping people in contact during an attack or major outage prevents confusion from compounding the damage. Businesses must make sure employees know which out-of-band channels to use and whom to reach when email, phones and directories are all down.
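The two backup lessons above (an isolated copy in more than one region, verified by actually reading it back, with live replicas excluded) can be turned into a routine check. The script below is an added example written for this article, not Maersk tooling; the manifest format, the names of the copies, the policy thresholds and the backup image are all constructed for illustration.

```python
"""Backup-inventory check in the spirit of the NotPetya lessons.

A copy counts as a backup only if it is offline or immutable (a live
replica would mirror a wiper's damage, as Maersk's domain controllers did),
its recorded digest still matches what is on the medium, it is fresh, and
usable copies exist in more than one region.  Added example; the manifest
format, copy names, thresholds and image bytes are assumptions.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Kinds of copy a network-borne wiper cannot reach.  "replica" is a live,
# network-attached mirror (e.g. a replicating domain controller) and is
# excluded on purpose: replication propagates destruction.
SURVIVABLE_KINDS = {"offline", "immutable"}


@dataclass
class BackupCopy:
    name: str
    region: str
    kind: str            # "offline", "immutable" or "replica"
    taken_at: datetime   # when the copy was written (UTC)
    sha256: str          # digest recorded when the copy was made
    payload: bytes       # the stored image; a constructed stand-in here


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_integrity(copy: BackupCopy) -> bool:
    """Re-hash the stored image and compare with the recorded digest.
    A copy that cannot be read back and verified is not a tested backup."""
    return sha256_hex(copy.payload) == copy.sha256


def evaluate(copies: List[BackupCopy], now: datetime,
             min_regions: int = 2,
             max_age: timedelta = timedelta(hours=24)) -> Dict:
    """Apply the policy and return usable copies plus a list of findings."""
    findings, usable = [], []
    for c in copies:
        if c.kind not in SURVIVABLE_KINDS:
            findings.append(f"{c.name}: live {c.kind}, not a backup; a wiper "
                            "spreading through the network would take it too")
            continue
        if not verify_integrity(c):
            findings.append(f"{c.name}: integrity check failed (digest mismatch)")
            continue
        age = now - c.taken_at
        if age > max_age:
            findings.append(f"{c.name}: stale, {age.days} day(s) old exceeds "
                            f"recovery point objective of {max_age}")
            continue
        usable.append(c)
    regions = {c.region for c in usable}
    if len(regions) < min_regions:
        findings.append(f"only {len(regions)} region(s) hold a usable copy; "
                        f"policy requires {min_regions}")
    return {"ok": not findings, "usable": [c.name for c in usable],
            "regions": sorted(regions), "findings": findings}


# Constructed sample manifest, dated to the day of the attack.
NOW = datetime(2017, 6, 27, 12, 0, tzinfo=timezone.utc)
IMAGE = b"ntds.dit sample image (constructed stand-in for a backup)"
GOOD = sha256_hex(IMAGE)

SAMPLE_MANIFEST = [
    # live replica: fresh and intact, but it would be wiped with its peers
    BackupCopy("dc-replica-copenhagen", "eu-north", "replica",
               NOW - timedelta(minutes=5), GOOD, IMAGE),
    # offline tape, fresh, verifies: the only copy that passes
    BackupCopy("tape-maidenhead", "eu-west", "offline",
               NOW - timedelta(hours=6), GOOD, IMAGE),
    # immutable object store, but nine days old
    BackupCopy("objectlock-singapore", "ap-southeast", "immutable",
               NOW - timedelta(days=9), GOOD, IMAGE),
    # offline tape whose bytes no longer match the recorded digest
    BackupCopy("tape-newjersey", "us-east", "offline",
               NOW - timedelta(hours=3), GOOD, IMAGE[:-1]),
]


def remediated_manifest() -> List[BackupCopy]:
    """The same fleet after the corrupt tape was replaced and the Singapore
    copy refreshed; the replica is left out because it never counted."""
    return [
        BackupCopy("tape-maidenhead", "eu-west", "offline",
                   NOW - timedelta(hours=6), GOOD, IMAGE),
        BackupCopy("objectlock-singapore", "ap-southeast", "immutable",
                   NOW - timedelta(hours=1), GOOD, IMAGE),
        BackupCopy("tape-newjersey", "us-east", "offline",
                   NOW - timedelta(hours=3), GOOD, IMAGE),
    ]


if __name__ == "__main__":
    for label, manifest in (("before", SAMPLE_MANIFEST),
                            ("after", remediated_manifest())):
        result = evaluate(manifest, NOW)
        print(label, "ok" if result["ok"] else "FAIL", result["regions"])
        for f in result["findings"]:
            print("  -", f)
```

Run against the constructed manifest, the check rejects the replica outright, the stale copy and the corrupt tape on their own merits, and then reports that only one region holds a usable copy; the remediated fleet passes. In a real deployment the payload would be read from the medium (or a restore target) rather than held in memory, which is the point: the digest comparison is only meaningful if the restore path is exercised.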
Conclusion: Maersk's handling of the NotPetya attack shows how preparation, in the form of usable backups, a rehearsed incident response plan and distributed systems, can blunt even the most severe cyberattacks, and also how thin the margin can be: the directory that made recovery possible survived only because one server happened to be offline. The attack was costly, but restoring operations within days prevented lasting damage to the company and to the global supply chain. The case is a stark reminder that investing in cybersecurity practices is not just a protective measure but a core part of business resilience.
Photos by Wolfgang Weiser and PortCalls Asia on Unsplash