What we can learn from Maersk’s Business Crisis

7 mistakes we learned from Maersk’s business crisis

It was 3 years back when Maersk, the biggest container shipping company, was facing one of their biggest challenges – to overcome the business interruption caused by Notpetya ransomware.  Even though this incident took place 3 years ago, there is much we can learn from the crisis which could absolutely help not only the logistic and shipping industry, but other businesses as well, from running into the same disaster and suffering the same fate.


On June 17 of 2017, Notpetya exploded on Maersk network of servers and PCs, 17 of their 76 terminals went dead.  Gates were down.  Cranes were frozen.  Hundreds of trucks were seen stretching for miles outside the terminal gates.  This attack had cost the shipping giant USD 300 million, and what can we learn from it? 

Let us take a look at some facts below.

1.     Maersk reinstalled 4,000 servers and 45,000 PCs.

2.     NotPetya came through via a Ukraine financial software update, and spreads across the whole organization.

3.     This virus attack was a previously unseen type of malware, and updates and patches applied to both the Windows systems and our antivirus were not an effective protection in this particular case,” Maersk said in a statement.

4.     The ransomware spread rapidly by utilizing the leaked US National Security Agency (NSA) exploit EternalBlue, which targets Microsoft Windows systems.

5.     They had located backups of almost all of Maersk’s individual servers, dating from between three and seven days prior to NotPetya’s onset.

6.     But no one could find a backup for one crucial layer of the company’s network: its domain controllers, the servers that function as a detailed map of Maersk’s network and set the basic rules that determine which users are allowed access to which systems.

7.     Maersk’s 150 or so domain controllers were programmed to sync their data with one another, so that, in theory, any of them could function as a backup for all the others. But that decentralized backup strategy hadn’t accounted for one scenario: where every domain controller is wiped simultaneously. “If we can’t recover our domain controllers,” a Maersk IT staffer remembers thinking, “we can’t recover anything.”

8.     At some point before NotPetya struck, a blackout had knocked the Ghanaian machine offline, and the computer remained disconnected from the network. It thus contained the singular known copy of the company’s domain controller data left untouched by the malware—all thanks to a power outage.

Facts in Simple Words

 

Lessons to learn from Maersk’s Disastrous Facts

#1 Ransomware can spread very fast and very far in very short period of time.

 

 

4,000 servers and 45,000 PCs got wrecked in a matter of hours.  Do NOT underestimate ransomware and its ability to penetrate and damage your business.  Be prepared with your Business Continuity and Disaster Recovery Plans.

 

The only way to remove ransomware is to reformat the hard drive and reinstall the server or PC.

 

#2 Updates from your software or service provider can be injected with malware/ransomware.

 

 

Besides RDP brute force attack and Phishing emails, ransomware can attack your system via updates even from reputable software and service providers.

 

#3 Maersk said it all “…antivirus (program) were not an effective protection…

 

 

Don’t be content and complacent with just Anti-Virus alone.  When it failed, which happened in most ransomware incidents, Disaster Recovery and Business Continuity is your only hope.

 

#4 The ransomware was exploiting a vulnerability in Windows 7

 

 

No one knows what other vulnerabilities are within Windows, including Microsoft, until disaster happens.

 

#5 Maersk has lost 3 to 7 days of backups for their servers

 

 

Do you even have 3 to 7 days of backups?  If you do, are they protected from the reach of ransomware?  If not, time to learn more about Offline Backup, and how it can help protect your backups.

 

#6 & #7 Maersk’s backup for Domain Controls is having 150 of them synchronizing among themselves.

 

 

Synchronization is NOT Backup.  It’s great redundancy for hardware failure, but on the other hand, it is also the perfect setup for ransomware to rampage your entire system.

 

 

#8 Maersk was saved by an Offline Domain Control which is not connected to the network due to power outage.

 

An Offline Copy of the Domain Controller is the key to allow Maersk to recover.  This is evidence of how Offline Backup is the only way to keep ransomware from encrypting your backups.

 

National Cyber Security Centre (NCSC), the organisation of the United Kingdom Government that provides advice and support for the public and private sector in how to avoid computer security threats, has quoted:

“The NCSC has seen numerous incidents where ransomware has not only encrypted the original data on-disk, but also the connected USB and network storage drives holding data backups. Incidents involving ransomware have also compromised connected cloud storage locations containing backups.

NCSC advice on Offline Rule:

The purpose of an ‘offline backup’ (sometimes called a ‘cold backup’) is to remain unaffected should any incident impact your live environment. You can do this by:

·       only connecting the backup to live systems when absolutely necessary

·       never having all backups connected (or ‘hot’) at the same time

With at least one backup offline at any given time, an incident cannot affect all of your backups simultaneously.

Leave a Reply

Your email address will not be published. Required fields are marked *