NotPetya Recovery: Maersk Rebuilds its Entire Global IT in 10 Days

Shipping giant Maersk lost its entire global IT infrastructure to NotPetya in 90 minutes. It rebuilt 45,000 PCs, 4,000 servers, and 2,500 applications in 10 days using a single surviving domain controller found in Ghana during a power cut.

Maersk / NotPetya · 2017 · 2 min read

Background

Maersk is the world's largest container shipping company, moving approximately 20% of global seaborne trade. On June 27, 2017, NotPetya encrypted every Windows machine reachable from the company's network within 90 minutes. The company was left with no functioning IT infrastructure.

The Attack

Within 90 minutes of the NotPetya worm reaching Maersk's network, 45,000 PCs, 4,000 servers, and 2,500 applications were encrypted. All 76 port terminals worldwide lost system access and switched to manual operations; Maersk's global shipping network effectively stopped. The recovery challenge was that every Active Directory domain controller had been encrypted, and without at least one intact copy the domain could not be rebuilt. Security teams searched the company's global estate for a domain controller that might have been offline during the attack. They found one in Ghana that had been offline due to a power cut. It was flown to the UK and used to rebuild the entire Microsoft domain.

Response

Maersk rebuilt its entire IT infrastructure in 10 days — described by Forbes as "one of the most incredible logistical feats in the history of IT." At peak recovery, the company was redeploying a new PC every 20 seconds. Operations were maintained using paper and phone throughout the rebuild. Maersk CEO Soren Skou later described the experience publicly.

Outcome

Maersk's recovery is studied as a masterclass in large-scale IT disaster recovery, and the Ghana domain controller became famous in security incident response circles. NotPetya cost Maersk $300 million. The recovery demonstrated that a well-executed manual response can keep critical operations running even when IT is completely unavailable.

Key Takeaways

  1. Maintain at least one offline, geographically separated backup of Active Directory that cannot be reached by network-propagating ransomware
  2. Critical operational procedures must have paper-based manual fallbacks — technology failure cannot halt operations entirely
  3. Rapid large-scale recovery requires pre-planned procedures and pre-provisioned resources — 10-day rebuilds require preparation
  4. NotPetya demonstrated that third-party software updates can wipe your entire IT estate in 90 minutes — supply chain security is existential
Tags: NotPetya, recovery, Active Directory, domain controller, disaster recovery