3rd Party Risk Management , Access Management , Cloud Access Security Brokers (CASB)

The Ransomware Files, Episode 4: Maersk and NotPetya

Malware Disguised as Ransomware Nearly Sank Logistics Giant Maersk
The Ransomware Files, Episode 4: Maersk and NotPetya

What if malware disguised as ransomware destroyed every copy of a company's Active Directory except for one?

That's exactly what happened to global shipping and logistics company Maersk on June 27, 2017. Maersk was one of dozens of organizations crippled by the NotPetya malware in one of the strangest and most devastating global cyberattacks.

Gavin Ashton was Maersk's identity and access management service owner at the time.

"We talk about milestones and project plans and three-, five-year plans," Ashton says. "And the thing about ransomware, or extortion, or whatever you want to call it these days, is it doesn't really care about any of that. It could literally strike this afternoon. That was our wake-up call."

Bharat Halai was Maersk's former head of identity and access management. The attack knocked out all of Maersk's copies of Active Directory. Halai's quick thinking uncovered the last remaining uncorrupted copy in Lagos, Nigeria, which had experienced a wide area network outage.

"I asked the head of IT and said, 'Can you just make sure you call every single site and ask them if any of them had a WAN outage at any point since the NotPetya event or before?'" Halai says. "Fortunately, the head of IT came back and said, 'Yes, we have one site that has had a WAN outage before the 27th of June.' I thought, 'Great.' Now, first thing to do, is back that baby up quick, quick before it goes."

In this episode of "The Ransomware Files," Ashton and Halai explain how the dedication and tenacity of the team at Maersk brought the company back from an IT systems meltdown. They also explain how they rectified weaknesses in Maersk's identity and access management systems that had caused NotPetya to spread so quickly.

"The Ransomware Files" is a podcast miniseries available on Spotify, Apple Podcasts, Google, Audible, Stitcher and more. I'm speaking with those who have navigated their way through a ransomware incident to learn how they fought back and what tips they can pass on to others. No ransomware infection is ever welcomed. But there's invaluable knowledge gained. There should be no shame in getting infected, and it's important to share the lessons.

If you enjoyed this episode of "The Ransomware Files," please follow it on a podcast platform and leave a review. Also, the show has a Twitter handle, @ransomwarefiles, that tweets news and happenings about ransomware.

If you would like to participate in this project and tell the information security community about your organization's brush with ransomware, please get in touch with me at jkirk@ismg.io or direct message me here on Twitter. I'm looking for other people, organizations and companies that can share their unique experiences for the benefit of all until ransomware, hopefully, becomes a thing of the past.


Speakers: Gavin Ashton, former identity and access management service owner, Maersk; Bharat Halai, former head of identity and access management, Maersk; Jeremy Kirk, executive editor, Information Security Media Group.

Production Coordinator: Rashmi Ramesh.

"The Ransomware Files" theme song by Chris Gilbert/© Ordinary Weirdos Music.

"Soviet March" by Shane Ivers.

Music by Uppbeat. (Tracks and license codes here.)


  • ABC News, "Petya cyber attack: Cadbury chocolate factory in Tasmania hit by ransomware," June 28, 2017.
  • CSO Online, "Petya ransomware and NotPetya malware: What you need to know now," Oct. 17, 2017.
  • Data Breach Today, "To Prevent Another WannaCry, Microsoft Patches Old OSs," May 15, 2019.
  • Dragos, "Spyware Stealer Locker Wiper: LockerGaga Revisited," March 2020.
  • Fortinet, "Key Differences Between Petya and NotPetya," July 9, 2017.
  • Gigamon, Exorcising the Ghost in the Machine, January 2022.
  • I, Global Intelligence for Digital Leaders, "Maersk: Springing back from a catastrophic cyber-attack," August 2019.
  • Gavin Ashton, "Maersk, Me & NotPetya," June 2020.
  • Malwarebytes, "Petya - Taking Ransomware To The Low Level," July 16, 2021.
  • Securelist, "Schroedinger’s Pet(ya)," June 27, 2017.
  • Securelist, "ExPetr/Petya/NotPetya is a Wiper, Not Ransomware," June 28, 2017.
  • U.S. Department of Justice, "Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace," Oct. 19, 2020.
  • The Washington Post, "NSA officials worried about the day its potent hacking tool would get loose. Then it did," May 16, 2017.
  • Wired, "The Untold Story of NotPetya, the Most Devastating Cyberattack in History," Aug. 22, 2018.
  • Wired, "The Leaked NSA Spy Tool That Hacked the World, March 7, 2018.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.