
Key Cybersecurity Lessons From Maersk’s Ex-CISO | #Infosec2025

Summary

– The 2017 ransomware attack on Maersk cost the company $700 million, and full recovery took three months, though a power outage in Lagos reduced recovery time by four weeks.
– Maersk’s transparency about the attack enabled them to secure global resources, including 10,000 additional staff from Deloitte and IBM, to rebuild their systems.
– The attack, caused by NotPetya malware, targeted 7,000 companies doing business with Ukraine and forced Maersk to rebuild its Windows infrastructure from scratch.
– A stroke of luck occurred when an uninfected Active Directory server in Lagos provided a clean backup, crucial for restoring Maersk’s network.
– Maersk’s recovery strategy, including distributing a clean system build via partner networks, saved significant time and earned recognition as a model for cyberattack response.

The 2017 ransomware attack on shipping giant Maersk remains one of the most costly cyber incidents in corporate history, offering critical lessons for businesses worldwide. According to former CISO Adam Banks, the attack resulted in $700 million in direct recovery costs, with operations taking three months to fully restore. Speaking at a recent security conference, Banks revealed how quick thinking and unexpected luck helped mitigate what could have been an even greater disaster.

When unusual network activity first appeared, Banks immediately recognized something was wrong. After ruling out typical fluctuations, he made the bold decision to shut down Maersk’s entire global network—a massive undertaking given the company’s 120,000 employees, 16,500 servers, and 65,000 devices. The shutdown took hours, but it was necessary to contain the threat.

Investigations soon confirmed Maersk had fallen victim to NotPetya, a destructive ransomware strain that spread through Ukrainian software updates. The malware crippled Windows systems, including Active Directory servers, leaving the company unable to access critical infrastructure. Recovery seemed impossible—until an unlikely break came from an unexpected place.

A power outage in Lagos, Nigeria, had taken one of Maersk’s AD servers offline before the malware could infect it. This untouched server became the lifeline for recovery. The hard drive was retrieved via corporate jet, providing the clean data needed to rebuild the network. Without this stroke of luck, restoration could have taken weeks longer.

Rebuilding required an unprecedented effort. Banks mobilized 10,000 additional personnel from IBM and Deloitte, along with borrowed cloud engineers from unaffected companies. Maersk’s transparency about the attack helped secure these resources, proving that openness in crisis can be a strategic advantage.

Despite the challenges, Banks stands by his decision to rebuild rather than decrypt infected systems, a move that saved critical time. The recovery process involved distributing clean system builds through partner networks after initial USB distribution plans failed.

Today, Maersk is hailed as a model for cyber resilience, demonstrating how decisive leadership, collaboration, and even sheer luck can turn a catastrophic breach into a recovery success story. The incident underscores the importance of preparedness, rapid response, and adaptable recovery strategies in an era where cyber threats continue to escalate.

(Source: Infosecurity Magazine)
