back to article NotPetya ransomware attack cost us $300m – shipping giant Maersk

The world's largest container shipping biz has revealed the losses it suffered after getting hit by the NotPetya ransomware outbreak, and the results aren't pretty. The malware surfaced in Ukraine in June after being spread by a malicious update to MeDoc, the country's most popular accounting software. Maersk picked up an …

  1. Chris Miller

    "He says he learned that there was nothing that could have been done to stop the attack"

    Because a thing seems difficult for you, do not think it impossible for anyone to accomplish.

    Marcus Aurelius

    1. GrapeBunch

      Perhaps what they actually said was "there was nothing that could be done to stop an attack by a determined and skillful cracker targeting only our systems".

      Which was not what happened, eh. Even then, I'd doubt it.

    2. Anonymous Coward
      Anonymous Coward

      Stopping an attack once it begun, and is spreading very quickly, may not be that easy, especially when some upper managers don't like some systems being brought down to protect them, and they handle and monitor a lot of activities worldwide, and IT doesn't have a clear understanding of what's happening and fears disruptions. Mersk is not Facebook - if the latter halts nothing really happens, but when one of the biggest goods movers is unable to move them, ships can't load or unload, cargo can't be sorted, is a far different issue.

      Probably in their situation they really had not the right policies to assess the situation, and stop it quickly enough and activate a contingency plan. Hope they learnt.

      And hope it taught many other companies, that even if IT is not their core business, it's at the core of their business anyway.

  2. Anonymous Coward
    Anonymous Coward

    Easy to mitigate

    -Patch your o/s monthly

    -Regularly patch your Apps that open files (word/pdf etc) regularly

    -Don't run an o/s or app that is no longer in patching support

    - Don't let Apps connect to the internet to pull down their own updates in an Enterprise environment - test updates in a sandbox first then use your software deployment tools to push out tested updates

    -Run anti-virus & update hourly and AV scan on demand all files

    -Scan incoming email using AV and block .exe attachments

    -Scan and block sites when web browsing using a web proxy and AV scanner

    -Set web browsers to block adverts and flash

    -Use a localhosts file to sinkhole malware and advert sites to 127.0.0.1

    1. Tim99 Silver badge
      Trollface

      Re: Easy to mitigate

      Did you forget: -Get rid of Windows?

      1. The Original Steve
        Mushroom

        Re: Easy to mitigate

        "Did you forget: -Get rid of Windows?"

        Did you forget - they need to be able to do work from these computers... ;)

        1. Doctor Syntax Silver badge

          Re: Easy to mitigate

          "Did you forget - they need to be able to do work from these computers... ;)"

          Did you forget? They weren't able to.

    2. o p

      Re: Easy to mitigate

      Not0etya used afmin logins. Not vulnerabilities.

      It was installed by sysadmins. It did not use internet access.

      None of your procedures would help. Not a bit.

    3. Anonymous Coward
      Anonymous Coward

      Re: Easy to mitigate

      One thing I can guarantee - if you think stopping all malware is "Easy to mitigate" then you either don't have much experience in a large company or you have your head buried in the sand. People who do things right definitely do not find it easy and will have a dedicated Security team or at least a dedicated security officer who have a full time job just managing the security of the enterprise.

      If it was easy then they would be out of a job.

      Anyone who has to do the security bit on the side to their main sysadmin job or it manager job will probably tell you that they fully understand the issue and it is a constant battleground and a lot of it involves crossing their fingers, or they are clueless.

      Much of it the same for disaster recovery or general business continuity not easy at all, even if on paper you can convince yourself it is easy anything other than an SME or smaller will probably be hoping nothing major happens rather than being truly convinced that they can cope with any eventuality.

      If I was to employ someone in IT security I would be looking for someone who says" it is difficult but I can ensure that xyz issues are covered and this is my strategy for emerging threats .. etc" rather than someone who says "it's easy, I can ensure you never have an issue" because I would know they don't have a clue.

    4. EnviableOne

      Re: Easy to mitigate

      None of this owuld have heleped,

      what they should have done is use a decent piece of accounting software not the swiss cheese Ukranian one they did.

      1. Anonymous Coward
        Anonymous Coward

        "not the swiss cheese Ukranian one they did"

        Probably their Ukrainian subsidiaries and other connected businesses didn't have much choice. Some accounting and tax reports are often very country-specific - because of the usual, complex local regulations.

      2. razorfishsl

        Re: Easy to mitigate

        It's like China ..

        You MUST USE the local government supplied software, don't use it , you are out of business.

        The fact that it is supplied from fixed ip addresses over Http connections & auto installs & updates , has nothing to do with it.

        Boy..... is a reckoning coming to China , once the malware writers start doing research into local government offices and their pisspoor requirements of "nepotism software" they force on local businesses.

    5. Anonymous Coward
      Anonymous Coward

      Use a localhosts file to sinkhole

      What's the web proxy for? You can route anyway all web traffic through the proxy, even for those users who try to bypass it (although in my experience often those are the sysadmins themselves). In some environments, the proxy shouldn't backlist, it should whitelist and block everything else.

  3. fidodogbreath

    He says he learned was told by the people who had f-cked up that there was nothing that could have been done to stop the attack...

    FTFY

    1. Mephistro
      Happy

      He says he learned was told by the people who had f-cked up that there was nothing that could have been done to stop the attack with the kind of funding the IT dept. had. The three IT guys were very vocal about it!

      Fixed!

  4. Anonymous Coward
    Facepalm

    Medoc: PCI DSS Level 1 Compliant

    Medoc: 'PCI DSS Level 1 Compliant, the highest level of data and payment protection'

    'NotPetya initially attacks via a phishing email'

    1. Anonymous South African Coward Bronze badge

      Re: Medoc: PCI DSS Level 1 Compliant

      Must be a really good phish...

    2. VinceH

      Re: Medoc: PCI DSS Level 1 Compliant

      I think that's the wrong company - if you look at their main page you'll see this disclaimer at the top:

      Please note that Medoc Computers Ltd has no connection with the Ukrainian company 'MEDoc'.

  5. Tigra 07
    Meh

    Funny that as we're still getting huge delays from Maersk containers in August

    And they were trying to profit from the malware outbreak in July by charging extra for a "guaranteed" delivery slot, which they still failed to deliver on.

    Bunch of bastards

  6. Prst. V.Jeltz Silver badge

    "In the last week of the quarter we were hit by a cyber-attack" spoken by a business man . Like it wouldnt have been so bad mid quarter?

    1. Gazareth

      Well, the statement's part of an earnings report for the quarter, so it's logical to be phrased that way.

  7. Gordon Pryra

    He says he learned that there was nothing that could have been done to stop the attack

    Who the hell is he listening to in his IT department?

    1. Mr Sceptical
      Megaphone

      Re: He says he learned that there was nothing that could have been done to stop the attack

      The cleaner?

      1. Nolveys

        Re: He says he learned that there was nothing that could have been done to stop the attack

        The cleaner?

        I'm surprised more places don't combine janitorial and IT. Same level of respect, same pay and almost the same work.

    2. EJ

      Re: He says he learned that there was nothing that could have been done to stop the attack

      Listening to the folks who should have tightened up the company's defenses, but didn't, so instead of copping to their failures decided to frame it as impossible to defend against.

      Time to pony up for an independent vulnerability assessment and get the real story, Maersk.

  8. Fatman
    Joke

    Maersk hit by NotPetya

    They have a unique ability to rid the world of the scum that created/distributed this malware.

    Once you find those bastards, lock them into a shipping container, and have an 'at sea' accident.

    "Oops, that loose container fell from the ship!!"

    "No big deal, it is only cargo!"

    1. Doctor Syntax Silver badge

      Re: Maersk hit by NotPetya

      "Once you find those bastards, lock them into a shipping container, and have an 'at sea' accident."

      They don't even need an accident. Just park it in some odd corner of a large depot and quietly delete the container's records from the system.

      1. Anonymous Coward
        Anonymous Coward

        Re: Maersk hit by NotPetya

        NotPetya did that already.

  9. Doctor Syntax Silver badge

    "But with this and my skills, I had no intuitive idea on how to move forward.”

    So, having no intuitive (?or any other) idea of what to do he took charge.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon