Microsoft cut off entirety of Ukraine from its network during NotPetya attacks
CISO Bret Arsenault says it was one of the worst episodes during his 10-year tenure

Microsoft was forced to disconnect the entirety of Ukraine from its network in order to mitigate the effects of the 2017 NotPetya ransomware attack, it has emerged.
Microsoft CISO Bret Arsenault revealed on Monday that the company "had seconds to make the decision" after being alerted that one of its vendor's devices had been infected by the ransomware back in June 2017.
NotPetya, a self-propagating strain of ransomware that masqueraded as the Petya virus, spread across major European businesses, encrypting data and destroying boot records to render systems unusable. This particularly vicious strain used the EternalBlue exploit leaked from the NSA, which was also responsible for the WannaCry attack just months prior.
Speaking at Microsoft Ignite in Orlando, Arsenault said the episode remains one of the worst during his 10-year tenure.
"June 27th 2017 at 4:13am," he said. "My phone went off, and I got a notice that one of our vendor's devices in Ukraine had been infected. This was right after WannaCry and what was known as Petya. We recognised right away that this was a problem, and we were worried about the infection spreading - this is what became known as NotPetya, which was vicious ransomware.
"We had seconds to make the decision, and so we cut off all of Ukraine from our network to limit any kind of impact that might happen. As you can imagine, June 27th is fiscal close, so anytime you mess with the network infrastructure... you put that at risk."
Meet Azure Arc, a Microsoft platform for those that want a bit of everything The most popular ransomware strains targeting UK businesses NotPetya was nastier than WannaCry ransomware, say experts
"That's the day that I learned the job is about choices," he added. "It's a difference between bad choices and worse choices - and I think I likely just made a bad choice."
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Arsenault also recalled a similar split-second decision prompted by Hurricane Maria, the deadly Category 5 hurricane that devastated many parts of Dominica, the US Virgin Islands, and, most applicable to Microsoft, Puerto Rico, which serves as a major processing hub for the company.
"Many people don't know that we have about 365 people there (Puerto Rico)... which is our first priority, but also run 13 critical business processes there. So we did a tabletop exercise - I don't know how many people know how to fly 8,000 gallons of fuel into three feet of water, but it's a pretty fun exercise to go through."
Responding to a question on how he stays positive, the CISO of one of the most targeted companies in the world admitted that it has become harder over the years.
"I try to smile. I've been doing this job for ten years, and I think when I took it over I started sleeping like a baby... I (now) wake up at two in the morning crying every night," he joked.
"But I am positive, I think some of the tools we saw (at Ignite) are amazing... they've reduced my time to resolve by up to 50% with no increase in headcount, and most importantly, the signal you have and the telemetry, combined with the artificial intelligence and machine learning that you use, is really what differentiates your ability relative to the bad guys.
"For the first time that I can remember in the 20 years I've been in this space and the ten years in this job, I believe that the defenders and the good guys actually have the advantage."
Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.
-
Cloudflare is cracking down on AI web scrapers
News Cloudflare CEO Matthew Prince said AI companies have been "scraping content without limits" - now the company is cracking down.
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operators
News A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attack
News A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?
News The Scattered Spider group has been highly active in recent years
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.