Microsoft cut off entirety of Ukraine from its network during NotPetya attacks

published 4 November 2019

Microsoft was forced to disconnect the entirety of Ukraine from its network in order to mitigate the effects of the 2017 NotPetya ransomware attack, it has emerged.

Microsoft CISO Bret Arsenault revealed on Monday that the company "had seconds to make the decision" after being alerted that one of its vendor's devices had been infected by the ransomware back in June 2017.

NotPetya, a self-propagating strain of ransomware that masqueraded as the Petya virus, spread across major European businesses, encrypting data and destroying boot records to render systems unusable. This particularly vicious strain used the EternalBlue exploit leaked from the NSA, which was also responsible for the WannaCry attack just months prior.

Speaking at Microsoft Ignite in Orlando, Arsenault said the episode remains one of the worst during his 10-year tenure.

"June 27th 2017 at 4:13am," he said. "My phone went off, and I got a notice that one of our vendor's devices in Ukraine had been infected. This was right after WannaCry and what was known as Petya. We recognised right away that this was a problem, and we were worried about the infection spreading - this is what became known as NotPetya, which was vicious ransomware.

"We had seconds to make the decision, and so we cut off all of Ukraine from our network to limit any kind of impact that might happen. As you can imagine, June 27th is fiscal close, so anytime you mess with the network infrastructure... you put that at risk."

Meet Azure Arc, a Microsoft platform for those that want a bit of everything The most popular ransomware strains targeting UK businesses NotPetya was nastier than WannaCry ransomware, say experts

"That's the day that I learned the job is about choices," he added. "It's a difference between bad choices and worse choices - and I think I likely just made a bad choice."

Arsenault also recalled a similar split-second decision prompted by Hurricane Maria, the deadly Category 5 hurricane that devastated many parts of Dominica, the US Virgin Islands, and, most applicable to Microsoft, Puerto Rico, which serves as a major processing hub for the company.

"Many people don't know that we have about 365 people there (Puerto Rico)... which is our first priority, but also run 13 critical business processes there. So we did a tabletop exercise - I don't know how many people know how to fly 8,000 gallons of fuel into three feet of water, but it's a pretty fun exercise to go through."

Responding to a question on how he stays positive, the CISO of one of the most targeted companies in the world admitted that it has become harder over the years.

"I try to smile. I've been doing this job for ten years, and I think when I took it over I started sleeping like a baby... I (now) wake up at two in the morning crying every night," he joked.

"But I am positive, I think some of the tools we saw (at Ignite) are amazing... they've reduced my time to resolve by up to 50% with no increase in headcount, and most importantly, the signal you have and the telemetry, combined with the artificial intelligence and machine learning that you use, is really what differentiates your ability relative to the bad guys.

"For the first time that I can remember in the 20 years I've been in this space and the ten years in this job, I believe that the defenders and the good guys actually have the advantage."

Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.