Microsoft cut off entirety of Ukraine from its network during NotPetya attacks
CISO Bret Arsenault says it was one of the worst episodes during his 10-year tenure

Microsoft was forced to disconnect the entirety of Ukraine from its network in order to mitigate the effects of the 2017 NotPetya ransomware attack, it has emerged.
Microsoft CISO Bret Arsenault revealed on Monday that the company "had seconds to make the decision" after being alerted that one of its vendor's devices had been infected by the ransomware back in June 2017.
NotPetya, a self-propagating strain of ransomware that masqueraded as the Petya virus, spread across major European businesses, encrypting data and destroying boot records to render systems unusable. This particularly vicious strain used the EternalBlue exploit leaked from the NSA, which was also responsible for the WannaCry attack just months prior.
Speaking at Microsoft Ignite in Orlando, Arsenault said the episode remains one of the worst during his 10-year tenure.
"June 27th 2017 at 4:13am," he said. "My phone went off, and I got a notice that one of our vendor's devices in Ukraine had been infected. This was right after WannaCry and what was known as Petya. We recognised right away that this was a problem, and we were worried about the infection spreading - this is what became known as NotPetya, which was vicious ransomware.
"We had seconds to make the decision, and so we cut off all of Ukraine from our network to limit any kind of impact that might happen. As you can imagine, June 27th is fiscal close, so anytime you mess with the network infrastructure... you put that at risk."
Meet Azure Arc, a Microsoft platform for those that want a bit of everything The most popular ransomware strains targeting UK businesses NotPetya was nastier than WannaCry ransomware, say experts
"That's the day that I learned the job is about choices," he added. "It's a difference between bad choices and worse choices - and I think I likely just made a bad choice."
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Arsenault also recalled a similar split-second decision prompted by Hurricane Maria, the deadly Category 5 hurricane that devastated many parts of Dominica, the US Virgin Islands, and, most applicable to Microsoft, Puerto Rico, which serves as a major processing hub for the company.
"Many people don't know that we have about 365 people there (Puerto Rico)... which is our first priority, but also run 13 critical business processes there. So we did a tabletop exercise - I don't know how many people know how to fly 8,000 gallons of fuel into three feet of water, but it's a pretty fun exercise to go through."
Responding to a question on how he stays positive, the CISO of one of the most targeted companies in the world admitted that it has become harder over the years.
"I try to smile. I've been doing this job for ten years, and I think when I took it over I started sleeping like a baby... I (now) wake up at two in the morning crying every night," he joked.
"But I am positive, I think some of the tools we saw (at Ignite) are amazing... they've reduced my time to resolve by up to 50% with no increase in headcount, and most importantly, the signal you have and the telemetry, combined with the artificial intelligence and machine learning that you use, is really what differentiates your ability relative to the bad guys.
"For the first time that I can remember in the 20 years I've been in this space and the ten years in this job, I believe that the defenders and the good guys actually have the advantage."
Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.
-
Using DeepSeek at work is like ‘printing out and handing over your confidential information’
News Thinking of using DeepSeek at work? Think again. Cybersecurity experts have warned you're putting your enterprise at huge risk.
-
Can cyber group takedowns last?
ITPro Podcast Threat groups can recover from website takeovers or rebrand for new activity – but each successful sting provides researchers with valuable data
-
Average ransom payment doubles in a single quarter
News Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new group
News The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
-
Google cyber researchers were tracking the ShinyHunters group’s Salesforce attacks – then realized they’d also fallen victim
News In an update to an investigation on the ShinyHunters group, Google revealed it had also been affected
-
Nearly one-third of ransomware victims are hit multiple times, even after paying hackers
News Many ransomware victims are being hit more than once, largely thanks to fragmented security tactics
-
75% of UK business leaders are willing to risk criminal penalties to pay ransoms
News A ransom payment ban is a great idea - until you're the one being targeted...
-
The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employees
News The group is using new ransomware variants and new social engineering techniques - including sneaking into corporate teleconferences
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crime
News A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year