#Infosec2025: Cybersecurity Lessons From Maersk’s Former CISO

The 2017 ransomware attack on shipping company A P Moller Maersk marked a turning point for the cybersecurity industry, according to its former CISO Adam Banks.
The attack is estimated to have cost Maersk $700m, excluding any revenue losses. Following the attack, it was three months before the business was fully back online, Banks told an audience at Infosecurity Europe 2025. But, he said, it could well have been worse.
The $700m figure was, Banks said, the cost of the attack and the recovery. A stroke of luck, in the form of a power cut in Lagos, cut the firm’s recovery time by as much as four weeks.
Meanwhile, Maersk’s openness about what happened helped Banks and his team to bring in desperately needed resources from around the world to rebuild the company’s networks and systems.
Banks was taking part in a corporate photo shoot on Copenhagen’s waterfront when both his work and personal phones rang. At the third attempt, he opted to take the call.
The Maersk operations centre, based in the UK, had reported odd behaviour. Parts of the business that should have been waking up were not. Others that were at work were suddenly logging off.
With 35,000 sales agents, peaks and troughs in traffic were normal – but this was not that. Having checked for national holidays or unusual weather events, Banks made the decision to shut down the Maersk network.
Pulling the Plug
This was no small task – the company has around 120,000 employees, 16,500 servers and 65,000 user devices, and a $2m a year budget. The shutdown process took six to eight hours. The Copenhagen office, the first Maersk took offline, had just short of 3500 PCs.
This done, Banks called the group CEO to brief him on the situation. He then took two further steps. He sent his assistant to write down the phone numbers on a sheet of A4 paper, and dispatched a small team of his security analysts to a nearby café to gather intelligence on the incident. It was critical to find out if Maersk was the attackers’ target.
“Maersk burns more fuel than Germany, so it could have been eco activists. Our largest customer is the US military. Did someone want to disrupt their plans? And our biggest competitor is the Chinese government,” he explained.
By 11am everyone had left the Copenhagen office, despite barriers and gates not working as the network was down. Next, Banks sent a support team into the building to check the PCs and unplug any that were switched off. Of the 3492 computers in Copenhagen, only eight were working.
Banks then put calls in to the CEOs of Microsoft and IBM: Microsoft for help with breaking the password set on the infected PCs; and IBM to ask for staff to be put on standby to help Maersk with recovery. At the time, Microsoft’s Satya Nadella told Banks that his was not the first such call of the day.
Microsoft was able to break the encryption, but with each device needing to be decrypted separately, this was not a practical recovery route. Banks was left looking for other options.
NotPetya
It turned out that Maersk had been attacked by NotPetya – one of 7000 companies targeted because they did business with Ukraine.
At the time of the attack, Maersk was 65% on-premises and 45% in the cloud. In fact, one of its critical servers was scheduled to migrate to the cloud the following weekend.
As it was, Maersk lost not only access to its PCs, but also to critical Windows servers including those running Active Directory. Linux, mainframes and the storage area network were not infected, so recovery from backups was possible.
Banks faced rebuilding the entire Windows infrastructure from scratch. To make matters worse, communication over the VoIP network was impossible and the index cataloging the backups was on an infected server.
Then, luck turned in Maersk’s favor.
A 48-hour power outage in Lagos, Nigeria, had taken its Active Directory (AD) server offline, so it avoided infection.
“We had a full, unimpacted copy of Active Directory,” said Banks.
The local IT administrator carefully removed the hard drive and he, and the precious drive, were collected from Lagos by the Maersk corporate jet.
Recovery Mode
The Nigerian drive was the “yeast to rebuild the network,” Banks recalls. Maersk now moved into recovery mode.
Banks’ 2000-strong internal team, and wider team of technology staff, was boosted by 10,000 extra people from Deloitte and IBM. Banks was also able to “borrow” Azure cloud engineers from companies that were not affected by the attack to help.
Maersk’s decision to be open about the incident made this possible, he believes.
Even so, a period of 20-hour days followed, as Maersk recovered its systems. Sales and support teams were trained to set up PCs from a new, clean build so the technologists could focus on their work.
However, an early plan to distribute the build to offices by USB failed, as no stores had sufficient USBs in stock to meet Maersk’s needs. Instead, Banks used Microsoft, IBM and Deloitte’s networks to push the build out to their local offices, where it was transferred to USB sticks locally.
Banks also pulled together as much network bandwidth as he could to support the recovery effort.
It was not easy, but it worked. Banks stands by his decision to rebuild Maersk’s infected systems, rather than attempt to remove the malware and decrypt systems.
“Our choice was to do something radically different, or wait for protection from the antivirus community,” he explained.
This, he believes, saved around 8-10 days. Being able to recover Active Directory from the Lagos hard drive saved as much as four weeks more.
“It has a relatively happy ending, and Maersk is considered by the World Economic Forum as an exemplar of how to recover,” he concluded.