Recovering from NotPetya – the DLA Piper Story

DLA Piper, a global law firm with a presence in more than 40 countries, was hit with the NotPetya ransomware attack in June 2017. It caused significant damage to its global IT infrastructure (hat tip, ITNews):
– every data centre and Windows-based server was impacted
– due to having a flat network structure, NotPetya was able to spread very quickly
– the firm had no email for 4 days
– the IT team put in 15,000 hours of paid overtime in the first three weeks in order to recover
– the first two weeks after the attack were spent trying to find salvageable equipment, but eventually the decision was made to just start afresh
– the IT team re-created the entire infrastructure in the third week. Good backups made this possible.

In order to decrease the likelihood of a future attack having such widespread impact, DLA Piper is now:
– segmenting its network, isolating and separating offices
– setting up cloud-based versions of core systems in order to provide a live fall-back
– re-thinking its post-attack mitigation strategy, in light of its experiences

In the Excel spreadsheet above, I run the numbers to try to calculate the overall cost. For the direct costs of recovery, assuming a fully-burdened labour cost of $150 per hour across the 15,000 hours of overtime, I get $2.25 million. This does not include lost productivity for partners and lawyers who were unable to work, or who had to find workarounds during the post-attack weeks. There is no doubt that this cost of lost productivity was many, many times the cost of the IT team.

Overall, a very costly experience for DLA Piper. Good to see that various mitigations are being put in place to ensure this never happens again to the same extent.
