Recovering from NotPetya – the DLA Piper Story

DLA Piper, a global law firm with a presence in more than 40 countries, was hit with the NotPetya ransomware attack in June 2017. It caused significant damage to its global IT infrastructure (hat tip, ITNews):
– every data centre and Windows-based server was impacted
– due to having a flat network structure, NotPetya was able to spread very quickly
– the firm had no email for 4 days
– the IT team put in 15,000 hours of paid overtime in the first three weeks in order to recover
– the first two weeks after the attack were spent trying to find salvageable equipment, but eventually the decisions was made to just start afresh
– the IT team re-created the entire infrastructure in the third week. Good backups made this possible.

In order to decrease the likelihood of a future attack having such widespread impact, DLA Piper is now:
– segmenting its network, isolating and separating offices
– setting up cloud-based versions of core systems in order to provide a live fall-back
– re-thinking its post-attack mitigation strategy, in light of its experiences

In the Excel spreadsheet above, I run the numbers to try to calculate the overall cost. For the direct costs of recovery, assuming a fully-burdened cost per hour of labour at $150, I get $2.25 million. This does not include lost productivity for partners and lawyers who were unable to work, or who had to find workarounds during the post-attack weeks. There is no doubt that this cost of lost productivity was many, many times the cost of the IT team.

Overall, a very costly experience for DLA Piper. Good to see that various mitigations are being put in place to ensure this never happens again to the same extent.

One thought on “Recovering from NotPetya – the DLA Piper Story

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.