CIO

Maersk: up-to-date antivirus “not effective” against Petya

Danish logistics giant Maersk has installed new security systems after confirming that up-to-date Windows and antivirus were not effective against the June Petya ransomware attack. 

“This virus attack was a previously unseen type of malware, and updates and patches applied to both the Windows systems and our antivirus were not an effective protection in this particular case,” the company said in an update Thursday. 

The statement suggests Maersk had applied the security update MS17-010 to patch against the infamous SMB file-sharing exploit that was leaked by the Shadow Brokers in April and subsequently used in WannaCry and Petya. 

For confidentiality reasons, Maersk said it cannot reveal exactly what new security systems it has put in place. However, after a full post-mortem, the company has offered to share lessons from the incident with customers and partners.

Maersk has not confirmed that its network became infected through a poisoned update from the M.E.Docs software, an accounting package required for firms that do business in Ukraine. It has, however, previously advertised a finance role in Ukraine that required familiarity with M.E.Docs software.

FedEx earlier this week confirmed that the initial infection at its subsidiary TNT Express came through M.E.Docs. It was unable to say when certain systems will be fully restored and predicted a material impact on its finances. It was also uninsured for such an attack.

Microsoft found that Petya featured several techniques that allowed it to compromise a network after infecting just one machine on that network. In addition to the SMB flaw, it used several legitimate penetration-testing tools to spread across networks. Microsoft said most infections occurred on Windows 7 systems and claimed that Windows 10's in-built defenses either blocked or mitigated each of the techniques.

Maersk was one of the first to confirm it was significantly affected by a virus during the Petya ransomware outbreak on June 27. 

It is still working on recovery efforts and returning to “normal customer service levels” after the attack. The company has provided regular global and regional updates to inform customers as it recovers key systems disrupted by the attack. 

Over the past month it has restored customer service phone lines, online track and trace services, booking services, systems for sharing shipping rates, and more. It also shut its job applications system down due to the attack.