NotPetya Lessons: Why Air-Gapped Backups Matter

May 18, 2026
Shannon Lewis

Maersk lost 45,000 PCs and 4,000 servers in seven minutes. NotPetya didn't just destroy production systems. It wiped the backups too, because they were on the same network attackers already controlled.

That single design flaw turned a recoverable incident into a near-total collapse. Recovery depended on luck: a domain controller that survived only because a power outage in Ghana took it offline before the wiper reached it.

Most disaster recovery plans assume backups will be there when needed. NotPetya proved otherwise.

Why This Matters Now

NotPetya spread through a compromised software update in Ukrainian accounting software, then used EternalBlue to move laterally across networks. It overwrote the master boot record, making infected systems unbootable. Total global damage exceeded $10 billion.

What made NotPetya different from typical ransomware was intent. It wasn't designed to extort. It was designed to destroy. Even paying a ransom wouldn't restore systems, because the malware didn't preserve decryption keys.

Attackers now routinely target backups before encrypting production data. If your backup infrastructure sits on the same network as your workstations and servers, it's accessible to the same exploits that compromise everything else.

Traditional backup strategies were built for hardware failures and accidental deletions. They weren't designed to survive coordinated attacks that treat backups as the first target, not an afterthought.

Three Strategic Gaps Exposed

Backups Accessible from Compromised Networks

When backups are network-connected, attackers can reach them using the same lateral movement tools that spread malware across your environment. EternalBlue exploited unpatched Windows systems to move from one machine to the next, including backup servers.

  • Recovery depends on isolation that malware cannot bypass
  • Network segmentation alone doesn't stop exploits that traverse Active Directory trusts
  • Backup deletion or encryption becomes trivial once attackers gain domain admin privileges
  • Most teams discover this gap only after attempting a restore during an active incident

Backups That Can Be Modified or Deleted

Wiper malware doesn't just encrypt data. It corrupts or deletes backups silently, often days before the main attack. By the time teams notice, every available restore point has been compromised.

  • Immutable backups prevent modification after creation, even by privileged accounts
  • Without immutability, attackers can corrupt backup chains while leaving metadata intact
  • Silent corruption means validation failures appear only during recovery attempts
  • Retention policies become irrelevant if attackers can delete all snapshots before triggering the main payload

Untested Recovery Under Attack Conditions

Active Directory recovery is complex under normal conditions. Under attack, when domain controllers are destroyed and authentication fails, most documented procedures break down immediately.

  • Recovery readiness assessments reveal whether restores work when DNS, authentication, and directory services are unavailable
  • Testing against realistic scenarios exposes dependencies that aren't obvious in runbooks
  • Many teams assume backups are valid without verifying forest recovery paths or application dependencies
  • Pressure during an incident amplifies every undocumented step and untested assumption

The Strategic Shift Required

Survival depends on backups that exist outside the attack surface. Air-gapped backups are physically or logically isolated from production networks, making them unreachable through lateral movement or credential compromise.

Immutable backups add a second layer: once written, they cannot be altered or deleted, even by administrators. This prevents attackers from silently corrupting restore points before launching the main attack.

Recovery readiness assessments identify gaps before an incident. They validate that backups can be restored when core infrastructure such as Active Directory, DNS, and authentication services is unavailable.

  • Shift from assuming backups work to proving they work under attack conditions
  • Treat backup isolation as a security control, not a convenience feature
  • Test recovery paths that bypass dependencies on systems attackers will destroy first
  • Build runbooks that account for total domain compromise, not just partial outages
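The "silent corruption" gap above (data altered while backup metadata stays intact) and the shift from assuming to proving that backups work both come down to verifying restore points against a record the attacker cannot rewrite. The following is an added illustration, not RecoveryManager Plus code: it assumes a per-chain manifest of content hashes authenticated with an HMAC key that lives only on the isolated side, so a domain admin on the production network can neither corrupt a restore point unnoticed nor re-sign a doctored manifest. All restore points, names and the key are constructed sample values.

```python
import hashlib
import hmac
import json

# Assumption: the HMAC key is stored only on the air-gapped side, never on the
# production network, so compromised domain admin credentials cannot reach it.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(points: dict, key: bytes) -> dict:
    """Record a content hash per restore point and authenticate the whole list."""
    entries = {name: sha256_hex(data) for name, data in points.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_chain(points: dict, manifest: dict, key: bytes) -> dict:
    """Check the manifest tag first, then every restore point against its recorded hash."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    manifest_ok = hmac.compare_digest(expected, manifest["tag"])
    corrupted = [n for n, h in manifest["entries"].items()
                 if n in points and sha256_hex(points[n]) != h]
    missing = [n for n in manifest["entries"] if n not in points]
    return {"manifest_ok": manifest_ok, "corrupted": corrupted, "missing": missing}

def demo() -> tuple:
    key = b"offline-key-kept-on-air-gapped-side"  # constructed sample key
    # Constructed restore points: name -> backup content.
    chain = {
        "dc01-full-day1": b"ntds.dit v1",
        "dc01-incr-day2": b"ntds.dit v2",
        "dc01-incr-day3": b"ntds.dit v3",
    }
    manifest = build_manifest(chain, key)
    clean = verify_chain(chain, manifest, key)

    # Silent corruption: day2 overwritten with same-length garbage and day3 deleted,
    # while names, sizes and the manifest metadata are left untouched.
    tampered = dict(chain)
    tampered["dc01-incr-day2"] = b"XXXXXXXX v2"
    del tampered["dc01-incr-day3"]
    silent = verify_chain(tampered, manifest, key)

    # The attacker also rewrites the manifest hashes to match the tampered data,
    # but cannot produce a valid tag without the offline key.
    forged = {"entries": {n: sha256_hex(d) for n, d in tampered.items()},
              "tag": manifest["tag"]}
    forged_result = verify_chain(tampered, forged, key)
    return clean, silent, forged_result
```

Running the verification on a schedule from the isolated side, rather than only at restore time, is what turns "validation failures appear only during recovery attempts" into an early detection.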

How RecoveryManager Plus Addresses This

RecoveryManager Plus is designed for Active Directory environments where recovery speed and isolation determine survival. It addresses the gaps NotPetya exposed by separating backup storage from production networks and preventing modification of existing snapshots.

  • Backups Accessible from Compromised Networks: Air-gapped backups isolate recovery data from networks attackers control, ensuring restore points remain intact even during active lateral movement.
  • Backups That Can Be Modified or Deleted: Immutable backups prevent attackers from silently corrupting or deleting snapshots, preserving recovery options even if domain admin credentials are compromised.
  • Untested Recovery Under Attack Conditions: Recovery readiness assessments validate that Active Directory restores work when authentication, DNS, and domain services are unavailable, exposing gaps before an incident.

Who This Is For

  • IT managers responsible for disaster recovery planning in Active Directory environments
  • Sysadmins managing backup infrastructure and testing recovery procedures
  • Disaster recovery specialists validating readiness against wiper and ransomware scenarios
  • Security engineers assessing whether backups survive network compromise

Call to Action

Test whether your backups survive the attacks they're supposed to protect against. Visit https://manageengine.optrics.com/recoverymanager-plus.html

FAQ

What made NotPetya different from typical ransomware?
NotPetya was a wiper, not ransomware. It overwrote the master boot record and didn't preserve decryption keys, making recovery impossible even if a ransom was paid. It spread via a compromised software update and used EternalBlue for lateral movement.

Why do air-gapped backups matter for Active Directory recovery?
Air-gapped backups are isolated from production networks, so attackers cannot reach them through lateral movement or credential compromise. When domain controllers are destroyed and authentication fails, air-gapped snapshots remain intact and accessible for recovery.

How do immutable backups prevent silent corruption?
Immutable backups cannot be modified or deleted after creation, even by privileged accounts. This prevents attackers from corrupting restore points days before launching the main attack, a common tactic in wiper and ransomware campaigns.

What does a recovery readiness assessment validate?
It validates that Active Directory restores work when core infrastructure such as DNS, authentication, and domain services is unavailable. It exposes dependencies, untested procedures, and gaps that only appear under attack conditions, not during routine backup tests.


Optrics is an engineering firm with certified IT staff specializing in network-specific software and hardware solutions.

Copyright 2025 © Optrics Inc. all rights reserved. 