On June 27, 2017, a software update was pushed to users of M.E.Doc, a tax and accounting application required by most businesses operating in Ukraine. Within hours, organizations across the globe were watching their entire IT infrastructures go dark. NotPetya — disguised as ransomware but designed purely for destruction — would become the most costly cyberattack in recorded history.
A ransomware mask over a wiper
NotPetya presented victims with a ransom note and a Bitcoin payment address, mimicking the behavior of the Petya ransomware family. But this was deception. Unlike actual ransomware, NotPetya’s encryption was irreversible by design. The encryption key was randomly generated per machine and never transmitted to the attackers. There was no decryption mechanism. The ransom note was a cover story for a weapon.
NotPetya was attributed to the Russian GRU (Sandworm/Unit 74455) and is widely regarded as a destructive cyber weapon targeting Ukraine that caused massive collateral damage globally.
The malware leveraged the EternalBlue and EternalRomance exploits (leaked from the NSA by the Shadow Brokers), combined with Mimikatz-style credential harvesting and lateral movement via WMI and PsExec. Once inside a network, it spread with devastating speed.
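The lateral movement described above (PsExec-style service installs, remote execution through WMI, and one set of harvested credentials being sprayed across a flat network) leaves a recognizable shape in ordinary Windows event logs. The script below is an added illustration, not code from the original article or from any NotPetya analysis: it runs three detections over a handful of constructed log records (simplified dicts whose fields mirror Security events 4624 and 4688 and System event 7045). The service name PSEXESVC is PsExec's real default; the host names, IP address, timestamps, five-minute window and three-host threshold are all assumptions chosen for the example.

```python
"""Detect PsExec/WMI-style lateral movement in Windows event logs.

Added example for illustration only. The records in SAMPLE_EVENTS are
constructed, not real telemetry; field names are simplified versions of
the Windows Security (4624 logon, 4688 process creation) and System
(7045 service install) events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Hosts, users, IP and times are made up.
SAMPLE_EVENTS = [
    # Benign interactive logon (type 2) on a workstation
    {"ts": "2017-06-27T10:00:00", "host": "WS01", "event_id": 4624,
     "logon_type": 2, "user": "alice", "src_ip": "-"},
    # Network logons (type 3) from one source to many hosts within seconds
    {"ts": "2017-06-27T10:05:00", "host": "WS02", "event_id": 4624,
     "logon_type": 3, "user": "svc_admin", "src_ip": "10.0.0.5"},
    {"ts": "2017-06-27T10:05:10", "host": "WS03", "event_id": 4624,
     "logon_type": 3, "user": "svc_admin", "src_ip": "10.0.0.5"},
    {"ts": "2017-06-27T10:05:20", "host": "WS04", "event_id": 4624,
     "logon_type": 3, "user": "svc_admin", "src_ip": "10.0.0.5"},
    {"ts": "2017-06-27T10:05:30", "host": "SRV01", "event_id": 4624,
     "logon_type": 3, "user": "svc_admin", "src_ip": "10.0.0.5"},
    # PsExec-style service install: PSEXESVC is PsExec's default service name
    {"ts": "2017-06-27T10:05:12", "host": "WS03", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    # WMI remote execution: a process whose parent is the WMI provider host
    {"ts": "2017-06-27T10:05:22", "host": "WS04", "event_id": 4688,
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe"},
    # Benign process creation under svchost, should not be flagged
    {"ts": "2017-06-27T10:06:00", "host": "WS01", "event_id": 4688,
     "parent_image": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\notepad.exe"},
]


def psexec_service_installs(events):
    """7045 events whose service name or binary path is PsExec's default."""
    hits = []
    for e in events:
        if e.get("event_id") != 7045:
            continue
        name = e.get("service_name", "").upper()
        path = e.get("image_path", "").upper()
        if "PSEXESVC" in name or "PSEXESVC" in path:
            hits.append((e["host"], e["service_name"]))
    return hits


def wmi_spawned_processes(events):
    """4688 events whose parent is WmiPrvSE.exe: command execution via WMI."""
    return [(e["host"], e["image"]) for e in events
            if e.get("event_id") == 4688
            and e.get("parent_image", "").lower().endswith("\\wmiprvse.exe")]


def logon_fanout(events, window=timedelta(minutes=5), threshold=3):
    """One (user, source IP) pair producing network logons on >= threshold
    distinct hosts inside `window`. Credentials sprayed across a flat
    network by a worm produce this shape; a single admin rarely does.
    The window and threshold are assumed values, tune them per environment."""
    by_actor = defaultdict(list)
    for e in events:
        if e.get("event_id") == 4624 and e.get("logon_type") == 3:
            key = (e["user"], e["src_ip"])
            by_actor[key].append((datetime.fromisoformat(e["ts"]), e["host"]))
    alerts = []
    for (user, src_ip), entries in by_actor.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            hosts = {h for t, h in entries[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts.append((user, src_ip, sorted(hosts)))
                break  # one alert per actor is enough
    return alerts


def analyze(events):
    """Run all three detections and return their findings keyed by name."""
    return {
        "psexec_service": psexec_service_installs(events),
        "wmi_exec": wmi_spawned_processes(events),
        "logon_fanout": logon_fanout(events),
    }


if __name__ == "__main__":
    for name, findings in analyze(SAMPLE_EVENTS).items():
        print(name, findings)
```

None of these signals is proof of compromise on its own (administrators really do use PsExec and WMI), but the fan-out detector is the one that speaks to the segmentation lesson: on a segmented network the same credential cannot reach four hosts in thirty seconds, so the alert never fires, and on a flat one it fires within the first minute of spread.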

Global collateral damage
NotPetya was aimed at Ukraine, but supply chain interconnections turned it into a global catastrophe. Any organization with a connection to a Ukrainian subsidiary, partner, or vendor was at risk.
NotPetya demonstrated that in an interconnected world, a cyber weapon aimed at one country can cause catastrophic damage to organizations that have no involvement in the underlying conflict.
The damage reports were staggering:
- Maersk (global shipping): 49,000 laptops and 3,500 servers destroyed. The company rebuilt its entire IT infrastructure in 10 days. Cost: $300M+
- Merck (pharmaceutical): $870M in damages. Production disrupted for months.
- FedEx/TNT Express: $400M in damages. Delivery network severely impacted.
- Mondelez, Reckitt Benckiser, Saint-Gobain: Hundreds of millions in combined losses
- Total global damage: Estimated at $10 billion+
Maersk’s recovery was only possible because a single domain controller in Ghana had been offline during the attack due to a power outage, preserving one copy of their Active Directory. Without that stroke of luck, recovery would have been significantly more difficult.
Lessons from the wreckage
NotPetya forced organizations to confront scenarios they had never planned for — total infrastructure loss from a single event. Key takeaways:
- Supply chain compromise can achieve global reach through a single regional software vendor
- Destructive malware can masquerade as ransomware — paying the ransom would have accomplished nothing
- Business continuity planning must account for total infrastructure loss, not just partial outages
- Network segmentation limits blast radius — flat networks allowed NotPetya to spread unchecked
- Offline backups are critical — any backup accessible from the network is vulnerable to the same attack
Want to dig deeper? Explore the project repository for detailed analysis of NotPetya and other major supply chain incidents.