NotPetya: The Cyber Attack That Wasn’t Ransomware

On 27 June 2017, roughly six weeks after WannaCry and with many organizations still recovering from it, another cyber incident began unfolding.

At first, it looked familiar.

Computers across Ukraine suddenly rebooted and displayed a message informing users that their files had been encrypted. A ransom demand appeared, asking victims to pay $300 in Bitcoin to recover their data.

But something about this attack felt different.

Banks, airports, government offices, and power companies in Ukraine began reporting outages. Within hours, the malware had jumped borders, spreading into corporate networks across Europe, the United States, and beyond.

Major companies suddenly found their systems unusable.

Global shipping operations stopped. Pharmaceutical production halted. Corporate networks went dark.

What appeared to be another ransomware outbreak would soon be revealed as something far more destructive.

The attack would later become known as NotPetya.


Ground Zero: Ukraine

The first confirmed infections appeared on June 27, 2017, heavily concentrated in Ukraine. Government ministries, banks, the Kyiv Metro, and even radiation monitoring systems at the Chernobyl nuclear site were affected.

Investigators quickly identified the likely starting point: a compromise of M.E.Doc, a Ukrainian tax and accounting package used by a large share of the businesses operating in the country, including the local offices of foreign companies.

Attackers had infiltrated the software's update mechanism. Instead of delivering a legitimate update, the vendor's own update server pushed a trojanized one, so the malicious code arrived through exactly the channel customers already trusted and was auto-installed on thousands of machines.

This method is known as a supply chain attack: rather than breaking into each victim separately, attackers compromise a trusted software vendor or service and let its distribution system carry the payload to every customer at once. The lesson for any update client is that trusting the delivery channel is not enough; updates need to be signed with a key an attacker cannot obtain by controlling the server, and the signature must be checked before installation.

And in this case, it worked.

Within hours, the malware began spreading far beyond Ukraine.


How the Malware Spread

NotPetya was designed to move quickly.

Once inside a network, it spread using several techniques in parallel. One was EternalBlue, the same leaked NSA exploit WannaCry had used just weeks earlier, alongside the related EternalRomance exploit.

EternalBlue exploits a flaw in Microsoft's SMBv1 implementation (the Server Message Block file-sharing protocol), fixed by the MS17-010 update in March 2017. Against an unpatched host reachable on TCP port 445 it yields remote code execution with no credentials at all, which turned every unpatched Windows machine on the network into the next foothold.

But NotPetya didn't stop there.

It also harvested credentials from memory with a Mimikatz-style module and then used legitimate administration tools, PsExec and Windows Management Instrumentation (WMI, via wmic.exe), to run itself on any other machine where those credentials were accepted. That path exploits no vulnerability, so fully patched machines fell as well: one infected workstation with a domain administrator logged in was enough to reach every system in the domain.

This meant that once a single computer was infected, the malware could rapidly spread through an organization’s entire infrastructure.

The effect was devastating.

Entire corporate networks could collapse in minutes.
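As an added illustration (not part of the original article, and not the malware's code), here is a small detector for the two credential-based techniques described above, run over a handful of constructed Windows event records. PsExec registers a service on the target machine (System log event 7045, default service name PSEXESVC), and WMI-based execution shows up on the source machine as wmic.exe invoked with /node: and "process call create" (Security log event 4688, which only carries the command line when command-line auditing is enabled). The record field names and the fan-out threshold are assumptions about a normalized log format, not a vendor schema.

```python
"""Detector for PsExec- and WMI-based lateral movement in Windows event records.

Added example for this article; it is not the article's own code and not
anything taken from the malware. Record field names (event_id, host, image,
command_line, service_name, image_path) are assumptions about a normalised
log format, not a vendor schema.
"""
import re
from collections import defaultdict

# wmic.exe run against another machine: "/node:<host>" plus "process call create".
WMIC_REMOTE = re.compile(r'/node:\s*"?([\w.\-]+)"?.*process\s+call\s+create',
                         re.IGNORECASE)


def is_psexec_service_install(ev):
    """System log event 7045: a new service was installed.

    PsExec copies its service binary to ADMIN$ on the target and registers it
    as a service named PSEXESVC by default. The -r switch renames it, so a
    miss here does not prove PsExec was absent.
    """
    if ev.get("event_id") != 7045:
        return False
    name = ev.get("service_name", "").upper()
    path = ev.get("image_path", "").upper()
    return name.startswith("PSEXESVC") or path.endswith("PSEXESVC.EXE")


def wmic_remote_target(ev):
    """Security log event 4688 (with command-line auditing enabled).

    Returns the host named by /node: when wmic.exe is used to start a process
    on another machine, or None for local or non-matching invocations.
    """
    if ev.get("event_id") != 4688:
        return None
    if not ev.get("image", "").lower().endswith("wmic.exe"):
        return None
    match = WMIC_REMOTE.search(ev.get("command_line", ""))
    return match.group(1) if match else None


def scan(events, fan_out_threshold=3):
    """Return one alert per suspicious record, plus a fan-out alert for any
    source host that reached at least fan_out_threshold distinct targets."""
    alerts = []
    targets_by_source = defaultdict(set)
    for ev in events:
        if is_psexec_service_install(ev):
            alerts.append({"technique": "psexec_service_install",
                           "host": ev["host"], "detail": ev.get("service_name")})
        target = wmic_remote_target(ev)
        if target is not None:
            alerts.append({"technique": "wmic_remote_exec",
                           "host": ev["host"], "detail": target})
            targets_by_source[ev["host"]].add(target)
    for source, targets in targets_by_source.items():
        if len(targets) >= fan_out_threshold:
            alerts.append({"technique": "lateral_fan_out",
                           "host": source, "detail": sorted(targets)})
    return alerts


WMIC = r"C:\Windows\System32\wbem\WMIC.exe"

# Constructed sample records for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-017", "event_id": 4688, "image": WMIC,
     "command_line": "wmic os get caption"},                     # benign, local
    {"host": "WS-017", "event_id": 4688, "image": WMIC,
     "command_line": r'wmic.exe /node:"10.0.5.12" /user:"CORP\svc_backup" '
                     r'process call create "C:\Windows\Temp\payload.exe"'},
    {"host": "WS-017", "event_id": 4688, "image": WMIC,
     "command_line": r'wmic.exe /node:"10.0.5.13" /user:"CORP\svc_backup" '
                     r'process call create "C:\Windows\Temp\payload.exe"'},
    {"host": "WS-017", "event_id": 4688, "image": WMIC,
     "command_line": r'wmic.exe /node:"10.0.5.21" /user:"CORP\svc_backup" '
                     r'process call create "C:\Windows\Temp\payload.exe"'},
    {"host": "WS-022", "event_id": 4688, "image": WMIC,
     "command_line": "wmic /node:localhost os get caption"},     # benign: /node but no exec
    {"host": "SRV-FIN-01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "SRV-FIN-02", "event_id": 7045, "service_name": "VendorUpdaterSvc",
     "image_path": r"C:\Program Files\Vendor\updater.exe"},      # benign install
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Two caveats worth keeping in mind. Both rules depend on the attacker using the tools' defaults (PsExec -r renames the service; a custom WMI client never touches wmic.exe), so the fan-out rule, which keys on behaviour rather than tool names, is the more durable of the three. And none of this sees the EternalBlue path, which needs SMB-level telemetry or, better, confirmation that MS17-010 is installed and SMBv1 disabled.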


The Ransom That Was Never Meant to Be Paid

Like traditional ransomware, NotPetya displayed a message demanding payment for a decryption key.

But cybersecurity researchers soon noticed something strange.

The "personal installation key" the ransom note told victims to send to the attackers was random data, not an encrypted copy of the key that had been used on that machine. Even the attackers could not derive a decryption key from it.

The single email address given for payment verification was shut down by its provider within hours of the outbreak, leaving victims with no way to contact the attackers even if they did pay.

More importantly, analysis showed what the malware actually did to the disk. Where it had obtained administrator rights, it overwrote the master boot record with its own boot code and, after forcing a reboot, encrypted the master file table, the index that tells the file system where every file lives; without those rights it fell back to encrypting individual files.

Even if victims paid the ransom, their files could not be restored.

NotPetya wasn’t ransomware at all.

It was wiper malware—designed to destroy systems rather than generate profit.
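The master boot record that NotPetya overwrote is the first 512 bytes of the disk: 440 bytes of boot code, a 4-byte disk signature, four 16-byte partition entries and the 0x55AA marker. A replaced MBR is still a structurally valid one, so a forensic check cannot rely on the marker or even on the partition table; it has to compare the boot-code bytes against a baseline captured while the machine was healthy. The following Python is an added example of such a check (not code from the article or from any vendor tool) using constructed sample sectors; in practice the sector would be read from a disk image.

```python
"""Baseline check for a disk's first sector (the MBR).

Added example for this article, not the article's own code. It parses the
512-byte sector layout (boot code, disk signature, four partition entries,
0x55AA marker) and compares a freshly imaged sector against a baseline
taken when the machine was known-good. The sample sectors below are
constructed for the example; the "clean" boot bytes are a short stand-in,
not a complete bootloader.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: boot code
DISK_SIG_OFF = 440           # bytes 440..443: Windows disk signature
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector):
    """Return boot-code hash, disk signature and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sector_count = struct.unpack_from("<II", sector, off + 8)
        if ptype == 0 and lba_start == 0 and sector_count == 0:
            continue  # unused entry
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sector_count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def check_against_baseline(sector, baseline):
    """Compare a current MBR with a parse_mbr() result captured earlier.

    A replaced bootloader is still a structurally valid MBR: it keeps the
    0x55AA marker and usually the partition table, so only the boot-code
    hash gives it away. Returns a list of findings (empty when unchanged).
    """
    current = parse_mbr(sector)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code replaced")
    if current["disk_signature"] != baseline["disk_signature"]:
        findings.append("disk signature changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sector(boot_code, partitions, disk_signature=0x1234ABCD):
    """Assemble a constructed MBR for the example (not a bootable image)."""
    sec = bytearray(SECTOR_SIZE)
    sec[:BOOT_CODE_LEN] = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    struct.pack_into("<I", sec, DISK_SIG_OFF, disk_signature)
    for i, (bootable, ptype, lba_start, sector_count) in enumerate(partitions):
        off = PARTITION_TABLE_OFF + 16 * i
        sec[off] = 0x80 if bootable else 0x00
        sec[off + 4] = ptype
        struct.pack_into("<II", sec, off + 8, lba_start, sector_count)
    sec[510:512] = MBR_SIGNATURE
    return bytes(sec)


# Constructed sample data: two NTFS partitions (type 0x07), the first bootable.
SAMPLE_PARTITIONS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 41943040)]
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4")
TAMPERED_BOOT_CODE = b"\xfa\x31\xc0" + b"constructed replacement boot code"

if __name__ == "__main__":
    clean = build_sector(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
    baseline = parse_mbr(clean)                        # taken while known-good
    tampered = build_sector(TAMPERED_BOOT_CODE, SAMPLE_PARTITIONS)
    print(check_against_baseline(clean, baseline))     # []
    print(check_against_baseline(tampered, baseline))  # ['boot code replaced']
```

The tampered sector parses without error and reports the same two partitions as the clean one; only the hash comparison flags it. That is the point of baselining: a wiper that installs its own boot code has no reason to break the structure of the sector, so structural validation alone will pass it.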


Global Damage

While Ukraine was the primary target, the attack quickly spread across international networks.

Some of the most notable victims included:

  • Maersk, the world’s largest container shipping company
  • Merck, the pharmaceutical giant
  • FedEx subsidiary TNT Express
  • Saint-Gobain, a major manufacturing company
  • Mondelez International, the food manufacturer

For companies like Maersk, the damage was enormous.

The attack took down approximately 45,000 workstations and 4,000 servers, which Maersk had to reinstall from scratch over roughly ten days.

Maersk alone reportedly lost around $300 million due to the disruption.

Across all affected organizations, the estimated global cost of the attack reached more than $10 billion, making it one of the most destructive cyber attacks ever recorded.


Who Was Responsible?

Attribution in cyber warfare is rarely straightforward.

However, in February 2018 the United States, the United Kingdom and several allied governments publicly attributed the attack to the Russian military. The group responsible is tracked by security researchers as Sandworm and is now identified as Unit 74455 of the GRU, Russia’s military intelligence agency.

The attack was likely intended to disrupt Ukrainian infrastructure amid ongoing geopolitical tensions between Russia and Ukraine.

But once released, the malware spread far beyond its intended targets.

Companies around the world became collateral damage.


Lessons from NotPetya

The NotPetya attack changed how governments and businesses think about cybersecurity.

Several key lessons emerged.

1. Supply chain attacks are extremely powerful

Compromising trusted software can allow attackers to reach thousands of victims at once.

This method has since been used in several other major cyber incidents.

2. Cyber weapons can escape their intended targets

NotPetya was likely designed to target Ukraine, yet its damage spread globally.

In a connected digital world, cyber weapons rarely stay contained.

3. Ransomware isn’t always about money

NotPetya showed that malware can disguise itself as ransomware while actually serving a geopolitical purpose.

4. Resilience matters as much as prevention

Organizations with offline backups and rehearsed rebuild procedures recovered faster; those whose backups sat on the same domain lost them along with everything else and faced catastrophic disruption. Maersk, for example, got its Active Directory back only because one domain controller in its Ghana office had been offline during the outbreak (see the Wired account below).


A New Era of Cyber Conflict

The NotPetya attack blurred the line between cybercrime and cyber warfare.

It demonstrated that a piece of malicious code could cause billions of dollars in damage, disrupt global supply chains, and impact companies that had nothing to do with the original target.

Perhaps most importantly, it showed that cyber conflict no longer stays within national borders.

In the digital world, a cyber weapon released in one country can ripple across the entire global economy.

And once it’s out there, there may be no way to call it back.


Sources & Further Reading

  1. Wikipedia – 2017 Ukraine ransomware attacks
    https://en.wikipedia.org/wiki/2017_Ukraine_ransomware_attacks
  2. Wikipedia – Petya malware family and NotPetya impact
    https://en.wikipedia.org/wiki/Petya_(malware_family)
  3. LRQA – NotPetya attack overview
    https://www.lrqa.com/en/insights/articles/notpetya-ransomware-attack-on-maersk-key-learnings/
  4. CyberRanges – Global damage estimates
    https://cyberranges.com/how-did-notpetya-cost-businesses-over-10-billion-in-damages/
  5. Wired – The Untold Story of NotPetya
    https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world
  6. Secureworks – NotPetya campaign analysis
    https://www.secureworks.com/blog/notpetya-campaign-what-we-know-about-the-latest-global-ransomware-attack
