NotPetya: The Most Devastating Cyberattack
By Tibor Moes / Updated: September 2024
NotPetya
On June 27, 2017, at exactly 5:00 PM, Ukraine was plunged into chaos. ATMs stopped working, subway card readers went offline, and the digital backbone of the country—its banks, businesses, and government systems—collapsed.
The cause? A mysterious malware that infected computers, locking up their data and demanding 275 euros in Bitcoin to set it free.
But what began as a targeted strike on Ukraine spiraled into a global catastrophe.
This is the story of the most devastating cyberattack in history.
This is … NotPetya.
How it started
In the industrial zone of Kiev, hidden away in a small family-run software company called Linkos Group, a modest server room quietly managed routine updates for M.E.Doc, Ukraine’s leading tax and accounting software, similar to TurboTax. But the day before Ukraine’s Constitution Day, something went terribly wrong.
Oleksii Yasinsky, head of the cyber lab at Information Systems Security Partners, received a frantic call from Oschadbank, one of Ukraine’s largest banks. Their IT systems were under attack. At first, it seemed like typical ransomware, but when Yasinsky arrived, he found something far worse. Ninety percent of the bank’s computers were frozen with a chilling ransom message.
As similar reports flooded in from across Ukraine, the situation became dire. Businesses, government agencies, and critical infrastructure were all hit. People worried about their money, their jobs, and their daily needs.
But the chaos didn’t stop at Ukraine’s borders. In Odessa, a finance executive at Maersk, the world’s largest shipping company, unknowingly triggered a global catastrophe by installing M.E.Doc on a single computer. That one act allowed NotPetya to infiltrate Maersk’s entire IT infrastructure, bringing 574 offices in 130 countries to their knees. Ships were stranded, ports were paralyzed, and billions of dollars in global trade were thrown into chaos.
But how did this malware create such havoc? The answer is chilling: it wasn’t ransomware at all. It was something far more sinister.
What is NotPetya?
The name might sound familiar because it resembles Petya, a ransomware that surfaced in early 2016, demanding payment to unlock victims’ files. But NotPetya was different—much more dangerous.
Disguised as ransomware, NotPetya was actually a destructive worm, a type of malware that spreads on its own, infecting more systems as it goes. It didn’t just stay in Ukraine; it spread worldwide, hitting places like hospitals in Pennsylvania and even a chocolate factory in Tasmania.
The attack had three malicious components:
1. Infiltration with Mimikatz
Picture a burglar sneaking into an office and going through desks to find keys. That’s what Mimikatz did for NotPetya. After getting into a computer—thanks to the compromised M.E.Doc update—Mimikatz searched for usernames and passwords. In networks where computers were connected, it could find credentials that unlocked access to other machines. With these digital “keys,” NotPetya spread within networks, infecting multiple systems.
2. Spread with EternalBlue
To hit as many targets as possible, NotPetya used a weapon called EternalBlue. Originally developed by the NSA, this tool exploited a hidden flaw in Windows computers—a kind of master key that opened countless doors. Although Microsoft had released a patch for this vulnerability in April 2017, many users hadn’t updated their systems. NotPetya exploited this, using EternalBlue to break into unpatched machines, spreading the worm at an alarming speed.
3. Destruction with Petya Encryption
Once NotPetya infiltrated and spread, it revealed its most destructive feature: the Petya encryption component. Imagine a vandal entering a library and scrambling all the books so they’re unreadable. NotPetya did something similar, encrypting the entire hard drive of infected computers, making all the data useless. After a reboot, victims saw a ransom note demanding Bitcoin to restore their files.
But here’s the catch: paying the ransom didn’t help. Unlike traditional ransomware, where paying might get your data back, NotPetya had no decryption key. Even if you paid the $300 in Bitcoin, your files were gone for good. It wasn’t designed to make money; it was designed to destroy.
Who was behind the attack?
But why did this happen at all? Who benefits from pure destruction?
NotPetya is the result of a war. In 2014, Russia illegally annexed Crimea, a Ukrainian peninsula, as part of its territory. Shortly afterward, a conflict broke out in eastern Ukraine, involving Russian-backed separatists. This conflict, which escalated dramatically in 2022 with Russia’s full-scale invasion, has resulted in tens of thousands of deaths and displaced millions. Since 2014, Ukraine has become a testing ground for Russian cyber warfare.
Nine months after NotPetya’s initial strike, the White House issued a stark statement: NotPetya was the work of the Russian military, specifically designed to cripple Ukraine. The attack wasn’t just about money or data—it was an act of war. Intelligence agencies from the US, UK, Canada, Australia, and New Zealand, known as the Five Eyes, all pointed the finger at Russia.
But who exactly launched this attack? The blame falls on a notorious hacking group known as Sandworm, linked to Russia’s military intelligence agency, the GRU. While another Kremlin-linked group, Fancy Bear, was hacking the US Democratic National Committee in 2016, Sandworm was unleashing chaos in Ukraine. They infiltrated dozens of Ukrainian organizations, from media outlets to railway companies, planting destructive logic bombs.
Their attacks followed a chilling pattern. In the winters of 2015 and 2016, Sandworm caused widespread power outages in Ukraine—the first-ever confirmed blackouts caused by hackers.
Who was targeted?
While Ukraine was NotPetya’s primary target, its impact went far beyond the country’s borders. Any multinational company with M.E.Doc installed was hit hard. Major corporations like Maersk, pharmaceutical giant Merck, FedEx’s European branch TNT Express, French construction firm Saint-Gobain, food producer Mondelēz, and manufacturer Reckitt Benckiser all suffered huge losses, with each company’s damages running to hundreds of millions of dollars.
Surprisingly, NotPetya even hit targets within Russia. Companies like the state oil firm Rosneft, steelmaker EVRAZ, and medical tech firm In Vitro were all affected, proving that this digital weapon didn’t discriminate.
What were the impacts?
So, how big was the damage, really?
In February 2018, the U.S. government called NotPetya “the most destructive and costly cyber-attack in history.” And for good reason. The attack hit over 2,300 organizations across more than 100 countries, with estimated losses of $10 billion. Tom Bossert, a former White House Homeland Security adviser, compared it to “using a nuclear bomb to achieve a small tactical victory.”
In Ukraine, the epicenter of the attack, NotPetya unleashed chaos on a national scale. In Kiev alone, four hospitals were impacted, and six power companies were affected. ATMs went dark, card payment systems failed, and the country’s transportation network ground to a halt. To sum it up, as Ukrainian former Minister of Infrastructure Volodymyr Omelyan bluntly stated: “The government was dead.”
The scale of the damage was staggering. According to the Information Systems Security Partners (ISSP), at least 300 companies were hit, and a senior Ukrainian official estimated that 10 percent of all computers in the country were wiped. Even the computers at the Chernobyl cleanup site, 60 miles north of Kiev, were shut down.
The attack was swift and brutal. A large Ukrainian bank’s network was taken down in just 45 seconds, and part of the country’s transit hub was fully infected in 16 seconds.
Current Developments
Since NotPetya, Russian cyber tactics have evolved, especially after the 2022 invasion of Ukraine. The GRU, Russia’s military intelligence agency, has shifted its focus from phishing to targeting “edge” devices like firewalls and routers. This new approach allows for faster and more persistent attacks. They’ve also integrated cyber and physical warfare, with coordinated cyberattacks and missile strikes causing blackouts in Ukrainian cities.
Russia’s cyberattacks have increasingly targeted civilian infrastructure, such as the 2024 attack that disabled heating in Lviv during winter. Meanwhile, Ukraine has intensified its cyber offensives, striking Russian banks, internet providers, and government sites to disrupt military logistics and gather intelligence.
So, what did NotPetya teach us?
NotPetya was a wake-up call. It showed us that malware knows no borders, spreading chaos globally in a heartbeat.
Companies like Maersk learned the hard way that networks must be properly segmented, so that one infected workstation cannot reach every server in the company.
The attack also showed the dangers of running outdated software and leaving systems unpatched.
Most importantly, it made clear that having strong backup plans is crucial to keep things running during a disaster. By sheer luck, one of Maersk’s backups in Ghana survived because the region experienced a power outage during the attack. Using this surviving domain controller, Maersk was able to rebuild its infrastructure.
But luck is not a strategy.
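To make the three-component mechanism described earlier and the segmentation and patching lessons concrete, here is a toy propagation model (an added example, not code from the article and not derived from any real NotPetya sample). The host names, network segments and credential labels are constructed for illustration; the model assumes a hop needs SMB reachability within a segment plus either an unpatched target or a reused administrator credential.

```python
"""Toy model of the two NotPetya lateral-movement paths: an unpatched SMB
service (the EternalBlue path) or a harvested administrator credential that
is also valid on the neighbour (the Mimikatz credential-reuse path).
Everything here is constructed for illustration; it is not the malware."""
from collections import deque


def build_inventory(segmented):
    """Constructed five-host inventory. segmented=False puts every host on one
    flat network; segmented=True separates finance, operations and an
    isolated backup domain controller (the 'surviving backup' lesson)."""
    seg = (lambda s: s) if segmented else (lambda s: "flat")
    return {
        "medoc-ws":  {"segment": seg("finance"),  "patched": True,  "creds": {"fin-local"}},
        "fin-srv":   {"segment": seg("finance"),  "patched": False, "creds": {"domain-admin"}},
        "dc01":      {"segment": seg("ops"),      "patched": True,  "creds": {"domain-admin"}},
        "ops-hmi":   {"segment": seg("ops"),      "patched": True,  "creds": {"domain-admin", "ops-admin"}},
        "backup-dc": {"segment": seg("isolated"), "patched": True,  "creds": {"domain-admin"}},
    }


def simulate_spread(hosts, patient_zero):
    """Breadth-first worm propagation. patient_zero is compromised through the
    poisoned software update regardless of patch state; every later hop needs
    SMB reachability (same segment) plus either an unpatched target or a
    credential harvested from an already-infected host that is valid there."""
    infected = {patient_zero}
    harvested = set(hosts[patient_zero]["creds"])
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        for name, host in hosts.items():
            if name in infected or host["segment"] != hosts[src]["segment"]:
                continue  # already hit, or segmentation blocks SMB between segments
            exploit_path = not host["patched"]                 # unpatched SMB host
            credential_path = bool(harvested & host["creds"])  # reused admin credential
            if exploit_path or credential_path:
                infected.add(name)
                harvested |= host["creds"]  # each new foothold yields more credentials
                queue.append(name)
    return infected


if __name__ == "__main__":
    for layout in (False, True):
        hit = simulate_spread(build_inventory(segmented=layout), "medoc-ws")
        print(f"segmented={layout}: {len(hit)}/5 hosts wiped -> {sorted(hit)}")
```

Running the flat layout wipes all five hosts, including the backup domain controller, while the segmented layout stops the worm at the two finance hosts; patching `fin-srv` in the flat layout confines it to the initial workstation because no other host shares its credential.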
Conclusion
NotPetya was a turning point in the history of cyber warfare. What started as a targeted strike on Ukraine quickly became a global catastrophe, affecting thousands of companies and causing billions in damages. It exposed the vulnerabilities of our interconnected world and the destructive power of state-sponsored cyberattacks.
The attack was a harsh lesson: in today’s digital age, no one is safe from the reach of cyber warfare. As cyber threats continue to evolve, vigilance, preparation, and international cooperation are more critical than ever.
And the question now is: Are we ready for the next one?
Author: Tibor Moes
Founder & Chief Editor at SoftwareLab
Tibor has tested 28 antivirus programs and 25 VPN services, and holds a Cybersecurity Graduate Certificate from Stanford University.
He uses Norton to protect his devices, NordVPN for his privacy, and Proton for his passwords and email.