Cyberwarfare

NotPetya: The Fake Ransomware That Became the Costliest Cyberattack in History

In June 2017, what appeared to be a ransomware attack turned out to be something far worse: a destructive cyberweapon that caused over $10 billion in damages and proved that digital attacks can cripple the physical world.


Securiu Team

Security Research

June 27, 2017 · 12 min read

On June 27, 2017, employees at companies around the world watched their computers suddenly display a ransom message. Pay $300 in Bitcoin, the message said, and your files would be decrypted. It looked like another ransomware outbreak, coming just a month after WannaCry had made global headlines.

But something was different this time. People who paid the ransom didn't get their files back. There was no way to get their files back. What looked like ransomware was actually something far more sinister: a weapon designed purely for destruction.

NotPetya would become the most costly cyberattack in history, causing over $10 billion in damages. It crippled shipping giant Maersk, pharmaceutical company Merck, food conglomerate Mondelez, and delivery company FedEx. It shut down ports, factories, and hospitals. And it all started in Ukraine.

The Attack Vector

NotPetya spread through a supply chain attack—one of the most insidious forms of cyber intrusion. The attackers didn't try to break into targets directly. Instead, they compromised M.E.Doc, Ukrainian accounting software used by businesses to file taxes. M.E.Doc was so widely used in Ukraine that it was practically required software for doing business there.

The attackers hacked M.E.Doc's update servers and inserted malicious code into a routine software update. When companies updated their accounting software—a normal, recommended security practice—they unwittingly installed NotPetya on their networks.

This is what makes supply chain attacks so devastating: they turn trusted software into a weapon. Users weren't clicking suspicious links or opening malicious attachments. They were following best practices by keeping their software updated. And that's precisely what infected them.

Spreading Like Wildfire

Once inside a network, NotPetya spread with terrifying speed. It used multiple propagation methods:

  • EternalBlue: The same NSA-developed exploit that WannaCry had used just a month earlier. Microsoft had released a patch, but many systems remained vulnerable.
  • Credential theft: NotPetya used a tool called Mimikatz to steal passwords from computer memory, then used those credentials to access other machines on the network.
  • Legitimate admin tools: The malware used Windows' own administrative tools (PsExec and WMIC) to spread—tools that security software often trusts.

This multi-pronged approach meant that NotPetya could spread even on networks where some machines were patched. If it could compromise one unpatched machine or steal one set of credentials, it could potentially reach the rest of the network.
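The three propagation methods above each leave a footprint in ordinary Windows telemetry. The script below is an added example (not code from the article or from any vendor) that runs simple detection rules over constructed, Sysmon-style event records: a WMIC launch with a remote `/node:` target and `process call create`, a 7045 service install matching the PsExec service stub, and a non-allowlisted process opening `lsass.exe` with read access, which is what memory credential theft looks like. Hostnames, paths, the IP address and the allowlist are all made up for the example.

```python
import re
from dataclasses import dataclass

# PROCESS_VM_READ: the access right a tool needs to read lsass memory.
PROCESS_VM_READ = 0x0010

# Processes that routinely open lsass on a Windows host; anything else gets flagged.
# Constructed allowlist for the example; tune it to your own baseline.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

REMOTE_NODE = re.compile(r"/node:", re.IGNORECASE)
PROCESS_CREATE = re.compile(r"process\s+call\s+create", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def check_wmic_remote_exec(ev):
    """Sysmon event 1: wmic.exe launched with a remote /node: target and 'process call create'."""
    if ev.get("event_id") != 1:
        return None
    image = ev.get("image", "").lower()
    cmd = ev.get("command_line", "")
    if image.endswith("\\wmic.exe") and REMOTE_NODE.search(cmd) and PROCESS_CREATE.search(cmd):
        return Finding(ev["host"], "wmic_remote_process_create", cmd)
    return None


def check_psexec_service(ev):
    """System event 7045: a new service whose name or binary matches the PsExec service stub."""
    if ev.get("event_id") != 7045:
        return None
    name = ev.get("service_name", "").lower()
    path = ev.get("image_path", "").lower()
    if name.startswith("psexesvc") or "psexesvc" in path:
        return Finding(ev["host"], "psexec_service_install", f"{name} -> {path}")
    return None


def check_lsass_access(ev):
    """Sysmon event 10: a non-allowlisted process opened lsass.exe with read access."""
    if ev.get("event_id") != 10:
        return None
    target = ev.get("target_image", "").lower()
    source = ev.get("source_image", "").lower()
    if not target.endswith("\\lsass.exe") or source in LSASS_ALLOWLIST:
        return None
    granted = int(ev.get("granted_access", "0x0"), 16)
    if granted & PROCESS_VM_READ:
        return Finding(ev["host"], "lsass_memory_read", f"{source} granted {hex(granted)}")
    return None


CHECKS = (check_wmic_remote_exec, check_psexec_service, check_lsass_access)


def detect(events):
    """Run every check over every event; return findings in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample telemetry (not real logs): three suspicious events, three benign.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": 'wmic /node:"10.0.5.17" process call create "C:\\Users\\Public\\stage.exe"'},
    {"host": "ws01", "event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"host": "srv02", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"C:\Windows\PSEXESVC.exe"},
    {"host": "srv02", "event_id": 7045, "service_name": "BackupAgent",
     "image_path": r"C:\Program Files\BackupVendor\agent.exe"},
    {"host": "ws03", "event_id": 10, "source_image": r"C:\Users\Public\tool.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"host": "ws03", "event_id": 10, "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule} ({f.detail})")
```

None of these rules is exotic; the point is that "legitimate admin tools" still produce distinctive events, and a worm that uses them at machine speed will fire these alerts on many hosts within minutes, which is itself a strong signal.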

Within two hours, NotPetya had infected organizations on six continents.

The Destruction

The victims weren't just Ukrainian companies. Any global organization with a presence in Ukraine—and that included many of the world's largest corporations—was at risk.

Maersk: The Danish shipping giant—responsible for nearly 20% of global shipping capacity—was devastated. All 130 offices went offline simultaneously. The company couldn't book shipments. Ships couldn't unload because port systems were down. Maersk ultimately had to reinstall 4,000 servers and 45,000 PCs. They only survived because one domain controller in Ghana happened to be offline during the attack, preserving a clean copy of their Active Directory. Estimated cost: $300+ million.

Merck: The pharmaceutical giant saw production facilities shut down across the globe. Their losses exceeded $870 million—including $400 million in sales of their HPV vaccine Gardasil that couldn't be produced. The US had to borrow from the EU's emergency supply.

FedEx/TNT: The shipping company's European subsidiary TNT Express was hit hard. Losses exceeded $400 million, and the company had to essentially rebuild its IT infrastructure from scratch.

Mondelez: The food company behind Cadbury, Oreo, and Nabisco reported $100+ million in losses. Production facilities worldwide went offline.

Ukraine: The primary target suffered most. Banks, power companies, government agencies, airports, metro systems—critical infrastructure across the country was crippled.

Not Really Ransomware

The ransom message was a lie. NotPetya encrypted files and displayed a Bitcoin address, but:

  • The decryption was broken by design. The malware generated random encryption keys but didn't properly save them. Even if you paid, there was no way to recover the keys needed to decrypt your files.
  • The email address was immediately shut down. The contact email for "customer service" was blocked within hours, making communication with the attackers impossible.
  • Only one Bitcoin wallet was used. Real ransomware operations use unique wallets for each victim to track payments. NotPetya used a single wallet, making it impossible to know who had paid.

The ransomware facade was just cover. NotPetya was a wiper—malware designed to destroy data permanently. The ransom message gave victims false hope and bought the attackers time while organizations tried to figure out what was happening.

State-Sponsored Attack

In February 2018, the US, UK, Australia, and other nations formally attributed NotPetya to Russia's military intelligence agency, the GRU. The attack was part of Russia's ongoing cyber campaign against Ukraine, which had been escalating since 2014.

This attribution matters because it reveals NotPetya's true purpose. This wasn't cybercrime—criminals want money, and NotPetya's broken decryption meant no one was getting paid. It was cyberwarfare, designed to cause maximum disruption to Ukraine and, as collateral damage, to global companies doing business there.

The multinational corporations that suffered billions in losses were caught in the crossfire of a geopolitical conflict. Their presence in Ukraine made them targets, whether or not they were the intended victims.

The Lessons

NotPetya taught the world several painful lessons about cybersecurity:

Patch or Perish

NotPetya used EternalBlue, the same vulnerability that WannaCry had exploited one month earlier. Microsoft had released a patch months before. Organizations that hadn't patched were vulnerable to both attacks.

If your systems are unpatched against a known, actively exploited vulnerability, you're gambling with your business.

Online Backups Aren't Enough

Many organizations had backups. But those backups were on network-attached storage that NotPetya encrypted too. Cloud backups connected to the network were also compromised. Only offline, air-gapped backups survived.

The 3-2-1 backup rule—three copies, two different media types, one offsite—needs an addition: at least one copy should be completely offline, disconnected from any network.
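To make the "offline copy" addition concrete, here is an added example (not from the article) that scores a backup layout against 3-2-1 plus the offline requirement, and then asks the only question that mattered in June 2017: which copies survive a worm that encrypts everything it can reach over the network? The two layouts are constructed; the "before" one mirrors the setup the article describes, where every copy was network-attached.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str               # "disk", "tape", "object-storage", ...
    offsite: bool            # stored at a different location than production
    network_reachable: bool  # writable from the production network right now


def evaluate_policy(copies):
    """Return the names of the rules (3-2-1 plus one offline copy) that this layout fails.

    The production copy counts as one of the three, as in the classic 3-2-1 rule.
    """
    failures = []
    if len(copies) < 3:
        failures.append("three_copies")
    if len({c.media for c in copies}) < 2:
        failures.append("two_media_types")
    if not any(c.offsite for c in copies):
        failures.append("one_offsite")
    if not any(not c.network_reachable for c in copies):
        failures.append("one_offline")
    return failures


def survivors_after_wiper(copies):
    """Copies left intact by a worm that encrypts everything it can reach over the network."""
    return [c.name for c in copies if not c.network_reachable]


# Constructed layouts. BEFORE is the kind of setup the article describes: every copy
# was reachable from the network, so the worm encrypted the backups along with production.
BEFORE = [
    BackupCopy("production", "disk", offsite=False, network_reachable=True),
    BackupCopy("nas-replica", "disk", offsite=False, network_reachable=True),
    BackupCopy("cloud-sync", "object-storage", offsite=True, network_reachable=True),
]

# Same layout plus one tape copy that is physically disconnected between backup runs.
AFTER = BEFORE + [
    BackupCopy("weekly-tape", "tape", offsite=True, network_reachable=False),
]

if __name__ == "__main__":
    for label, layout in (("before", BEFORE), ("after", AFTER)):
        print(label, "fails:", evaluate_policy(layout) or "none",
              "| survives wiper:", survivors_after_wiper(layout) or "nothing")
```

Note that the "before" layout passes classic 3-2-1 on paper (three copies, two media, one offsite) and still loses everything; only the offline flag separates the two outcomes.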

Supply Chain Attacks Are Deadly

The attack came through trusted software doing a trusted operation (updating itself). Traditional security advice—don't click suspicious links, don't open unknown attachments—doesn't help when the threat comes from software you're supposed to trust.

Organizations need to think carefully about their software dependencies and the security practices of their vendors.

Network Segmentation Saves You

Once inside, NotPetya spread laterally across networks. Organizations with proper network segmentation—where different parts of the network are isolated from each other—contained the damage. Those without segmentation watched the infection spread everywhere.
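Segmentation can be reasoned about before an incident. The following added example (not from the article) models a network as zones and allowed flows, then computes the blast radius of a worm that spreads over SMB (port 445, which is what the EternalBlue and PsExec paths in this story rely on) starting from the zone where the accounting software runs. The zone names, host counts and rules are constructed; the model deliberately ignores other paths such as WMI over DCOM, so treat the numbers as a lower bound.

```python
from collections import deque

# Constructed zone sizes (hosts per zone); not figures from the article.
HOSTS_PER_ZONE = {
    "finance-ws": 40,   # workstations running the accounting software
    "corp-ws": 500,
    "servers": 60,
    "dc": 4,
    "ot-plant": 120,
}

# A flat network: every zone may reach every other zone on every port.
FLAT_RULES = {(src, dst, "any") for src in HOSTS_PER_ZONE for dst in HOSTS_PER_ZONE}

# A segmented network: only the flows the business needs, on the ports it needs.
SEGMENTED_RULES = {
    ("finance-ws", "servers", 445),
    ("corp-ws", "servers", 445),
    ("corp-ws", "dc", 445),
    ("servers", "dc", 445),
    ("servers", "ot-plant", 502),  # Modbus from a historian, not SMB
}


def reachable_zones(rules, start, port=445):
    """Zones a worm can reach from `start` when it spreads only over `port`."""
    adjacency = {}
    for src, dst, rule_port in rules:
        if rule_port in (port, "any"):
            adjacency.setdefault(src, set()).add(dst)
    seen = {start}
    queue = deque([start])
    while queue:  # breadth-first search over allowed flows
        zone = queue.popleft()
        for nxt in adjacency.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(rules, start, hosts_per_zone=HOSTS_PER_ZONE, port=445):
    """Number of hosts exposed to a worm that starts in `start`."""
    return sum(hosts_per_zone[z] for z in reachable_zones(rules, start, port))


if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        zones = sorted(reachable_zones(rules, "finance-ws"))
        print(f"{label}: {blast_radius(rules, 'finance-ws')} hosts across {zones}")
```

In the flat layout every one of the 724 hosts is exposed; in the segmented layout the same initial infection reaches 104. The domain controllers still show up in the reachable set, which is the reminder that segmentation limits a worm's spread but does not on its own protect the credentials stored where it can reach.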

Geopolitical Risk Is Cyber Risk

If you do business in or with a country involved in geopolitical conflict, you may become collateral damage in cyberattacks you had nothing to do with. This isn't a reason to avoid international business, but it's a reason to factor geopolitical risk into your cybersecurity planning.

Applying This to Your Business

Even if you're not a shipping giant or pharmaceutical company, NotPetya's lessons apply:

  • Keep systems patched. Don't wait weeks or months. Known vulnerabilities get exploited quickly.
  • Maintain offline backups. At least one copy of your critical data should be completely disconnected from your network.
  • Test backup restoration. Maersk survived because of one offline domain controller. Know that your backups work before you desperately need them.
  • Segment your network. Limit how far an attacker can move if they get in.
  • Vet your vendors' security. The software you trust could become the attack vector.

The Bottom Line

NotPetya proved that cyberattacks can cause physical-world devastation on a global scale. A software update in Ukraine led to ships stranded in ports, medicine not produced, and billions of dollars in losses across multiple continents.

The attack also demonstrated a troubling new reality: you can do everything right—avoid phishing, use strong passwords, keep software updated—and still get compromised through your software supply chain. Security in the modern age requires not just protecting your own systems, but understanding and managing the risks that come through every connection to the outside world.

$10 billion in damages. The most costly cyberattack in history. And it looked like just another software update.
