NotPetya: $10 Billion in Damages from a Wiper Disguised as Ransomware

What appeared to be ransomware was actually a Russian military-grade wiper deployed via a poisoned Ukrainian accounting software update. NotPetya caused $10 billion in damages and was the most costly cyber attack in history.

M.E.Doc / Global Enterprises · 2017 · 2 min read

Background

NotPetya was deployed through M.E.Doc, a Ukrainian accounting software package used by virtually all companies operating in Ukraine. Russia's military intelligence unit Sandworm had compromised M.E.Doc's update mechanism months earlier. On June 27, 2017, they pushed the payload.

The Attack

NotPetya spread in three phases: initial infection via the M.E.Doc update, lateral movement using the NSA's EternalBlue exploit (leaked from the NSA six weeks earlier) and Mimikatz credential dumping, and final payload execution. Unlike real ransomware, NotPetya's encryption key was not actually stored anywhere — it was designed to be unrecoverable. The malware destroyed the MBR and encrypted files with no decryption path. It spread with extraordinary speed through enterprise networks using Windows file sharing. Shipping giant Maersk lost its entire global IT infrastructure in 90 minutes.

Response

Maersk rebuilt its entire global IT infrastructure — 45,000 PCs, 4,000 servers, 2,500 applications — in 10 days using a single surviving domain controller found in Ghana that had been offline due to a power cut. Merck, FedEx, Mondelez, Reckitt Benckiser and dozens of other multinationals also suffered massive outages.

Outcome

Total damages were estimated at $10 billion — the costliest cyber attack in history. The US, UK, EU, and Australia publicly attributed NotPetya to Russia's GRU. Insurance companies argued "acts of war" exclusions applied to NotPetya claims, triggering landmark litigation (Mondelez v Zurich) that is still shaping cyber insurance policy.

Key Takeaways

  1. Software update mechanisms are high-value supply chain attack vectors requiring integrity verification
  2. Offline, isolated backups are the only guarantee against destructive wiper attacks
  3. EternalBlue remains dangerous — SMBv1 should be disabled across all enterprise networks
  4. Cyber war attribution and insurance coverage are deeply unsettled legal questions
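The following PowerShell script is an added example, not part of the original article: it audits and then disables SMBv1 (the protocol EternalBlue targets) on a Windows host. It assumes an elevated session on Windows 10 or later; on Server SKUs the feature is removed with `Remove-WindowsFeature FS-SMB1` instead of the optional-feature cmdlet used here.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): audit and disable SMBv1 on a
# Windows 10+ client host. Run in an elevated PowerShell session.

function Get-Smb1State {
    # Collect the three places SMBv1 can still be alive: the SMB server setting,
    # the client-side redirector driver (mrxsmb10), and the optional feature.
    $driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='mrxsmb10'"
    [pscustomobject]@{
        ServerEnableSMB1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
        ClientDriverMode = if ($driver) { $driver.StartMode } else { 'Absent' }
        OptionalFeature  = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    }
}

function Enable-Smb1Audit {
    # Before disabling, log which clients still negotiate SMBv1 (event ID 3000 in the
    # Microsoft-Windows-SMBServer/Audit log) so legacy devices can be found first.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Disable-Smb1 {
    # Server side: stop accepting SMBv1 connections.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Client side: drop the SMB1 redirector from LanmanWorkstation's dependencies
    # and prevent the driver from starting.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    # Remove the optional feature entirely; a reboot completes the removal.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

$before = Get-Smb1State
Write-Host "Before:" ($before | Format-List | Out-String)

if ($before.ServerEnableSMB1 -or $before.OptionalFeature -eq 'Enabled') {
    Disable-Smb1
}

$after = Get-Smb1State
Write-Host "After:" ($after | Format-List | Out-String)
```

Run `Enable-Smb1Audit` on file servers for a week or two before calling `Disable-Smb1` fleet-wide, so that printers, NAS boxes and other legacy SMBv1-only devices are identified rather than silently cut off.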
Tags: wiper, supply chain, EternalBlue, Russia, Sandworm