NotPetya — Ukrainian-targeted destructive wiper
A destructive wiper disguised as ransomware spread via a poisoned Ukrainian M.E.Doc tax software update, propagated through EternalBlue and credential theft, causing $10B+ globally.
- Target: NotPetya — Ukrainian-targeted destructive wiper
- Date public: 27 June 2017
- Sector: Government
- Attack type: Nation State
- Threat actor: Sandworm / GRU Unit 74455 (Russian military intelligence)
- Severity: Critical
- Region: Global — originating in Ukraine
In June 2017 Russian military hackers released a destructive piece of malware against Ukraine that pretended to be ransomware. It demanded $300 in Bitcoin to decrypt files. There was no decryption key — the encryption was mathematically irreversible. The malware was a destructive weapon disguised as a criminal tool. It spread far beyond Ukraine to any company with operations in the country: Maersk, the world's largest shipping firm, lost its global IT estate and rebuilt 4,000 servers and 45,000 computers from a single surviving backup in Ghana that had been offline due to a power outage. Total damage was estimated at more than $10 billion, making NotPetya the most economically destructive cyber-attack in history.
On 27 June 2017 a destructive piece of malware that masqueraded as ransomware swept through Ukrainian organisations and then propagated globally to any organisation with even a tangential operational link to Ukraine. The initial infection vector was a poisoned auto-update to M.E.Doc, a Ukrainian tax-accounting application that was effectively mandatory for businesses operating in the country. From the M.E.Doc update server, the malware — dubbed NotPetya because it borrowed the visual presentation of the Petya ransomware family — used a combination of the EternalBlue SMB exploit (the same NSA-leaked tool used in WannaCry six weeks earlier), credential theft via Mimikatz, and PsExec to spread laterally on internal networks at remarkable speed.
NotPetya presented itself as ransomware demanding $300 in Bitcoin for a decryption key. The decryption key did not exist. The malware encrypted master file tables and master boot records in a way that was mathematically irreversible, even by its creators. The “ransom” function was a deception to obscure the actor’s strategic intent, which was to inflict destructive damage at scale on Ukrainian critical infrastructure and any business whose systems touched it.
The collateral damage to global enterprises with operations in Ukraine was unprecedented. Maersk, the world’s largest container shipping company, lost its global IT infrastructure and was forced to rebuild approximately 4,000 servers and 45,000 PCs from a single surviving Active Directory server in Ghana that had been offline due to a power outage during the spread. Reckitt Benckiser, FedEx (TNT Express subsidiary), Mondelez, Merck, WPP, Beiersdorf, Saint-Gobain and many others suffered week-long operational outages. The total cost was estimated by various national agencies and academic studies at more than $10 billion, making NotPetya the most economically damaging single cyber incident in history.
In October 2020 the US Department of Justice indicted six officers of GRU Unit 74455 — the unit known as Sandworm — for the NotPetya operation, the 2018 Olympic Destroyer attack, the BlackEnergy attacks against the Ukrainian power grid, and the Macron campaign hack-and-leak. Russian responsibility had previously been attributed publicly by the US, UK, Canada, Australia, New Zealand and Ukraine.
Defender takeaway: NotPetya is the case study for “lateral movement at machine speed”. Once the malware reached one host with administrator credentials, it was on every reachable host with a writable share within minutes. The SMB segmentation, the application of MS17-010, the disabling of LLMNR and NetBIOS-NS, and the privilege-tier separation that would have slowed it dramatically were all available controls in 2017. The wider lesson — repeatedly relearned through the WannaCry, NotPetya and Sandworm-driven attacks of 2017 — is that the boundary between “Ukrainian targeting” and “global enterprise impact” is whatever shared software, shared network, or shared identity infrastructure exists between the two. NotPetya is the original argument for treating supply-chain dependencies on regional software vendors as a strategic risk, not just an operational one.
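The "lateral movement at machine speed" pattern above is detectable as fan-out: one source address touching many distinct hosts within minutes, usually with a remote service install on each. The PowerShell below is an added example, not code from the original page or from any of the agencies it cites. `Find-FastFanOut` works on plain records with this script's own field names (Time, Source, Target, Kind) so it runs offline against the constructed sample; `Get-NetworkLogonRecords` builds the same records from live event 4624 network logons (LogonType 3), using the documented 4624 property positions 8 (LogonType) and 18 (IpAddress). The threshold values are assumptions to tune per environment.

```powershell
# Added example (not from the page): flag one source reaching many hosts in a short window.
function Find-FastFanOut {
    param(
        [Parameter(Mandatory)] [object[]] $Records,   # objects with Time, Source, Target, Kind
        [int] $MinTargets    = 5,                      # distinct hosts touched ...
        [int] $WindowMinutes = 10                      # ... within this many minutes (assumed defaults)
    )
    $alerts = @()
    foreach ($bySource in ($Records | Group-Object -Property Source)) {
        $sorted = @($bySource.Group | Sort-Object -Property Time)
        # Slide a window forward from each record for this source; alert once per source.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start    = $sorted[$i].Time
            $end      = $start.AddMinutes($WindowMinutes)
            $inWindow = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
            $targets  = @($inWindow.Target | Sort-Object -Unique)
            if ($targets.Count -ge $MinTargets) {
                $alerts += [pscustomobject]@{
                    Source          = $bySource.Name
                    WindowStart     = $start
                    DistinctTargets = $targets.Count
                    Targets         = ($targets -join ',')
                    ServiceInstalls = @($inWindow | Where-Object { $_.Kind -eq 'ServiceInstall' }).Count
                }
                break
            }
        }
    }
    return $alerts
}

function Get-NetworkLogonRecords {
    # Live collector: event 4624 with LogonType 3 from each host's Security log.
    # Needs an elevated session and remote event-log access to the named hosts.
    param([string[]] $ComputerName = @($env:COMPUTERNAME), [int] $Hours = 6)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($computer in $ComputerName) {
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { $_.Properties[8].Value -eq 3 } |
            ForEach-Object {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Source = $_.Properties[18].Value   # IpAddress of the initiating host
                    Target = $computer
                    Kind   = 'NetworkLogon'
                }
            }
    }
}

# Constructed sample data (not real telemetry). Source 10.0.0.5 logs on to six hosts
# and installs a service on each within about four minutes; 10.0.0.9 touches two hosts
# fifty minutes apart, the shape of ordinary administration.
$t0 = Get-Date '2017-06-27T10:30:00'
$sample = @()
$n = 0
foreach ($tgt in 'FS01', 'FS02', 'APP01', 'APP02', 'DC01', 'WS117') {
    $sample += [pscustomobject]@{ Time = $t0.AddSeconds(40 * $n);     Source = '10.0.0.5'; Target = $tgt; Kind = 'NetworkLogon' }
    $sample += [pscustomobject]@{ Time = $t0.AddSeconds(40 * $n + 5); Source = '10.0.0.5'; Target = $tgt; Kind = 'ServiceInstall' }
    $n++
}
$sample += [pscustomobject]@{ Time = $t0;                Source = '10.0.0.9'; Target = 'FS01';  Kind = 'NetworkLogon' }
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(50); Source = '10.0.0.9'; Target = 'APP01'; Kind = 'NetworkLogon' }

Find-FastFanOut -Records $sample | Format-Table -AutoSize
```

In production the records come from a central collector rather than per-host queries; the `Kind` field is free-form so that service-install events (event 7045 in the System log) gathered by the same collector can be tagged and counted alongside the logons.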
Controls that would have helped
Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.
- Workload-based segmentation so a single intrusion can't spread laterally: A flat workload network is one bad day from a NotPetya. Workload-level policy enforcement — identity-aware, application-aware — is the single biggest blast-radius limit in the catalogue.
- Application allowlisting on high-value endpoints: On a server, on a privileged-access workstation, on a SCADA controller, the answer to 'what should run here' is finite, knowable and short. Allowlist it. Block everything else.
- Block Office macros from any document originating outside the organisation: VBA macros in inbound Office documents have been the preferred ransomware delivery vehicle for a decade. Microsoft now blocks them by default. Reverse the default at your peril.
- Disable LLMNR, NetBIOS-NS and mDNS on Windows networks: Three legacy name-resolution protocols on Windows let any attacker on the LAN poison hostname lookups and harvest hashes from any user that mistypes a server name. Disable them.
- Protective DNS — block command-and-control and known-bad domains at the resolver: Almost every modern intrusion phones home over DNS. A protective resolver that blocks known-bad domains breaks the chain after initial access, often before the operator notices.
- Active Directory tier-0 hardening — protected accounts, no SPNs on privileged users, monitored sensitive groups: AD remains the highest-blast-radius identity tier in most enterprises. A small set of hardening configurations turns the most reliable lateral-movement playbooks into observable, blockable failures.
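The LLMNR / NetBIOS-NS / mDNS control above and the SMB controls in the defender takeaway are all local host settings, so they can be audited and enforced with a short script. The PowerShell below is an added example, not code from the page, the Controls Desk or any vendor. The registry locations are the documented Windows policy values for each setting (`EnableMulticast` for LLMNR, `NetbiosOptions` per adapter for NetBIOS over TCP/IP, `EnableMDNS` for mDNS, which is honoured on current Windows 10/11 and Server builds); SMBv1 is read and set through the SMB cmdlets. `Set-LegacyProtocolsDisabled` supports `-WhatIf`, and both functions assume an elevated session.

```powershell
# Added example (not from the page): audit, and optionally enforce, the legacy-protocol controls.
$DnsClientPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$DnsCacheParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$NetBtInterfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-LegacyProtocolState {
    # A missing value means the Windows default, which is "enabled" for all three protocols.
    $llmnr = (Get-ItemProperty -Path $DnsClientPolicy -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $mdns  = (Get-ItemProperty -Path $DnsCacheParams  -Name EnableMDNS      -ErrorAction SilentlyContinue).EnableMDNS
    # One Tcpip_{GUID} subkey per adapter; NetbiosOptions 2 = NetBIOS over TCP/IP disabled on that adapter.
    $nbtPerAdapter = Get-ChildItem -Path $NetBtInterfaces | ForEach-Object {
        (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    }
    # SMBv1 is the protocol EternalBlue exploits; MS17-010 patches it, disabling SMBv1 removes the surface.
    # Patch state for MS17-010 is per-build, so compare Get-HotFix output with your own patch baseline
    # rather than hard-coding KB numbers here.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    [pscustomobject]@{
        LLMNRDisabled   = ($llmnr -eq 0)
        mDNSDisabled    = ($mdns -eq 0)
        NetBIOSDisabled = (@($nbtPerAdapter | Where-Object { $_ -ne 2 }).Count -eq 0)
        SMB1Disabled    = (-not $smb1)
    }
}

function Set-LegacyProtocolsDisabled {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($DnsClientPolicy, 'EnableMulticast=0 (disable LLMNR)')) {
        if (-not (Test-Path -Path $DnsClientPolicy)) { New-Item -Path $DnsClientPolicy -Force | Out-Null }
        Set-ItemProperty -Path $DnsClientPolicy -Name EnableMulticast -Value 0 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($DnsCacheParams, 'EnableMDNS=0 (disable mDNS; takes effect after reboot)')) {
        Set-ItemProperty -Path $DnsCacheParams -Name EnableMDNS -Value 0 -Type DWord
    }
    foreach ($adapter in (Get-ChildItem -Path $NetBtInterfaces)) {
        if ($PSCmdlet.ShouldProcess($adapter.PSChildName, 'NetbiosOptions=2 (disable NetBIOS over TCP/IP)')) {
            Set-ItemProperty -Path $adapter.PSPath -Name NetbiosOptions -Value 2 -Type DWord
        }
    }
    if ($PSCmdlet.ShouldProcess('SMB server', 'EnableSMB1Protocol=false (remove the EternalBlue attack surface)')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

Get-LegacyProtocolState                 # audit only; prints four booleans
Set-LegacyProtocolsDisabled -WhatIf     # preview; drop -WhatIf to apply, then reboot for NetBT and mDNS changes
```

Registry edits made this way apply to the local host only; in a domain the same four settings belong in Group Policy so that the audit function reports the enforced state rather than a drifting local one.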