The Most Destructive Cyberattack in History: NotPetya
On the evening of June 27, 2017, employees at Maersk — the Danish shipping giant that moves roughly 17% of all global cargo — started watching their computers turn themselves off, one by one, across offices in 130 countries. The machines rebooted. A black screen appeared with a blinking cursor and a simple, terrifying message:
“Repairing file system on C:… This process may take several hours…”
Then came the ransom demand. A red and black screen instructing victims to pay $300 in Bitcoin.
Maersk’s IT staff immediately recognized this. It looked like Petya — a known strain of ransomware. They’d seen Petya before. Petya could be beaten. They began activating recovery procedures.
They didn’t know yet that the decryption key they were hoping to receive didn’t exist. That no one had ever built it. That the ransom screen was a lie, painted over a program whose only actual function was obliteration.
What was destroying Maersk’s network was not ransomware. It was a wiper — a weapon of digital arson — deployed with a precision and patience that pointed unmistakably to a single, state-level adversary with a specific target: Ukraine. The rest of the world was collateral.
Threat Actor Profile: Sandworm (GRU Unit 74455)
Designation: Sandworm (iSIGHT/Mandiant); Voodoo Bear (CrowdStrike); TEMP.Noble (FireEye); Unit 74455 (US DoJ designation); Seashell Blizzard (Microsoft)
Attribution: Russian Federation Main Intelligence Directorate (GRU), specifically the Main Centre for Special Technologies (GTsST), Unit 74455, based at a GRU facility in Khimki, Russia
Origin: Moscow region, Russia; operating since at least 2009
Primary Mission: Destructive offensive cyber operations on behalf of the Russian state; strategic infrastructure attacks; information warfare; political destabilization
Known Tradecraft: Wiper malware, industrial control system (ICS/SCADA) attacks, supply chain compromise, spear-phishing with zero-days, manipulation of Ukrainian critical infrastructure
Notorious Operations:
- BlackEnergy Ukraine Power Grid (December 2015): The first confirmed cyberattack to cause a power blackout. Sandworm cut power to approximately 230,000 customers across western Ukraine for up to six hours using BlackEnergy malware and the KillDisk wiper component. A warning shot fired eighteen months before NotPetya.
- Industroyer / Crashoverride (December 2016): A second Ukrainian power grid attack using a modular malware platform engineered to communicate with industrial substation protocols. The most sophisticated ICS malware since Stuxnet.
- NotPetya (June 2017): The most destructive cyberattack in history by financial damage. Disguised as ransomware; functionally a wiper. $10 billion in global damages; Maersk, Merck, FedEx, and dozens of others.
- Olympic Destroyer (February 2018): A false-flag wiper targeting the 2018 Pyeongchang Winter Olympics, seeded with code resembling North Korean tools to confuse attribution. Eventually attributed to Sandworm.
- WhisperGate (January 2022): Weeks before Russia’s full-scale military invasion of Ukraine, a wiper designed to mimic ransomware hit Ukrainian government systems, a near-identical playbook to NotPetya five years later. Microsoft tracks the operator as Cadet Blizzard, and a 2024 US indictment attributed WhisperGate to a different GRU unit, 29155, rather than to Sandworm; the continuity with NotPetya is the playbook, not the operator.
The Setup: A Nation Under Siege Before the Worm
To understand NotPetya, you have to understand the context in which it was deployed. By mid-2017, Ukraine was already at war — not just militarily in the Donbas, but digitally.
Sandworm had been systematically attacking Ukrainian infrastructure for years. The 2015 and 2016 power grid attacks had demonstrated both the technical capability and the willingness to use it. Ukrainian government ministries, banks, media outlets, and transportation systems had been targeted repeatedly. The cyberattacks were not adjuncts to the war in eastern Ukraine — they were the war, conducted in a domain where international law was undefined and proportional response was impossible.
For the NotPetya operation, Sandworm found its perfect vector in an accounting application called M.E.Doc (“Medoc”), a Ukrainian-developed tax reporting tool used by roughly 80% of businesses operating under Ukrainian tax law. Companies doing business in Ukraine, domestic or foreign, had to file their tax returns electronically, and M.E.Doc was by far the dominant tool for doing so, which is why the Ukrainian subsidiaries of foreign multinationals ran it too.
Sandworm had quietly compromised M.E.Doc’s software update infrastructure months before the attack. The backdoor they planted was elegant and patient: a modified DLL shipped inside the legitimate update mechanism (ESET later identified backdoored updates pushed in April, May and June 2017), capable of deploying arbitrary code to every machine running M.E.Doc the next time the software pulled an update. By late June 2017, the weapon was loaded and ready.
The Shadow Brokers’ April 14, 2017 release of the NSA’s EternalBlue exploit had given Sandworm something else: a self-propagating engine to turn a targeted supply chain attack into a global firestorm. Microsoft had patched the underlying SMBv1 flaw a month earlier (MS17-010, March 14, 2017), but much of the world’s Windows estate had not applied it.
The Attack: Three Layers of Destruction
On June 27, 2017 — the eve of Ukraine’s Constitution Day national holiday — the update was pushed. The three-layer attack unfolded with mechanical precision.
Layer 1: Supply Chain Initial Access (M.E.Doc)
Every machine in Ukraine running M.E.Doc received what appeared to be a routine software update. Hidden inside was the NotPetya dropper. The initial infection pool was enormous — every Ukrainian business, bank, utility, and government agency using the software received the malware simultaneously.
Among the infected: the machines of multinational corporations with Ukraine offices — Maersk, Merck, Mondelez, FedEx’s TNT Express, Rosneft, WPP, and dozens of others. Their Ukrainian endpoints were patient zero for infections that would shortly destroy their entire global networks.
Layer 2: Credential Theft and Lateral Movement (Mimikatz)
NotPetya embedded a modified version of Mimikatz, the credential extraction tool written by French security researcher Benjamin Delpy as a research project and by 2017 a standard component of offensive toolkits. It read cached credentials, plaintext passwords and hashes out of LSASS memory on each infected machine, harvesting whatever administrator credentials had been used there.
Equipped with valid credentials, NotPetya moved laterally through corporate networks using the same tools an administrator would: a copy of Sysinternals PsExec embedded in the binary and the built-in WMIC command, both authenticating with the stolen credentials. It didn’t need to break down doors. It walked through them, with the keys it had just stolen.
For organizations where this lateral movement eventually led to a domain administrator account — and at global corporations with thousands of machines and flat network architectures, it often did — NotPetya could access every machine on the domain simultaneously.
Layer 3: EternalBlue Propagation
For machines it could not authenticate to, NotPetya fell back on the same exploits that had powered WannaCry six weeks earlier: EternalBlue (CVE-2017-0144) and its sibling EternalRomance (CVE-2017-0145), both SMBv1 flaws fixed by MS17-010 in March 2017. Any unpatched Windows machine reachable on TCP port 445 was compromised automatically, regardless of credentials.
Unlike WannaCry, NotPetya had no network kill switch; its only stop condition was local (it exited if a file named perfc already existed in C:\Windows, which is the basis of the “vaccine” that circulated within hours). It also scanned only the local network and hosts it already knew about rather than the whole internet, which is why it burned through corporate networks so quickly yet crossed between organizations mostly over VPNs and site-to-site links. The credential-theft mechanism alone would have made it more dangerous than its predecessor; combined with the SMB exploits’ remote code execution, it was devastating.
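The three propagation mechanisms above leave distinctive process-creation traces, and a detection engineer would want to see them correlated rather than described. The following is an added example, not code from the article, from any vendor product, or from the malware. Its command-line patterns follow the public 2017 analyses of the NotPetya sample (Microsoft, ESET, Kaspersky): the payload DLL dropped as C:\Windows\perfc.dat and started through rundll32 by ordinal export #1, the embedded PsExec dropped as dllhost.dat, remote execution through WMIC “process call create” with /node and /user, and a scheduled forced “shutdown /r /f” that triggers the fake CHKDSK boot screen. The log format, the rule weights, the hostnames and usernames, and the log lines themselves are constructed for this example.

```python
r"""Flag NotPetya-style lateral movement in process-creation logs.

Added example; not code from the article, any vendor product, or the malware.
The log format, hostnames, usernames, rule weights and the sample lines are
constructed for this example; the command-line patterns come from the public
2017 analyses of the NotPetya sample.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# One process-creation event per line: ts host= user= image= cmd="..."
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$'
)

@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    image: str
    cmd: str

def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
    return events

# (rule name, weight, pattern). Weights are an assumption for this example.
RULES = (
    # rundll32 <path>perfc.dat,#1 (also embedded in the PsExec / WMIC remote commands)
    ("perfc_rundll32", 100,
     re.compile(r'rundll32(?:\.exe)?\s+\S*perfc(?:\.dat)?[\\"]*\s*[, ]\s*#1', re.I)),
    # renamed PsExec: dllhost.dat \\target ... -s (run as SYSTEM) ... -d (do not wait)
    ("renamed_psexec", 80,
     re.compile(r'dllhost\.dat\s+\\\\\S+.*\s-s\b.*\s-d\b', re.I)),
    # WMIC remote process creation with explicit (stolen) credentials
    ("wmic_remote_create", 60,
     re.compile(r'wmic(?:\.exe)?\s+/node:\S+\s+/user:\S+.*\bprocess\s+call\s+create\b', re.I)),
    # scheduled forced reboot: the last step before the fake CHKDSK screen
    ("scheduled_forced_reboot", 40,
     re.compile(r'schtasks(?:\.exe)?\s+/create\b.*\bshutdown(?:\.exe)?\s+/r\s+/f\b', re.I)),
)

# Where the remote-execution commands name their target host
TARGET_RES = (
    re.compile(r'dllhost\.dat\s+\\\\(\S+)', re.I),
    re.compile(r'/node:"?([^"\s]+)"?', re.I),
)

def score_events(events):
    """{host: [(rule, weight, cmd), ...]} for every event matching at least one rule."""
    hits = defaultdict(list)
    for ev in events:
        for name, weight, rx in RULES:
            if rx.search(ev.cmd):
                hits[ev.host].append((name, weight, ev.cmd))
    return dict(hits)

def infected_hosts(events, threshold=100):
    """Hosts whose summed rule weights reach the threshold, sorted by name."""
    totals = {h: sum(w for _, w, _ in m) for h, m in score_events(events).items()}
    return sorted(h for h, t in totals.items() if t >= threshold)

def spread_edges(events):
    """(source, target) pairs recovered from PsExec / WMIC remote-execution commands."""
    edges = set()
    for ev in events:
        for rx in TARGET_RES:
            m = rx.search(ev.cmd)
            if m:
                edges.add((ev.host, m.group(1)))
    return sorted(edges)

# Constructed sample: one infected accounting host pushing to two others, plus benign noise.
SAMPLE_LOG = r'''
2017-06-27T10:30:12Z host=UA-ACCT-01 user=CORP\svc_medoc image=C:\Windows\System32\rundll32.exe cmd="C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1 30"
2017-06-27T10:31:05Z host=UA-ACCT-01 user=CORP\svc_medoc image=C:\Windows\dllhost.dat cmd="C:\Windows\dllhost.dat \\UA-ACCT-02 -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1 30"
2017-06-27T10:31:09Z host=UA-ACCT-01 user=CORP\svc_medoc image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic.exe /node:"UA-FILE-01" /user:"CORP\da_backup" /password:"<redacted>" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 30""
2017-06-27T10:31:40Z host=UA-ACCT-01 user=CORP\svc_medoc image=C:\Windows\System32\schtasks.exe cmd="schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 10:42"
2017-06-27T10:31:22Z host=UA-ACCT-02 user=CORP\svc_medoc image=C:\Windows\System32\rundll32.exe cmd="C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1 30"
2017-06-27T10:32:01Z host=UA-ACCT-02 user=CORP\svc_medoc image=C:\Windows\System32\schtasks.exe cmd="schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 10:42"
2017-06-27T10:33:15Z host=UA-HR-07 user=CORP\j.doe image=C:\Windows\System32\rundll32.exe cmd="rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl"
2017-06-27T10:34:48Z host=UA-HR-07 user=CORP\j.doe image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic.exe os get caption,version"
'''

EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for host, matches in score_events(EVENTS).items():
        print(host, sorted({name for name, _, _ in matches}))
    print("infected:", infected_hosts(EVENTS))
    print("spread:", spread_edges(EVENTS))
```

The perfc.dat name was fixed in the 2017 sample and is the weakest signal here; the behavioural rules (a renamed PsExec run with -s, WMIC remote process creation with explicit credentials, a scheduled forced reboot) survive renaming and are the ones worth keeping in a production ruleset. The spread_edges output reconstructs who pushed to whom, which is what an incident responder needs to find the first infected M.E.Doc host.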
The Payload: Destruction, Not Extortion
Here is where NotPetya revealed its true nature.
The ransomware screen was theater. Beneath the Bitcoin demand and the red-and-black aesthetic, NotPetya’s actual payload performed three destructive operations:
- MBR Overwrite: Where it had administrative rights, NotPetya overwrote the Master Boot Record with a custom bootloader and scheduled a forced reboot through a scheduled task. On restart the bootloader displayed the fake “Repairing file system” CHKDSK screen from the opening of this article while it did its real work, then showed the ransom screen.
- MFT Encryption: The Master File Table, the index that tells Windows where every file on the disk is located, was encrypted by that bootloader with Salsa20 under a randomly generated key. Without the MFT, the operating system cannot locate any file on the drive. The key was used once and then overwritten; nothing written to disk, shown on screen, or sent to the attackers derived from it. The “personal installation key” the ransom screen told victims to quote was random data with no relation to the encryption key. Recovery was impossible by design.
- File Encryption: Before the reboot, NotPetya also encrypted individual files of targeted extensions (documents, archives, disk images, source files) with a per-machine AES key, wrapped with an RSA-2048 public key embedded in the binary and written to a README.TXT. On machines where it lacked the rights to rewrite the boot sector, this was the only stage that ran. In practice it changed nothing: the attackers never operated a decryption service, and on every machine where the boot-sector stage ran, the file system index was already gone.
The ransom demand asked victims to email a specific address (an account at the German provider Posteo) with their Bitcoin transaction ID and installation key. Posteo shut the account down within hours of the outbreak. No key was ever delivered. No key ever could have been delivered.
NotPetya was not ransomware. It was a weapon wearing ransomware’s clothes. The $300 Bitcoin demand was camouflage — designed to make the attack look like criminal extortion rather than state-sponsored warfare, complicating attribution and providing plausible deniability.
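The difference between extortion and destruction comes down to one design decision: whether the victim-visible “installation ID” is derived from the encryption key. The following is an added example, not code from the article or from the malware, that models both designs side by side. A toy stream cipher (SHA-256 keystream) stands in for the Salsa20 used by the Petya-family bootloader, and an HMAC-derived pad stands in for the RSA key wrapping real extortion schemes use; ATTACKER_SECRET, the fake MFT records and all function names are constructed for the example.

```python
r"""Why NotPetya's boot-sector stage was unrecoverable by construction.

Added example; not code from the article or from the malware. The stream
cipher is a toy stand-in for Salsa20, the HMAC pad a stand-in for RSA key
wrapping, and the attacker secret and sample MFT bytes are constructed.
"""
import hashlib
import hmac
import os

KEY_LEN = 32

def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR data with SHA-256(key || nonce || block counter). Not Salsa20."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap_key(attacker_secret, key):
    """Stand-in for RSA wrapping: XOR the key with a pad only the attacker can regenerate."""
    pad = hmac.new(attacker_secret, b"installation-id-pad", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, pad))

unwrap_key = wrap_key  # XOR with the same pad undoes the wrap

def encrypt_extortion_style(mft, attacker_secret):
    """Real ransomware: the note carries the key, wrapped so only the attacker can open it."""
    key, nonce = os.urandom(KEY_LEN), os.urandom(8)
    ct = keystream_xor(key, nonce, mft)
    note = {"installation_id": wrap_key(attacker_secret, key).hex(), "nonce": nonce.hex()}
    return ct, note  # the plaintext key is not kept anywhere on the victim

def encrypt_notpetya_style(mft):
    """NotPetya: the note's installation ID is random bytes with no relation to the key."""
    key, nonce = os.urandom(KEY_LEN), os.urandom(8)
    ct = keystream_xor(key, nonce, mft)
    note = {"installation_id": os.urandom(KEY_LEN).hex(), "nonce": nonce.hex()}
    key = b"\x00" * KEY_LEN  # models the wipe after use (Python cannot really scrub memory)
    return ct, note

def attacker_decrypt(ct, note, attacker_secret):
    """The attacker's best effort given the victim's note: unwrap the ID and use it as the key."""
    key = unwrap_key(attacker_secret, bytes.fromhex(note["installation_id"]))
    return keystream_xor(key, bytes.fromhex(note["nonce"]), ct)

def recoverable(mft, ct, note, attacker_secret):
    """True only if the attacker, holding every secret they ever had, restores the data."""
    return attacker_decrypt(ct, note, attacker_secret) == mft

# Constructed stand-in for an MFT region: four fake 32-byte file records.
SAMPLE_MFT = b"".join(
    b"FILE0" + name.ljust(27, b"\x00")
    for name in (b"payroll.xlsx", b"bookings.db", b"ntuser.dat", b"vat_q2.xml")
)
ATTACKER_SECRET = b"attacker-held-secret-for-the-example"

def demo():
    """Run both designs over the same data and report who could ever decrypt it."""
    ct1, note1 = encrypt_extortion_style(SAMPLE_MFT, ATTACKER_SECRET)
    ct2, note2 = encrypt_notpetya_style(SAMPLE_MFT)
    return {
        "extortion_recoverable": recoverable(SAMPLE_MFT, ct1, note1, ATTACKER_SECRET),
        "notpetya_recoverable": recoverable(SAMPLE_MFT, ct2, note2, ATTACKER_SECRET),
    }

if __name__ == "__main__":
    print(demo())
```

The test a malware analyst applies is the one demo() encodes: take everything the victim is told to send the attacker and ask whether the key can be derived from it by anyone, including the attacker. For NotPetya’s boot-sector stage the answer was no, which is what separates a wiper with a ransom note from ransomware with a broken payment channel.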
The Damage: Unprecedented
The corporate casualties were staggering.
Maersk suffered perhaps the single most dramatic documented corporate IT collapse. The company’s global estate of roughly 45,000 PCs and 4,000 servers, running some 2,500 applications, was rendered unusable within hours, including all but one of its roughly 150 domain controllers. With port and booking systems down, terminals closed and ships were held outside them. Cargo sat uncollected globally. A company that moves around 20 million shipping containers annually had lost its ability to process a single booking.
The recovery required the reinstallation of those 45,000 PCs and 4,000 servers in ten days, an effort Maersk’s chairman, Jim Hagemann Snabe, later described at Davos as “heroic”. Critically, a single domain controller in Ghana, offline during the attack because of a power cut, was the only one to survive and so the only intact copy of the company’s Active Directory. Without it, Maersk would have had no user and machine directory to rebuild from. A power outage in Africa saved a company headquartered in Denmark.
The final bill: roughly $250 to $300 million for Maersk alone.
Other victims:
- Merck (pharmaceutical): ~$870 million in losses for 2017. Manufacturing was disrupted badly enough that Merck could not meet demand for some vaccines and borrowed Gardasil doses from the US CDC stockpile; its property insurers refused the claim under an “act of war” exclusion, and the resulting litigation took years (a New Jersey court ruled for Merck in 2022, the ruling was upheld on appeal in 2023, and the parties then settled).
- FedEx / TNT Express: ~$400 million. TNT operations were disrupted for weeks; some legacy systems were never fully restored.
- Mondelez International: ~$188 million.
- Reckitt Benckiser: ~$129 million. The consumer goods company could not manufacture or ship products for days.
- WPP (advertising): ~$15 million; significant operational disruption.
- Rosneft (Russian state oil company): Affected — demonstrating that Sandworm’s weapon escaped its targeting constraints and struck Russian targets alongside Ukrainian ones.
Total estimated global damage: $10 billion, the figure former White House homeland security adviser Tom Bossert gave Wired in 2018. The White House’s own February 2018 attribution statement called NotPetya “the most destructive and costly cyber-attack in history.”
Attribution and Aftermath
Attribution to Sandworm / GRU Unit 74455 came through a convergence of technical and intelligence evidence:
Technical indicators: Code analysis revealed substantial similarities between NotPetya and prior Sandworm tools. The M.E.Doc compromise vector had Sandworm’s fingerprints — the same operational patience, the same infrastructure, the same targeting logic seen in the 2015 and 2016 Ukrainian power grid operations.
Intelligence evidence: Western intelligence agencies, including the NSA, UK GCHQ, and CIA, developed independent intelligence confirming GRU authorship. The timing — Constitution Day eve — was consistent with Sandworm’s history of timing attacks to Ukrainian national events.
On February 15, 2018, the UK government, citing its National Cyber Security Centre’s assessment, publicly attributed NotPetya to the Russian military, and the White House issued its own statement the same day. Australia, Canada, New Zealand and several European governments followed with coordinated statements attributing the attack to Russia.
In October 2020, the US Department of Justice indicted six GRU officers — all members of Unit 74455 — for their roles in NotPetya and other Sandworm operations. The indictment named specific individuals, described their roles, and provided unprecedented detail on the unit’s structure and methods. Russia denied involvement, as it always does.
The insurance industry consequence was equally significant. A string of disputes between affected corporations and their insurers, who invoked war exclusion clauses to deny payouts, reshaped the cyber insurance market. The headline cases went the policyholders’ way: Merck won at trial and on appeal before settling, and Mondelez and Zurich settled in 2022. Insurers responded by rewriting their policies rather than their arguments; from 2023 Lloyd’s required its syndicates to exclude state-backed cyberattacks explicitly, so the question of who pays for the next NotPetya is now settled in the contract language, not in court.
Attack Chain: NotPetya
graph TD
A["🇷🇺 Sandworm\n(GRU Unit 74455)"] --> B["Strategic Target: Ukraine\nConstitution Day Eve\nJune 27, 2017"]
B --> C["Supply Chain Compromise\nM.E.Doc Accounting Software\n~80% of Ukrainian businesses\nuse this platform for tax filing"]
C --> D["Backdoor Planted in\nM.E.Doc Update Infrastructure\nMonths of pre-positioning"]
D --> E["June 27, 2017\nMalicious Update Pushed\nto All M.E.Doc Clients"]
E --> F["Ukrainian Businesses, Banks,\nUtilities, Government Agencies\nAll Receive NotPetya Dropper"]
E --> G["Multinational Corp Offices\nin Ukraine — Patient Zero\nMaersk, Merck, Mondelez,\nFedEx/TNT, WPP, Rosneft"]
F --> H["NotPetya Execution"]
G --> H
H --> I["Layer 2: Mimikatz\nCredential Harvesting\nLSASS Memory\nAdmin Passwords Stolen"]
H --> J["Layer 3: EternalBlue / EternalRomance\n(CVE-2017-0144 / CVE-2017-0145)\nSMBv1 Remote Code Execution\nNo Credentials Needed"]
I --> K["Lateral Movement\nas Authenticated Admin\nEntire Domain Reachable"]
J --> K
K --> L["NotPetya Payload"]
L --> L1["MBR Overwrite\nBoot Record Destroyed\nFake Ransom Screen Installed"]
L --> L2["MFT Encryption\nKey Discarded Immediately\nFile System Index Unrecoverable"]
L --> L3["File Encryption\n(Backup Destruction)"]
L1 --> M["Machine Reboots\nFake Ransom Demand Displayed\n'$300 Bitcoin'\n(No Key Exists — Never Did)"]
L2 --> N["🔴 Permanent Data Destruction\nFiles Unrecoverable by Design"]
L3 --> N
G --> O["Lateral Spread via VPN\nand Network Links to\nGlobal Corporate Networks"]
O --> P["45,000 Maersk PCs Destroyed\n4,000 Servers Wiped\n17% of Global Cargo Disrupted"]
O --> Q["Merck Pharmaceutical\n$870M Loss\nVaccine Supply Disrupted"]
O --> R["FedEx / TNT Express\n$400M Loss\nLegacy Systems Never Recovered"]
O --> S["Mondelez International\n$188M Loss"]
O --> T["Reckitt Benckiser\n$129M Loss"]
P --> U["Single Ghana Domain Controller\n(Offline During Attack — Power Cut)\nOnly Surviving AD Copy\n🇬🇭 Saved Maersk"]
N --> V["$10 Billion\nTotal Global Damage\n'Most Destructive Cyberattack\nin History' — White House"]
V --> W["Attribution: GRU Unit 74455\nUK NCSC + US FBI/CIA/NSA\nFebruary 2018"]
W --> X["DOJ Indictment: 6 GRU Officers\nOctober 2020"]
V --> Y["Insurance War Exclusion Disputes\nMerck v. ACE American Insurance\nMondelez v. Zurich Insurance\nCyber Insurance Law Transformed"]