NotPetya is the attack that defined what state-deployed cyberweapons look like in practice. Not a data breach. Not espionage. Pure destruction, delivered at scale, through a supply chain that no one was watching, using stolen NSA tools that had been public knowledge for six weeks. It rewrote the insurance industry's understanding of what "act of war" means in a cyber context, exposed the catastrophic fragility of global logistics infrastructure, and demonstrated that a single compromised software update touching one country could detonate corporate IT environments on five continents before lunchtime.
Understanding NotPetya in full — its technical mechanics, its delivery mechanism, the organizations it destroyed, and the legal and strategic questions it forced open — is essential context for understanding every subsequent state-sponsored destructive cyberattack that has followed.
Not Ransomware: What NotPetya Actually Was
The first and most important fact about NotPetya is that it was never ransomware. It looked like ransomware. It displayed a ransom note demanding $300 in Bitcoin. It provided an email address for victims to contact after payment. But researchers examining the code within hours of the outbreak identified a critical structural difference from any ransomware designed to actually collect money: there was no functional decryption mechanism.
Genuine ransomware generates a unique encryption key per victim, stores it so that only the attacker can retrieve it after payment, and supplies a decryptor once paid. NotPetya's encryption was deliberately structured to make that impossible. The encryption process overwrote the Master Boot Record (MBR) — the code that loads the operating system at startup — and encrypted the Master File Table (MFT), the NTFS filesystem index that tracks every file's name, size, and location on disk. Both operations were irreversible. Even if the attackers had wanted to decrypt a victim's system after payment, they lacked the technical means to do so. The decryption pathway simply did not exist.
CISA's technical analysis, published July 1, 2017, concluded directly: "Based on the encryption methods used, it appears unlikely that the files could be restored, even if the attacker received the victim's unique key and Bitcoin wallet ID." Kaspersky Lab named it "NotPetya" specifically to signal that despite surface similarities to the 2016 Petya ransomware family, this was a fundamentally different kind of malware. The more accurate classification is wiper — malware whose purpose is permanent data destruction, not extortion. The ransom demand was a misdirection designed to make the attack look like criminal activity rather than what it was: a military operation.
NotPetya is correctly classified as a wiper, not ransomware. The distinction matters operationally: organizations hit by ransomware face a decision about paying. Organizations hit by NotPetya faced only a recovery problem. No payment could restore their systems. The only path forward was rebuilding from clean backups — and for organizations that did not have offline backups isolated from the corporate network, there was no path at all.
The Delivery: M.E.Doc and the Supply Chain Entry
The vector that made NotPetya so catastrophically effective was its delivery mechanism. Rather than relying on phishing emails or exploiting publicly accessible vulnerabilities from the outside, Sandworm chose a supply chain attack that gave them simultaneous, silent access to an enormous number of Ukrainian corporate networks in a single operation.
M.E.Doc — short for "My Electronic Documents" — was Ukrainian tax accounting software developed by a small Kyiv firm called Intellect Service. Under Ukrainian law, businesses filing taxes were required to use one of two government-approved software packages for submitting electronic returns. M.E.Doc was one of them. This legal mandate meant that an estimated 400,000 Ukrainian businesses — covering roughly 90% of domestic firms — were running M.E.Doc and receiving automatic software updates from Intellect Service's servers. Mikko Hyppönen of F-Secure described it as the de facto accounting platform for companies doing business in Ukraine.
Sandworm's first step was to compromise M.E.Doc's update servers. ESET's analysis found that a backdoor had been present in M.E.Doc's update system since at least May 15, 2017 — six weeks before the June 27 attack. Cisco Talos researchers found evidence of the backdoor's installation as early as April 2017. The backdoor was embedded in the legitimate software's updater process, meaning it ran silently on every machine that received M.E.Doc updates, with no indication to users or administrators that anything had changed.
On June 27, 2017 at approximately 10:30 AM Kyiv time, Sandworm activated the backdoor and pushed the NotPetya payload as part of what appeared to be a normal M.E.Doc software update. Every organization in Ukraine running M.E.Doc with auto-updates enabled received NotPetya as if it were a routine software patch. The initial delivery required no user interaction, no social engineering, no exploit of a vulnerable public-facing service. It arrived as trusted software from a trusted source, through a trusted update channel, with a valid digital signature.
"It looks like the software's automatic update system was compromised and used to download and run malware rather than updates for the software." — Marcus Hutchins, cybersecurity researcher, June 27, 2017
The Maersk connection illustrates the reach of this vector. Maersk is a Danish company with global operations. Its Ukrainian subsidiary had M.E.Doc installed on a single machine for local tax compliance. That one machine was enough. Once NotPetya executed on the Maersk Ukraine endpoint, it had access to the corporate network — and from there, Sandworm's propagation tools did the rest.
The Technical Mechanics: How NotPetya Spread and Destroyed
NotPetya's propagation capability was what transformed a targeted Ukrainian attack into a global catastrophe. The payload carried three independent lateral movement mechanisms, any one of which could spread the infection to additional machines on the same network. The combination made it extraordinarily difficult for any single defensive measure to contain it.
Stage 1: Credential harvesting with a modified Mimikatz
Upon initial execution, NotPetya ran a modified version of Mimikatz — a credential-harvesting tool originally created in 2011 by French security researcher Benjamin Delpy to demonstrate that Windows stored user credentials in memory after login. Windows cached NTLM password hashes and, in some configurations, cleartext passwords in the Local Security Authority Subsystem Service (lsass.exe) process. Mimikatz could read these out of lsass memory with no user interaction at all; the only precondition was administrator rights on the compromised machine.
NotPetya injected its credential-harvesting DLL directly into lsass.exe, extracting every available credential from the infected machine's memory — usernames, NTLM hashes, and potentially cleartext passwords. These credentials were fed into the next propagation stage.
Stage 2: Lateral movement via PsExec and WMI
With harvested credentials in hand, NotPetya enumerated the local network — identifying other hosts through the machine's ARP table and subnet scanning — then attempted to authenticate to each reachable machine using the stolen credentials. Successful authentication was followed by remote execution of the NotPetya payload using two legitimate Windows administration tools: PsExec (a Sysinternals utility for running processes on remote systems) and Windows Management Instrumentation Command-line (WMIC).
This lateral movement method was particularly dangerous because it did not require the target machine to be unpatched or vulnerable in any traditional sense. If a domain administrator had logged into the initially infected machine at any point — leaving their credentials in memory — those domain credentials could be used to authenticate to any other machine on the domain. A single infection on a machine that a privileged user had touched could cascade to every system in the domain environment without triggering any vulnerability-based detection.
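The two stages above leave a recognisable trail in host telemetry: a process that is not a Windows component opening a handle to lsass.exe, a PsExec service being installed on the target, a process spawned by the WMI provider host, and one account logging on over the network to many hosts from one source in a short window. The following detection logic, an added example that is not code from the article or from any vendor, runs those four checks over a small set of constructed events modelled on Sysmon and Windows Security records; the hostnames, account names, IP addresses and field names are this example's own assumptions.

```python
"""Detection logic for the two propagation stages described above: credential
theft from lsass.exe, then remote execution via PsExec or WMI with the stolen
credentials. Added example, not code from the original article; the events
below are constructed to resemble normalised Sysmon and Windows Security
events, and the field names are this example's own."""

from collections import defaultdict
from datetime import datetime, timedelta

# Processes that legitimately open handles to lsass.exe on a typical host.
# Anything else touching lsass is treated as possible credential theft.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed sample telemetry (hostnames, account names and IPs are made up).
# event_id 10 = Sysmon ProcessAccess, 1 = Sysmon ProcessCreate,
# 7045 = System log service install, 4624 = Security log successful logon.
SAMPLE_EVENTS = [
    # benign: a Windows service host touches lsass
    {"ts": "2017-06-27T10:30:50", "host": "UA-FIN-01", "event_id": 10,
     "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    # stage 1: rundll32 (hosting an unknown DLL) opens lsass
    {"ts": "2017-06-27T10:31:02", "host": "UA-FIN-01", "event_id": 10,
     "source_image": r"C:\Windows\System32\rundll32.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    # stage 2a: PsExec installs its service on a neighbour
    {"ts": "2017-06-27T10:31:40", "host": "UA-FIN-02", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"C:\Windows\PSEXESVC.exe"},
    # stage 2b: the WMI provider host spawns rundll32 on another neighbour
    {"ts": "2017-06-27T10:31:45", "host": "UA-FIN-03", "event_id": 1,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # benign: an interactive console logon (type 2)
    {"ts": "2017-06-27T10:31:50", "host": "UA-FIN-04", "event_id": 4624,
     "logon_type": 2, "account": "CORP\\jdoe", "src_ip": "-"},
    # one account, one source, four targets within seconds (network logons, type 3)
    *[{"ts": f"2017-06-27T10:32:{s:02d}", "host": h, "event_id": 4624,
       "logon_type": 3, "account": "CORP\\da-ops", "src_ip": "10.10.1.20"}
      for s, h in ((5, "UA-FIN-02"), (6, "UA-FIN-03"), (9, "UA-FIN-04"), (12, "UA-SRV-01"))],
]


def detect(events, fanout_threshold=3, window=timedelta(minutes=5)):
    """Return a list of alert dicts for the four propagation indicators."""
    alerts = []
    logons = defaultdict(list)  # (account, src_ip) -> [(timestamp, target host)]
    for e in events:
        eid = e["event_id"]
        if eid == 10 and e["target_image"].lower().endswith(r"\lsass.exe") \
                and e["source_image"].lower() not in LSASS_ALLOWLIST:
            alerts.append({"rule": "lsass_access", "host": e["host"], "detail": e["source_image"]})
        elif eid == 7045 and e["service_name"].upper() == "PSEXESVC":
            alerts.append({"rule": "psexec_service", "host": e["host"], "detail": e["image_path"]})
        elif eid == 1 and e["parent_image"].lower().endswith(r"\wmiprvse.exe"):
            alerts.append({"rule": "wmi_remote_exec", "host": e["host"], "detail": e["image"]})
        elif eid == 4624 and e["logon_type"] == 3:
            logons[(e["account"], e["src_ip"])].append((datetime.fromisoformat(e["ts"]), e["host"]))
    # Fan-out: the same account, from the same source, reaching many distinct hosts
    # inside `window` is the signature of harvested credentials being replayed.
    for (account, src_ip), entries in logons.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            targets = {h for t, h in entries[i:] if t - t0 <= window}
            if len(targets) >= fanout_threshold:
                alerts.append({"rule": "logon_fanout", "host": src_ip,
                               "detail": f"{account} -> {len(targets)} hosts"})
                break
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['rule']:16s} {a['host']:12s} {a['detail']}")
```

The allowlist and the fan-out threshold are the tuning points: the former must be built from what actually touches lsass on the organisation's own images, and the latter should sit above the normal rate at which administrative or service accounts open network sessions, otherwise backup and monitoring accounts will trip it constantly.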
Stage 3: EternalBlue and EternalRomance against unpatched SMBv1
For machines that could not be reached via harvested credentials, NotPetya carried two SMB exploitation tools leaked from the NSA: EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0145). Both exploited vulnerabilities in Microsoft's implementation of the SMBv1 protocol. Microsoft had patched both vulnerabilities in MS17-010 on March 14, 2017 — three months before the NotPetya attack. WannaCry had already demonstrated EternalBlue's destructive potential in May 2017. Despite those warnings, a significant proportion of enterprise systems remained unpatched six weeks later.
EternalBlue triggered unauthenticated remote code execution on vulnerable SMBv1 hosts by sending a carefully crafted SMB Trans2 Secondary Request packet. EternalRomance followed a similar exploitation path targeting a different code path in the SMBv1 handler. Either exploit, when successful, gave NotPetya the ability to install itself on a remote machine without any credentials at all.
The combination of credential-based and exploit-based propagation was the design insight that made NotPetya so difficult to contain. Patching MS17-010 blocked the EternalBlue/EternalRomance path but did nothing to prevent credential-based spread via PsExec and WMI. Restricting domain admin credential usage slowed credential-based spread but left unpatched machines vulnerable to the SMB exploits. Organizations needed to address both vectors simultaneously to have any hope of containment once the first machine was infected.
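The point that neither patching nor credential hygiene is sufficient on its own can be made concrete with a small reachability model. The following is an added example, not code from the article: it takes a constructed inventory of hosts (patch state, which accounts have credentials cached in memory, which accounts are local administrators) and the TCP/445 links between them, then computes how far a worm using both vectors would spread from one infected host under each mitigation. The two propagation rules are a deliberate simplification of what the text describes, and all hostnames and account names are made up.

```python
"""Blast-radius model for the two propagation vectors described above.
Added example, not code from the original article. The inventory is
constructed, and the rules are a deliberate simplification:
  - SMB exploit path: an infected host can take over any neighbour that is
    reachable on TCP/445 and is missing MS17-010, with no credentials;
  - credential path: an infected host gains whatever account credentials were
    cached in its memory, and can take over any neighbour on which one of
    those accounts is a local administrator."""

from copy import deepcopy

DOMAIN_ADMINS = {"corp-da"}      # accounts that are administrators everywhere
TIER0 = {"eu-dc-01"}             # hosts where domain-admin logons are legitimate

# Constructed inventory (hostnames and accounts are made up).
# patched = MS17-010 applied; cached = accounts whose credentials are in memory;
# admins = accounts holding local administrator rights on that host.
HOSTS = {
    "ua-fin-01": {"patched": False, "cached": {"ua-user", "corp-da"}, "admins": {"ua-user"}},
    "ua-fin-02": {"patched": False, "cached": {"ua-user"},            "admins": {"ua-user"}},
    "ua-srv-01": {"patched": False, "cached": {"corp-da"},            "admins": {"corp-da"}},
    "eu-ws-01":  {"patched": True,  "cached": {"eu-user"},            "admins": {"eu-user", "corp-da"}},
    "eu-ws-02":  {"patched": False, "cached": {"eu-user"},            "admins": {"eu-user"}},
    "eu-dc-01":  {"patched": True,  "cached": set(),                  "admins": {"corp-da"}},
    "backup-01": {"patched": True,  "cached": set(),                  "admins": {"corp-da"}},
}
# Pairs of hosts that can reach each other on TCP/445; the ua-srv-01 / eu-ws-01
# pair stands in for the VPN between the Ukrainian office and headquarters.
LINKS = [("ua-fin-01", "ua-fin-02"), ("ua-fin-01", "ua-srv-01"), ("ua-srv-01", "eu-ws-01"),
         ("eu-ws-01", "eu-ws-02"), ("eu-ws-01", "eu-dc-01"), ("eu-dc-01", "backup-01")]


def adjacency(links):
    """Undirected adjacency map from the link list."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def simulate(hosts, links, patient_zero, patch_all=False, tiered_admins=False):
    """Return {host: vector} for every host the worm reaches from patient_zero."""
    inv = deepcopy(hosts)
    if patch_all:                          # mitigation 1: MS17-010 everywhere
        for h in inv.values():
            h["patched"] = True
    if tiered_admins:                      # mitigation 2: domain-admin creds never cached outside tier 0
        for name, h in inv.items():
            if name not in TIER0:
                h["cached"] -= DOMAIN_ADMINS
    adj = adjacency(links)
    infected = {patient_zero: "patient-zero"}
    harvested = set(inv[patient_zero]["cached"])
    changed = True
    while changed:                         # fixed point: newly harvested credentials can open doors seen earlier
        changed = False
        for src in list(infected):
            for dst in adj.get(src, ()):
                if dst in infected:
                    continue
                via_exploit = not inv[dst]["patched"]
                via_creds = bool(harvested & inv[dst]["admins"])
                if via_exploit or via_creds:
                    infected[dst] = "smb-exploit" if via_exploit else "credentials"
                    harvested |= inv[dst]["cached"]
                    changed = True
    return infected


if __name__ == "__main__":
    scenarios = [("no mitigation", {}), ("patch only", {"patch_all": True}),
                 ("admin tiering only", {"tiered_admins": True}),
                 ("patch + tiering", {"patch_all": True, "tiered_admins": True})]
    for label, kw in scenarios:
        reached = simulate(HOSTS, LINKS, "ua-fin-01", **kw)
        print(f"{label:20s} {len(reached)}/{len(HOSTS)} hosts: {sorted(reached)}")
```

On this inventory, patching every host changes nothing, because a domain-admin credential cached on the first machine is a valid administrator on every hop to the backup server; tiering alone stops the credential path at the VPN but still loses the unpatched Ukrainian hosts to the SMB exploit; only both together confine the infection to the two workstations that share a local administrator account, which is the residual risk a segmentation or LAPS-style control would then address.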
The speed of NotPetya's propagation was documented across multiple corporate victims. A large Ukrainian bank's network was taken down in 45 seconds. Part of Kyiv's transit hub was fully infected in 16 minutes. At Maersk, screens across global offices began going dark within hours of the initial Ukrainian detonation. The credential-based spread mechanism meant that once a single privileged account was compromised anywhere in a domain-joined environment, the entire network could fall before administrators had time to isolate affected systems.
Destruction: MBR overwrite and MFT encryption
After spending approximately one hour spreading through the network, NotPetya executed its destructive payload. The process varied depending on whether the Kaspersky antivirus process (avp.exe) was running — a detection-evasion behavior identified by CrowdStrike researchers — but the destructive outcome was consistent across variants.
On systems without Kaspersky running, NotPetya overwrote the Master Boot Record with a custom bootloader containing 16-bit code that encrypted the Master File Table. The MFT is the NTFS filesystem's central index: it contains the name, size, location, permissions, and metadata for every file on the volume. Encrypting the MFT renders every file on the drive inaccessible even though the file data itself remains physically present on the disk — because without the MFT, the OS has no map to find or read any of those files. NotPetya also encrypted individual files matching a hardcoded list of 65 file extensions covering documents, databases, virtual machine images, source code, and configuration files.
After completing encryption, NotPetya called InitiateSystemShutdownExW() to force an immediate reboot. On restart, instead of the Windows boot sequence, the custom bootloader ran — displaying a fake CHKDSK disk check message while the MFT encryption completed in the background. When the process finished, the screen displayed the ransom note. No decryption path existed. The machine was permanently destroyed.
On systems where Kaspersky was running, NotPetya took a different path: rather than the MBR/MFT overwrite, it overwrote the first ten sectors of the physical disk with uninitialized data — a different destructive approach, but equally unrecoverable.
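The sector NotPetya replaced has a fixed layout, and a defender can baseline it. The example below is added here and is not code from the article or from any forensic tool; it assumes the conventional MBR layout (440 bytes of boot code, a 4-byte disk signature, 2 reserved bytes, four 16-byte partition entries, and the 0x55AA signature in the last two bytes), constructs a sample sector, parses it, and shows that a replaced boot-code region is caught by a stored hash even though the partition table still parses normally, which is exactly why a machine with a replaced bootloader still appears to boot.

```python
"""Parsing and baselining the first disk sector (the MBR) that NotPetya replaced.
Added example, not code from the article or from any forensic tool. The MBR
layout assumed here is the conventional one: 440 bytes of boot code, a 4-byte
disk signature, 2 reserved bytes, four 16-byte partition entries, and the
0x55AA boot signature in the last two bytes. The sample sectors are constructed."""

import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446
PART_ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a 512-byte MBR with the given boot code and one NTFS partition (type 0x07)."""
    code = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\x12\x34\x56\x78"                     # constructed disk signature
    ntfs = struct.pack(PART_ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = ntfs + bytes(16) * 3                       # three unused slots
    return code + disk_sig + b"\x00\x00" + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into boot-code hash, disk signature and partition table; reject malformed input."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[-2:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:                                    # type 0 means an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": partitions,
    }


def boot_code_matches(sector: bytes, baseline_sha256: str) -> bool:
    """True if the boot-code region still hashes to the value recorded when the host was known-good."""
    return parse_mbr(sector)["boot_code_sha256"] == baseline_sha256


if __name__ == "__main__":
    known_good = build_sample_mbr(b"CONSTRUCTED-ORIGINAL-BOOT-CODE")
    baseline = parse_mbr(known_good)["boot_code_sha256"]
    replaced = build_sample_mbr(b"CONSTRUCTED-REPLACEMENT-BOOT-CODE")
    print("partition table:", parse_mbr(replaced)["partitions"])       # unchanged
    print("boot code intact:", boot_code_matches(replaced, baseline))   # False
```

To use this on a real fleet, read the first 512 bytes of the physical disk at provisioning time (on Windows that is the `\\.\PhysicalDrive0` device, which requires administrator rights) and store the boot-code hash with the host record; a later read whose partition table parses cleanly but whose boot-code hash differs is the pattern a bootloader-replacing wiper leaves, and on hosts with UEFI Secure Boot the same check belongs on the EFI system partition instead.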
The Victims: $10 Billion in Documented Destruction
Approximately 80% of NotPetya infections occurred in Ukraine, where the M.E.Doc supply chain had seeded it across virtually every corporate network. Ukrainian government ministries, banks, metro systems, the Boryspil airport, and the radiation monitoring system at the Chernobyl Nuclear Power Plant all went offline on June 27. Oleksandr Kardakov, founder of Oktava Cyber Protection, estimated that the attack stopped roughly a third of Ukraine's economy for three days, causing losses exceeding $400 million within the country alone.
The global damage came from the 20% that escaped through VPN connections linking Ukrainian offices to headquarters in Europe and North America. Companies that had M.E.Doc running on even a single Ukrainian machine — or whose networks were connected to one — found themselves hit with no warning and no time to prepare.
| Organization | Estimated Loss | Impact |
|---|---|---|
| Merck & Co. | $870M | 30,000+ endpoints destroyed; production of Gardasil 9 halted; borrowed 1.8M doses from U.S. emergency stockpile; 18 months to replenish CDC cache valued at $240M |
| FedEx / TNT Express | ~$400M | European operations crippled for weeks; some TNT systems permanently lost; FedEx acknowledged potential permanent data loss; long-term customer attrition |
| A.P. Møller-Maersk | $250–300M | 4,000 servers, 45,000 PCs, 2,500 applications reinstalled in 10 days; 17 of 76 global port terminals disrupted; ports in Los Angeles, Rotterdam, Mumbai reduced to manual operations |
| Mondelez International | $188M | Production and shipping disrupted; filed $100M insurance claim that was denied under "act of war" exclusion; settled confidentially in 2022 |
| Reckitt Benckiser | $129M | Manufacturing and supply chain disrupted; quarterly earnings impact disclosed in regulatory filings |
| Saint-Gobain | ~$80M | IT systems across multiple countries affected; manufacturing and logistics operations impacted |
| WPP | Undisclosed | IT systems across multiple subsidiaries and global offices hit; operations disrupted; did not publicly disclose financial impact |
| Rosneft | Undisclosed | Russia's largest oil company experienced temporary IT disruptions despite being a Russian state entity — demonstrating that the malware spread beyond its intended target |
Maersk's recovery story became one of the defining accounts of what large-scale cyber destruction looks like in practice. Maersk chairman Jim Hagemann Snabe, speaking at the World Economic Forum in Davos in January 2018, described being woken at 4 AM with news of the attack, and what followed over the next ten days. With no IT systems, a company that moves a ship carrying 20,000 containers into port every 15 minutes had to route global shipping manually. Staff printed cargo manifests by hand. Booking systems went dark for days. Port terminals that processed hundreds of containers per hour became parking garages. Maersk managed roughly 80% of its normal volume through human effort alone during the outage. The complete infrastructure rebuild — 4,000 servers, 45,000 PCs, 2,500 applications — was accomplished in ten days in what Snabe called "a heroic effort" that would normally take six months. The total financial impact was $250–300 million in a single quarter.
Merck's situation was more dire in a different dimension. NotPetya hit more than 30,000 Merck endpoints and 7,500 servers. Among the production lines it took offline was the manufacturing process for Gardasil 9, the primary HPV vaccine and a critical cancer prevention tool. Merck was unable to meet market demand for Gardasil 9 throughout the remainder of 2017 and was forced to borrow 1.8 million doses — the entire U.S. emergency stockpile held by the CDC's Pediatric National Stockpile — to fill the gap. Replenishing that emergency supply took 18 months. Total Merck damages were estimated at $870 million.
Attribution: Sandworm and the GRU
Attribution of NotPetya to Russia's military intelligence directorate, the GRU — specifically Unit 74455, known publicly as Sandworm — was reached by multiple independent investigators and subsequently confirmed by Western governments through formal attribution statements.
Sandworm had been active since at least 2009 and had been identified by researchers prior to NotPetya for a series of escalating cyberattacks against Ukraine. In December 2015 and December 2016, the group had executed attacks against Ukrainian electricity infrastructure, disconnecting power to more than 225,000 customers in what were the first confirmed cyberattacks to cause physical blackouts in a civilian power grid. The 2015 attack involved the BlackEnergy malware toolkit; the 2016 attack used Industroyer, a more sophisticated industrial control system-specific weapon. NotPetya represented the same group's shift from targeted infrastructure disruption to indiscriminate large-scale destruction.
The forensic indicators connecting NotPetya to Sandworm included code overlap with prior TeleBots and Sandworm tooling, infrastructure reuse, and the operational timeline. ESET, FireEye, CrowdStrike, and Ukraine's SBU (Security Service) all published attribution to Sandworm. The CIA concluded formally in January 2018 that Russian military intelligence was responsible. The UK Ministry of Defence attributed the attack to Russia in February 2018. The U.S., UK, Australia, Canada, and New Zealand issued joint attribution statements that same month.
Russia denied involvement, pointing to the fact that Russian companies — including Rosneft, the state-controlled oil giant — had also been infected. Researchers assessed this as either unintended collateral damage from an operation that spread beyond its containment parameters, or deliberate cover through controlled infections of Russian entities to provide plausible deniability.
In October 2020, the U.S. Department of Justice unsealed indictments against six GRU officers for their roles in NotPetya and other Sandworm operations. The six defendants — officers of GRU Unit 74455 — were charged with conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name. No arrests were made; all six were believed to be in Russia, beyond the reach of extradition.
The Geopolitical Context: Ukraine as Testing Ground
NotPetya did not emerge from a vacuum. It was the most destructive episode in a years-long campaign of Russian cyber operations against Ukraine that accelerated sharply after Russia's 2014 annexation of Crimea and the beginning of the Donbas conflict.
The pattern was consistent: Russia used Ukraine as a laboratory for progressively more destructive cyberweapons, testing capabilities against a real adversary under real operational conditions while calibrating risk. The 2015 and 2016 power grid attacks demonstrated ICS-specific destructive capability. NotPetya demonstrated what happened when supply chain access, worm-propagation exploits, and a wiper with no recovery path were combined by an operator who accepted that collateral damage beyond Ukraine was not a constraint.
The timing of the June 27 attack was deliberate. June 28 was Ukrainian Constitution Day — a national holiday — meaning key government and corporate staff would be away, incident response would be slower, and the destructive payload would have maximum dwell time before large-scale manual intervention could begin.
NotPetya's designers were aware that the M.E.Doc delivery mechanism would seed the initial infection broadly across Ukraine but that network propagation through corporate VPNs would carry it globally. Whether the global spread was intended or accepted as inevitable collateral damage has been debated. Former Homeland Security advisor Tom Bossert stated in his White House assessment that the attack was designed by Russia to cause geopolitical and economic harm. The fact that there was no kill switch — unlike WannaCry, which had one built in — strongly suggests that containment of the global spread was not a design priority.
The Insurance Question: Cyberwar and the Act of War Exclusion
NotPetya's aftermath opened a legal and financial dispute that reshaped the cyber insurance industry and remained unresolved for years after the attack.
Merck had a $1.75 billion "all-risk" property insurance policy with Ace American Insurance. When the company sought coverage for its $870 million in NotPetya damages, Ace American refused to pay, invoking the policy's "acts of war" exclusion clause — the standard insurance provision that excludes coverage for losses caused by hostile or warlike actions by governments. Ace American's position was straightforward: NotPetya was created by a state military intelligence agency as a weapon in an active conflict. It was therefore an act of war, and the exclusion applied.
Merck sued in November 2019. The case centered on whether a cyberattack conducted by a state's military intelligence service against a different country's civilian infrastructure, which caused collateral damage to a company that was not the intended target and had no involvement in the underlying geopolitical conflict, qualified as an "act of war" under a standard property insurance policy that predated the era of state-sponsored cyberattacks.
New Jersey Superior Court Judge Thomas J. Walsh found for Merck. The state appellate court upheld the ruling, finding that the war exclusion clause did not apply to the circumstances of the NotPetya attack. The courts' reasoning aligned with Lloyd's Market Association guidance, which indicates that war exclusions should not apply to cyberattacks conducted outside the theater of conflict or against entities that were not the intended target of a state operation. Merck and Ace American reached a confidential settlement on January 5, 2024.
Mondelez faced a parallel dispute with Zurich American Insurance, which had also denied a claim under the act of war exclusion. That case was settled confidentially in 2022. The combined litigation from NotPetya forced the entire cyber insurance industry to confront questions it had avoided: What does "act of war" mean when the war is cyber and the damage is global? How should policies distinguish between attacks targeting a company directly and collateral damage from state operations aimed at third parties? What coverage terms are appropriate for nation-state cyber operations that may or may not constitute an "act of war" under international law?
The Merck and Mondelez cases produced no binding legal precedent but created strong market pressure on insurers to either clarify or restructure war exclusion language in cyber policies. Lloyd's subsequently published updated guidance distinguishing between cyber operations that constitute war and state-sponsored attacks that do not — guidance that explicitly addresses the "collateral damage" scenario that NotPetya represented. Organizations purchasing cyber insurance should review their policy's war exclusion language specifically and confirm how it applies to nation-state operations targeting third-party infrastructure.
What NotPetya Established
NotPetya's legacy is not primarily in the technical techniques it used — EternalBlue, Mimikatz, and MBR wipers all existed before June 2017. Its legacy is in what it demonstrated about the scale and nature of what state cyberweapons can do, and about the vulnerabilities in global corporate infrastructure that made it possible.
It established that a supply chain compromise of widely deployed commercial software is among the most effective initial access vectors available to a state actor. The M.E.Doc insertion gave Sandworm simultaneous, authenticated, trusted access to an enormous proportion of Ukrainian corporate environments. No phishing campaign could achieve that coverage. No direct exploitation of public-facing services could achieve it with that speed and scale. The lesson — that software update mechanisms are high-value attack targets requiring specific security controls — was documented in the NotPetya postmortems and then demonstrated again in the 2020 SolarWinds attack and the 2021 Kaseya breach, both of which used the same supply chain logic.
It established that corporate network segmentation was dangerously inadequate across even large multinational enterprises. Maersk was hit through a single M.E.Doc installation on a Ukrainian endpoint. The lack of network isolation between that endpoint and global corporate infrastructure allowed the propagation to reach every corner of the enterprise. The principle of segmentation — ensuring that a compromise in one part of the network cannot travel freely to all others — was understood before NotPetya. The attack demonstrated the actual cost of failing to implement it.
It established that offline, immutable backups are a critical resilience requirement, not an optional best practice. Organizations that survived NotPetya intact were those that maintained backup systems completely isolated from the corporate network — systems that the wiper's propagation mechanisms could not reach. Organizations whose backups were connected to the same domain, reachable via the same credentials, or accessible through the same SMB shares as production systems lost their backups alongside everything else.
And it established a question about the laws of armed conflict in cyberspace that remains unresolved: when a state military intelligence agency deploys a cyberweapon against one country, and that weapon escapes to cause billions of dollars in damage to civilian corporations in dozens of other countries that had no connection to the underlying conflict, what legal framework applies? The six GRU officers indicted in 2020 will likely never face trial. The $10 billion in damage was never compensated by any state. The attack defined the frontier of what states are apparently willing to do in cyberspace, and established that the international community had no effective response mechanism for stopping them or holding them accountable afterward.
Key Takeaways
- NotPetya was a wiper, not ransomware. The ransom demand was a deliberate misdirection to make a military cyberweapon look like criminal activity. No decryption path existed. Organizations that paid would not have recovered their systems. The distinction between ransomware (extortion with a recovery path) and a wiper (pure destruction) is operationally critical in incident response.
- The M.E.Doc supply chain attack was the enabling vector. Sandworm's patience — installing the backdoor six weeks before detonation — allowed them to pre-position inside the networks of approximately 400,000 Ukrainian businesses before the attack began. Software update mechanisms are trusted channels that bypass most perimeter security. Supply chain integrity verification is a specific security requirement, not a general hygiene item.
- The dual propagation mechanism made containment nearly impossible. Combining credential-based spread (Mimikatz → PsExec/WMI) with exploit-based spread (EternalBlue/EternalRomance) meant that patching MS17-010 alone, or restricting domain admin credentials alone, was insufficient. Both defenses were needed simultaneously. NotPetya spread from a single infected endpoint to entire domain environments before most organizations could isolate the first machine.
- MBR/MFT destruction produced unrecoverable systems. The attack destroyed the filesystem's index and the operating system's boot mechanism simultaneously. Organizations whose backups were domain-connected lost both production systems and backups in the same infection wave. Offline, isolated backup infrastructure is the only reliable recovery posture for wiper-class malware.
- $10 billion in damage was caused by collateral spread from a targeted national operation. Companies like Maersk, Merck, and FedEx were not Russia's intended targets. They were hit because they had network connections to Ukrainian infrastructure. The attack demonstrated that global corporate networks are structurally exposed to blast radius from conflicts in which they have no involvement.
- The insurance and legal frameworks were not ready for what NotPetya was. The Merck and Mondelez insurance disputes took years to resolve and produced no binding precedent. The GRU officers indicted in 2020 face no realistic prospect of prosecution. NotPetya defined a category of state-sponsored destruction for which the existing legal and insurance architecture had no adequate response — and the gaps that attack exposed remain largely unaddressed.