Anatomy of a Breach: NotPetya — The $10 Billion Attack That Masqueraded as Ransomware

> series: anatomy_of_a_breach —— part: 102 —— weapon: notpetya —— damage: $10,000,000,000+ —— disguise: ransomware —— reality: cyber_weapon

Hedgehog Security 30 June 2017 16 min read

$10 billion in damage. Disguised as ransomware. Designed for destruction.

On 27 June 2017, a malware outbreak began in Ukraine and spread globally within hours. Initially mistaken for a variant of the Petya ransomware — hence 'NotPetya' — the malware encrypted the master boot records of infected computers and demanded a $300 Bitcoin ransom. But analysis quickly revealed that NotPetya was not ransomware at all: its encryption was irreversible by design. The payment mechanism was non-functional. The key generation was broken intentionally. NotPetya was a destructive cyber weapon — attributed to Russia's GRU military intelligence — masquerading as ransomware to create confusion.

NotPetya's initial infection vector was a poisoned software update from M.E.Doc — a Ukrainian accounting and tax-filing application used by approximately 80% of Ukrainian businesses. The compromised update installed NotPetya on every M.E.Doc customer's systems simultaneously. From there, NotPetya used EternalBlue and Mimikatz (a credential-harvesting tool) to spread laterally through corporate networks at devastating speed. Any multinational company with operations in Ukraine — or network connectivity to Ukrainian partners — was exposed. The result was the most expensive cyber attack in history: over $10 billion in total global damage.
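The lateral spread described above (harvested credentials reused over network logons against many hosts in minutes) is the stage defenders can still see in authentication logs even when the initial update was trusted. As an added example, not code from Hedgehog Security or from any NotPetya analysis, the script below runs a simple fan-out detection over a constructed set of Windows-style logon records: one source address and account opening network logons (logon type 3) to an unusual number of distinct hosts inside a short window. The host names, addresses, account names and threshold are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (hypothetical hosts and addresses, not taken from
# any incident). Each tuple mimics the fields of a Windows 4624 logon event:
# timestamp, logon type (3 = network logon, i.e. SMB/RPC/WMI-style access),
# account, source address, target host.
SAMPLE_EVENTS = [
    # Benign: an admin touching two servers over an hour.
    ("2017-06-27T09:05:00", 3, "CORP\\jsmith", "10.0.1.10", "FS01"),
    ("2017-06-27T10:02:00", 3, "CORP\\jsmith", "10.0.1.10", "DC01"),
    # Benign: interactive logons are not network fan-out.
    ("2017-06-27T10:10:00", 2, "CORP\\jsmith", "10.0.1.10", "WS-010"),
    # Suspicious: one source reusing a service account against six hosts in 90 s.
    ("2017-06-27T10:30:01", 3, "CORP\\svc_backup", "10.0.5.21", "FS01"),
    ("2017-06-27T10:30:04", 3, "CORP\\svc_backup", "10.0.5.21", "FS02"),
    ("2017-06-27T10:30:09", 3, "CORP\\svc_backup", "10.0.5.21", "WS-101"),
    ("2017-06-27T10:30:15", 3, "CORP\\svc_backup", "10.0.5.21", "WS-102"),
    ("2017-06-27T10:30:40", 3, "CORP\\svc_backup", "10.0.5.21", "WS-103"),
    ("2017-06-27T10:31:30", 3, "CORP\\svc_backup", "10.0.5.21", "DC01"),
    # Below threshold: a workstation reaching three hosts.
    ("2017-06-27T11:00:00", 3, "CORP\\alee", "10.0.2.33", "FS01"),
    ("2017-06-27T11:00:30", 3, "CORP\\alee", "10.0.2.33", "FS02"),
    ("2017-06-27T11:01:00", 3, "CORP\\alee", "10.0.2.33", "PRINT01"),
]


def detect_fan_out(events, window=timedelta(minutes=5), threshold=5):
    """Return one alert per (source, account) pair that opens network logons
    to at least `threshold` distinct hosts within any `window`-long span.

    The threshold and window are tuning assumptions; a real deployment would
    baseline them per environment and exclude known scanners and backup hosts.
    """
    by_key = defaultdict(list)
    for ts, logon_type, account, src, dst in events:
        if logon_type != 3:  # only network logons matter for lateral movement
            continue
        by_key[(src, account)].append((datetime.fromisoformat(ts), dst))

    alerts = []
    for (src, account), rows in by_key.items():
        rows.sort()
        # Slide a window starting at each event and count distinct targets.
        for i, (start, _) in enumerate(rows):
            hosts = set()
            for ts, dst in rows[i:]:
                if ts - start > window:
                    break
                hosts.add(dst)
            if len(hosts) >= threshold:
                alerts.append({
                    "source": src,
                    "account": account,
                    "hosts": sorted(hosts),
                    "first_seen": start.isoformat(),
                })
                break  # one alert per key is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out(SAMPLE_EVENTS):
        print(f"ALERT {alert['account']} from {alert['source']} reached "
              f"{len(alert['hosts'])} hosts from {alert['first_seen']}: "
              f"{', '.join(alert['hosts'])}")
```

The point of the check is speed: a worm reusing harvested credentials reaches far more hosts per minute than any human operator, so a short window with a modest host count separates the two without deep packet inspection. Network segmentation shows up here as well, since a workstation subnet that cannot reach server SMB ports never produces the fan-out in the first place.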


Global corporations brought to their knees in hours.

| Organisation | Impact | Cost |
| --- | --- | --- |
| Maersk (shipping) | 49,000 laptops destroyed, 4,000 servers wiped, 2,500 applications. Entire IT infrastructure rebuilt from scratch in 10 days. | $300 million |
| Merck (pharmaceutical) | Manufacturing halted. Vaccine production disrupted. Borrowed $240M of Gardasil vaccine from CDC reserves. | $870 million |
| FedEx/TNT Express | European operations paralysed. TNT's systems never fully recovered — some data permanently lost. | $400 million |
| Reckitt Benckiser (UK) | Manufacturing and distribution disrupted across Dettol, Nurofen, and Durex brands. | $129 million |
| Mondelēz (food) | 1,700 servers and 24,000 laptops destroyed. | $188 million |
| Saint-Gobain (construction) | IT systems across 67 countries affected. | $384 million |

One software update. Every company doing business in Ukraine.

NotPetya's initial infection vector — a poisoned M.E.Doc update — was the most consequential supply chain attack in history. M.E.Doc was effectively mandatory for doing business in Ukraine (it was used for mandatory tax filings), meaning every multinational with Ukrainian operations was exposed. Maersk had a single office in Odessa. Through that office's M.E.Doc connection, NotPetya reached Maersk's entire global network — destroying 49,000 laptops and 4,000 servers across 130 countries.

Software Supply Chain Weaponised

NotPetya weaponised the software update mechanism — the same trusted channel that delivers security patches. This is the ultimate supply chain attack: the mechanism designed to keep you secure becomes the mechanism that destroys you. The <a href="/blog/anatomy-of-a-breach-rsa-securid">RSA</a> and <a href="/blog/anatomy-of-a-breach-target">Target</a> supply chain attacks were targeted; NotPetya was indiscriminate. Our <a href="/blog/sector-under-the-microscope-defence-supply-chain">supply chain analysis</a> examines this evolving threat.

Destruction, Not Ransomware

NotPetya's ransomware disguise was deliberate misdirection. The encryption was irreversible, the payment mechanism non-functional, and the key generation broken by design. This parallels <a href="/blog/anatomy-of-a-breach-saudi-aramco-shamoon">Shamoon</a> (2012) but at dramatically larger scale. The lesson: when the goal is destruction, the only defence is resilience — tested backups, segmented networks, and incident response capability.

Collateral Damage at Global Scale

NotPetya was aimed at Ukraine but devastated multinationals worldwide. This 'collateral damage at scale' demonstrated that in a connected world, a cyber weapon targeting one country can cause billions in damage globally. UK companies including Reckitt Benckiser suffered significant losses.

Maersk's 10-Day Rebuild

Maersk rebuilt its entire IT infrastructure — 49,000 laptops, 4,000 servers, 2,500 applications — in 10 days. The company recovered because a single domain controller in Ghana had been offline during the attack (due to a power outage), preserving the Active Directory data needed for rebuilding. Without that lucky break, recovery would have taken months. <a href="/penetration-testing/infrastructure">Our infrastructure testing</a> validates backup integrity and recovery procedures.

When destruction is the goal, only resilience survives.

NotPetya proved that prevention alone is insufficient against destructive nation-state attacks delivered through trusted supply chains. The defence requires resilience: immutable offline backups (tested regularly), network segmentation (limiting blast radius), incident response plans (tested and rehearsed), and the recognition that any software vendor, any business partner, any country you operate in could be the vector for the next supply chain attack.
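"Tested regularly" is the part of the backup advice that organisations most often skip, and the Maersk story shows why it matters: the rebuild depended on one copy of the directory data surviving intact. As an added example, not code from Hedgehog Security, the script below shows the minimal integrity test a practitioner would run against an offline backup copy: record a SHA-256 manifest when the backup is taken, keep that manifest separately from the backup, and later compare the copy against it to surface files that are missing, altered or unexpected. The directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backup images do not load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under `root` (POSIX relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup copy against a previously stored manifest.

    Returns the three classes of discrepancy a restore test cares about:
    files the manifest lists but the copy lacks, files whose content changed,
    and files present in the copy that the manifest never recorded.
    """
    current = build_manifest(root)
    shared = manifest.keys() & current.keys()
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in shared if manifest[k] != current[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def is_intact(report: dict) -> bool:
    """A backup passes only when every discrepancy list is empty."""
    return not any(report.values())


def demo() -> dict:
    """Build a constructed backup tree, store its manifest, damage the copy,
    and return the verification report (hypothetical files and contents)."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "ad").mkdir(parents=True)
        (backup / "ad" / "ntds.dit").write_bytes(b"constructed sample directory database")
        (backup / "config.ini").write_text("constructed sample config\n")

        # Manifest taken at backup time. In practice this JSON lives on separate,
        # write-once media so that whatever damages the backup cannot fix it up.
        stored_manifest = json.dumps(build_manifest(backup))

        # Simulate a copy that was silently damaged before anyone tried to restore it.
        (backup / "config.ini").write_text("tampered\n")
        (backup / "ad" / "ntds.dit").unlink()
        (backup / "stray.tmp").write_text("x")

        return verify_backup(backup, json.loads(stored_manifest))


if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=2))
    print("backup intact" if is_intact(report) else "backup FAILED verification")
```

A manifest check proves the bytes are what they were, not that they restore into a working system; the complete test is a scheduled restore into an isolated environment, which this check makes cheap to gate on. Keeping the manifest apart from the backup is what makes the check meaningful against a wiper that reaches the backup share: a manifest stored beside the data would be destroyed or rewritten along with it.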

Our infrastructure penetration testing validates segmentation, backup integrity, and recovery procedures. Red team engagements simulate destructive attack scenarios. Cyber Essentials mandates patching and baseline controls. SOC in a Box detects lateral movement and wiper deployment. And UK Cyber Defence provides the crisis management and incident response capability that organisations need when everything is destroyed and the question is: can we rebuild?


NotPetya destroyed $10 billion in corporate infrastructure in a single day. Could your organisation rebuild?

<a href="/penetration-testing/infrastructure">Infrastructure testing</a> validates your recovery capability. <a href="/penetration-testing/red-team">Red team testing</a> simulates destructive scenarios. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects wiper deployment. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> manages the crisis.
