2017 Ukraine ransomware attacks

A series of powerful cyberattacks using the Petya malware began on 27 June 2017 and swamped the websites of Ukrainian organizations, including banks, ministries, newspapers, and electricity firms. Similar infections were reported in France, Germany, Italy, Poland, Russia, the United Kingdom, the United States, and Australia. ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit at about 9%. On 28 June 2017, the Ukrainian government stated that the attack had been halted. On 30 June 2017, the Associated Press reported that experts agreed Petya was masquerading as ransomware while actually being designed to cause maximum damage, with Ukraine as the main target.

Security experts believe that the NotPetya attack originated from an update of M.E.Doc, a Ukrainian tax accounting package developed by Intellect Service. M.E.Doc was widely used by tax accountants and businesses in Ukraine, and Mikko Hyppönen, a security expert at F-Secure, described it as a primary accounting software for many Ukrainian firms. Estimates suggest that M.E.Doc had about 400,000 customers across Ukraine, covering approximately 90% of domestic firms.

M.E.Doc provides periodic updates to its program through an update server. On 27 June 2017, a software update was distributed via M.E.Doc's update server, after which reports of the NotPetya ransomware attack began to appear. British cybersecurity researcher Marcus Hutchins stated, "It looks like the software's automatic update system was compromised and used to download and run malware rather than updates for the software." The company that develops M.E.Doc denied any intentional involvement in the ransomware attack, stating that its own systems were also affected and that it was cooperating with law enforcement to investigate the incident. A similar incident occurred on 18 May 2017, when the XData ransomware spread through an M.E.Doc update. Hundreds of accounting departments were affected in Ukraine.
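The lesson of the compromised update channel is that an update client should verify who signed a downloaded update before executing it, not merely where it was downloaded from. The following PowerShell function is an added example, not code from M.E.Doc or Intellect Service; it accepts an update only if its Authenticode signature is valid and was produced by a vendor certificate whose thumbprint the client has pinned (the thumbprint value is a placeholder to be replaced with the real vendor certificate's thumbprint).

```powershell
# Added example: gate installation of a downloaded update on a valid
# Authenticode signature from the pinned vendor certificate. A compromised
# update server can swap the file, but cannot produce a signature that
# chains to the vendor's pinned signer.
function Test-PinnedUpdateSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Placeholder: replace with the thumbprint of the vendor's real code-signing certificate
        [Parameter(Mandatory)][string]$PinnedThumbprint
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = 'file missing' }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $reason = switch ($sig.Status) {
        'Valid'        { $null }
        'NotSigned'    { 'update is unsigned' }
        'HashMismatch' { 'file content does not match its signature (modified after signing)' }
        default        { "signature status $($sig.Status)" }
    }
    if (-not $reason) {
        # A valid signature from some other certificate is still not the vendor's.
        $actual = $sig.SignerCertificate.Thumbprint
        if ($actual -ne $PinnedThumbprint.ToUpperInvariant()) {
            $reason = "signed by unexpected certificate $actual"
        }
    }
    [pscustomobject]@{
        Path    = $Path
        Trusted = [bool](-not $reason)
        Reason  = if ($reason) { $reason } else { 'valid signature from pinned vendor certificate' }
    }
}

# Usage: install only when the check passes, and record the outcome either way.
$result = Test-PinnedUpdateSignature -Path 'C:\Updates\update.exe' `
                                     -PinnedThumbprint '<PINNED-THUMBPRINT-PLACEHOLDER>'
if ($result.Trusted) {
    Start-Process -FilePath $result.Path -Wait
} else {
    Write-Warning "Refusing update: $($result.Reason)"
}
```

Pinning the signer rather than only checking `Status -eq 'Valid'` matters because any certificate trusted by the machine would otherwise pass.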

The cyberattack involved malware that resembled Petya ransomware but was later found to function as a wiper rather than traditional ransomware. Like the WannaCry ransomware attack in May 2017, NotPetya used the EternalBlue exploit, which targeted a vulnerability in older versions of the Microsoft Windows operating system. When executed, NotPetya encrypted the master boot record (MBR), preventing the operating system from loading. It then displayed a message demanding USD 300 in Bitcoin, but researchers found that data recovery was not possible. The software also spread within networks by exploiting the Server Message Block (SMB) protocol in Windows. Additionally, NotPetya incorporated Mimikatz, a proof-of-concept tool created in 2011 to demonstrate how Windows stored passwords in memory. Attackers used it to extract credentials, escalate privileges, and move laterally across networked systems.

The EternalBlue exploit had been identified before the WannaCry attack, and Microsoft issued patches in March 2017 to address the vulnerability in Windows Vista, Windows 7, Windows 8.1, Windows Server 2008, Windows Server 2012, and Windows Server 2016. Windows 10 was not affected. However, WannaCry spread through systems that ran older, unsupported Windows versions or had not applied the available security patches. In response to the attack, Microsoft issued new patches for Windows XP, Windows Server 2003 and Windows 8 a day after the WannaCry attack. Security expert Lesley Carhart stated, "Every method of exploitation that the attack used to spread was preventable by well-documented means."
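Carhart's point that the spread was preventable by well-documented means comes down to two host conditions: SMBv1 reachable and the March 2017 patch absent. The PowerShell function below is an added example, not from the article, that reports both conditions on a Windows 8/Server 2012 or later host and can optionally disable SMBv1; the KB identifier varies by Windows version and is left as a placeholder to be taken from Microsoft's MS17-010 bulletin for the host's OS.

```powershell
# Added example: audit a host for the conditions NotPetya's SMB spreading
# relied on (SMBv1 enabled, MS17-010 patch missing) and optionally remediate.
# Note: this does not address credential-based lateral movement (the Mimikatz
# path), which patching SMB alone does not stop.
function Get-SmbExposureReport {
    param(
        [string]$Ms17010Kb = 'KB<MS17-010-ID-FOR-THIS-OS>',   # placeholder, per OS version
        [switch]$Remediate
    )
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Server-side SMBv1 is what EternalBlue targets
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Hotfix lookup is imperfect where the fix arrived in a cumulative update
    $patched = [bool](Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue)

    if ($Remediate -and $smb1Enabled) {
        # Turning SMBv1 off removes the exploited protocol; SMBv2/3 clients are unaffected.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        OSVersion    = $os.Version
        SMB1Enabled  = $smb1Enabled
        MS17010Patch = $Ms17010Kb
        Patched      = $patched
        # Exposed only when the protocol is reachable and the fix is missing
        Exposed      = ($smb1Enabled -and -not $patched)
    }
}

Get-SmbExposureReport              # report only
# Get-SmbExposureReport -Remediate # also disable SMBv1 (run elevated)
```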

Security experts determined that the variant of Petya used in the 2017 Ukraine cyberattacks had been modified and subsequently named it NotPetya or Nyetya to distinguish it from the original ransomware. NotPetya encrypted entire files, not just the Master File Table (MFT), and in some cases functioned as a wiper, permanently destroying or irreversibly altering data with no known method of recovery. Some security experts observed that the software could intercept passwords and perform administrator-level actions that could further ruin computer files. They also noted that the software could identify specific computer systems and skip infecting them, suggesting the attack was more surgical in its goal. Unlike WannaCry, NotPetya was never found to contain a "kill switch" that could have immediately stopped its spread. According to Nicholas Weaver of the University of California, the hackers had previously compromised M.E.Doc, "made it into a remote-control Trojan, and then they were willing to burn this asset to launch this attack."

During the attack, the radiation monitoring system at Ukraine's Chernobyl Nuclear Power Plant went offline. Several Ukrainian ministries, banks, metro systems and state-owned enterprises (Boryspil International Airport, Ukrtelecom, Ukrposhta, State Savings Bank of Ukraine, Ukrainian Railways) were affected. On infected computers, important files were overwritten and thus permanently damaged, despite the malware's displayed message telling the user that all files could be recovered "safely and easily" by meeting the attackers' demands and making the requested payment in Bitcoin.

The attack was regarded as more likely aimed at crippling the Ukrainian state than at financial gain. It came on the eve of the Ukrainian public holiday, Constitution Day (celebrating the anniversary of the approval by the Verkhovna Rada, Ukraine's parliament, of the Constitution of Ukraine on 28 June 1996). Most government offices would be empty, allowing the cyberattack to spread without interference. In addition, some security experts observed the ransomware wiping the affected hard drives rather than encrypting them, a further disaster for the companies affected.
