from Wikipedia

2017 Ukraine ransomware attacks
Part of the Russo-Ukrainian war
[Image: Petya's ransom note displayed on a compromised system]
Date: 27–28 June 2017
Location: Ukraine[1]
Type: Cyberattack
Cause: Malware, ransomware, wiper, cyberterrorism
Outcome: Affected several Ukrainian ministries, banks, metro systems and state-owned enterprises
Suspects: Russia (according to statements of Ukrainian authorities, Michael N. Schmitt and the CIA)[5][6][7][8][9]

A series of powerful cyberattacks using the Petya malware began on 27 June 2017 that swamped websites of Ukrainian organizations, including banks, ministries, newspapers and electricity firms.[10] Similar infections were reported in France, Germany, Italy, Poland, Russia, United Kingdom, the United States and Australia.[3][11][12] ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit with about 9%.[2] On 28 June 2017, the Ukrainian government stated that the attack was halted.[13] On 30 June 2017, the Associated Press reported experts agreed that Petya was masquerading as ransomware, while it was actually designed to cause maximum damage, with Ukraine being the main target.[14]

Approach

Security experts believe that the NotPetya attack originated from an update of M.E.Doc, a Ukrainian tax accounting package developed by Intellect Service.[2] M.E.Doc was widely used by tax accountants and businesses in Ukraine,[15] and Mikko Hyppönen, a security expert at F-Secure, described it as a primary accounting software for many Ukrainian firms.[2] Estimates suggest that M.E.Doc had about 400,000 customers across Ukraine, covering approximately 90% of domestic firms.[8]

M.E.Doc provides periodic updates to its program through an update server. On 27 June 2017, a software update was distributed via M.E.Doc's update server, after which reports of the NotPetya ransomware attack began to appear. British cybersecurity researcher Marcus Hutchins stated, "It looks like the software's automatic update system was compromised and used to download and run malware rather than updates for the software."[2] The company that develops M.E.Doc denied any intentional involvement in the ransomware attack, stating that its own systems were also affected, and that it was cooperating with law enforcement to investigate the incident.[15][16] A similar incident occurred on 18 May 2017, when the XData ransomware spread through a compromised update of M.E.Doc. Hundreds of accounting departments were affected in Ukraine.[17]

The cyberattack involved malware that resembled Petya ransomware but was later found to function as a wiper rather than traditional ransomware. Like the WannaCry ransomware attack in May 2017, NotPetya used the EternalBlue exploit, which targeted a vulnerability in older versions of the Microsoft Windows operating system. When executed, NotPetya encrypted the master boot record (MBR), preventing the operating system from loading. It then displayed a message demanding USD 300 in Bitcoin, but researchers found that data recovery was not possible. The software also spread within networks by exploiting the Server Message Block (SMB) protocol in Windows. Additionally, NotPetya incorporated Mimikatz, a proof-of-concept tool created in 2011 to demonstrate how Windows stored passwords in memory. Attackers used it to extract credentials, escalate privileges, and move laterally across networked systems.[18]

The EternalBlue exploit had been identified before the WannaCry attack, and Microsoft issued patches in March 2017 to address the vulnerability in Windows Vista, Windows 7, Windows 8.1, Windows Server 2008, Windows Server 2012, and Windows Server 2016. Windows 10 was not affected.[19] However, WannaCry spread through systems that ran older, unsupported Windows versions or had not applied the available security patches. In response to the attack, Microsoft issued new patches for Windows XP, Windows Server 2003 and Windows 8 a day after the WannaCry attack.[19] Security expert Lesley Carhart stated, "Every method of exploitation that the attack used to spread was preventable by well-documented means."[20]

Security experts determined that the variant of Petya used in the 2017 Ukraine cyberattacks had been modified and was subsequently named NotPetya or Nyetna to distinguish it from the original ransomware. NotPetya encrypted entire files, not just the Master File Table (MFT), and in some cases functioned as a wiper, permanently destroying or irreversibly altering data, with no known method of recovery.[21][22][23] Some security experts observed that the software could intercept passwords and perform administrator-level actions that could further ruin computer files. They also noted that the software could identify specific computer systems and bypass infection of those systems, suggesting the attack was more surgical in its goal.[20] Unlike the WannaCry software, a "kill switch" was never found in NotPetya, which could have been used to immediately stop its spread.[24] According to Nicholas Weaver of the University of California, the hackers had previously compromised M.E.Doc and "made it into a remote-control Trojan, and then they were willing to burn this asset to launch this attack."[8]

Attack

During the attack the radiation monitoring system at Ukraine's Chernobyl Nuclear Power Plant went offline.[25] Several Ukrainian ministries, banks, metro systems and state-owned enterprises (Boryspil International Airport, Ukrtelecom, Ukrposhta, State Savings Bank of Ukraine, Ukrainian Railways) were affected.[26] In the infected computers, important computer files were overwritten and thus permanently damaged, despite the malware's displayed message to the user indicating that all files could be recovered "safely and easily" by meeting the attackers' demands and making the requested payment in Bitcoin currency.[27]

The attack has been seen to be more likely aimed at crippling the Ukrainian state rather than for monetary reasons.[15] The attack came on the eve of the Ukrainian public holiday, Constitution Day (celebrating the anniversary of the approval by the Verkhovna Rada (Ukraine's parliament) of the Constitution of Ukraine on 28 June 1996).[28][29][30] Most government offices would be empty, allowing the cyberattack to spread without interference.[15] In addition, some security experts saw the ransomware engage in wiping the affected hard drives rather than encrypting them, which would be a further disaster for companies affected by this.[15]

A short time before the cyberattack began, it was reported that a senior intelligence officer and head of a special forces detachment unit of the Ukrainian Chief Directorate of Intelligence, colonel Maksym Shapoval, was assassinated in Kyiv by a car bomb.[31] Former government adviser in Georgia and Moldova Molly K. McKew believed this assassination was related to the cyberattack.[32]

On 28 June 2017 the Ukrainian government stated that the attack was halted, "The situation is under complete control of the cyber security specialists, they are now working to restore the lost data."[13]

Following the initial 27 June attack, security experts found that the code that had infected the M.E.Doc update had a backdoor that could potentially be used to launch another cyberattack. On seeing signs of another cyberattack, the Ukrainian police raided the offices of M.E.Doc on 4 July 2017 and seized their servers. M.E.Doc's CEO stated that they were not aware a backdoor had been installed on their servers, again denied involvement in the attack, and said they were working to help authorities identify the source.[33][34] Security company ESET found that the backdoor had been installed on M.E.Doc's updater service as early as 15 May 2017, while experts from Cisco Systems' Talos group found evidence of the backdoor as early as April 2017; either situation points to the cyberattack as a "thoroughly well-planned and well-executed operation".[35] Ukrainian officials have stated that Intellect Service will "face criminal responsibility", as anti-virus firms had warned the company about lax security on its servers before these events but it did not take steps to prevent the attack.[36] Talos warned that due to the large size of the M.E.Doc update that contained the NotPetya malware (1.5 gigabytes), there may have been other backdoors that they had yet to find, and another attack could be possible.[35]

Attribution

On 30 June, the Security Service of Ukraine (SBU) reported that it had seized equipment allegedly used to launch the cyberattack, stating that it belonged to Russian agents responsible for the attack.[37] On 1 July 2017, the SBU stated that available data indicated the perpetrators of the December 2016 attacks on Ukraine's financial system, transport and energy infrastructure, which used TeleBots and BlackEnergy,[38] were the same groups responsible for the 27 June 2017 attack. "This testifies to the involvement of the special services of Russian Federation in this attack," it concluded.[7][39] A December 2016 cyberattack on a Ukrainian state energy system caused a power outage in northern Kyiv.[7] Russia–Ukraine relations have remained strained since Russia's 2014 annexation of Crimea and the subsequent conflict in eastern Ukraine, which had resulted in more than 10,000 deaths by late June 2017.[7] Russia has denied sending troops or military equipment to eastern Ukraine.[7] Ukraine has described cyberattacks on its state institutions as part of "hybrid war" waged by Russia.[7]

On 30 June 2017, cybersecurity firm ESET attributed the attack to the TeleBots group, which it stated had links to BlackEnergy. "Prior to the outbreak, the Telebots group targeted mainly the financial sector. The latest outbreak was directed against businesses in Ukraine, but they apparently underestimated the malware's spreading capabilities. That's why the malware went out of control."[7] ESET had previously reported that BlackEnergy had been targeting Ukraine's cyber infrastructure since 2014.[40] In December 2016, ESET concluded that TeleBots had evolved from the BlackEnergy group and had used cyberattacks to sabotage Ukraine's financial sector during the second half of 2016.[41]

Around the time of the 4 July raid on M.E.Doc, the $10,000 in bitcoin already collected in the listed wallets for NotPetya had been withdrawn, and experts speculated it was used to buy space on the anonymous Tor network. One message posted there, allegedly from the NotPetya authors, demanded 100,000 bitcoin (about $2.6 million) to halt the attack and decrypt all affected files.[33] On 5 July 2017, a second message, also allegedly from the NotPetya authors, was posted on a Tor website, demanding that those seeking to decrypt their files send 100 bitcoin (approximately $250,000). The message was signed with the same private key used by the original Petya ransomware, suggesting that the same group was responsible for both.[42]

According to reports cited in January 2018, the United States Central Intelligence Agency claimed that Russia was responsible for the cyberattack, alleging that Russia's Main Intelligence Directorate (GRU) had designed NotPetya.[43] Similarly, in February 2018, the United Kingdom Ministry of Defence accused Russia of launching the cyberattack, stating that by targeting systems in Ukraine, the attack had spread and affected major systems in the United Kingdom and elsewhere. Russia denied involvement, noting that Russian systems were also impacted by the attack.[44]

Wired technology writer Andy Greenberg, in reviewing the history of the cyberattacks, stated that the attacks were attributed to a Russian military hacker group called "Sandworm". Greenberg claimed that Sandworm was responsible for the 2016 blackouts in Kyiv, among other incidents. The group had reportedly been targeting Ukraine's financial sector, and sometime in early 2017, allegedly gained access to M.E.Doc's update servers, which were then used to distribute the malware that facilitated the cyberattack in June 2017.[18]

Affected companies

Companies affected include Antonov, Kyivstar, Vodafone Ukraine, lifecell, TV channels STB, ICTV and ATR, Kyiv Metro, UkrGasVydobuvannya (UGV), gas stations WOG, DTEK, EpiCentre K, Kyiv International Airport (Zhuliany), Prominvestbank, Ukrsotsbank, KredoBank, Oshchadbank and others,[13] with over 1,500 legal entities and individuals having contacted the National Police of Ukraine to indicate that they had been victimized by the 27 June 2017 cyberattack.[45] Oshchadbank was again fully functional on 3 July 2017.[46] Computers at Ukraine's electricity company also went offline due to the attack, but the company continued to operate fully without them.[8]

While more than 80% of affected companies were from Ukraine, the ransomware also spread to several companies in other countries, because those businesses had offices in Ukraine and networks spanning the globe. Non-Ukrainian companies reporting incidents related to the attack include food processor Mondelez International,[47] the APM Terminals subsidiary of international shipping company A.P. Moller-Maersk, the FedEx shipping subsidiary TNT Express (in August 2017 its deliveries were still disrupted due to the attack),[48] Chinese shipping company COFCO Group, French construction materials company Saint Gobain,[49] advertising agency WPP plc,[50] Heritage Valley Health System of Pittsburgh,[51] law firm DLA Piper,[52] pharmaceutical company Merck & Co.,[53] consumer goods maker Reckitt Benckiser, and software provider Nuance Communications.[54] A Ukrainian police officer believes that the ransomware attack was designed to go global so as to distract from the directed cyberattack on Ukraine.[55]

The cost of the cyberattack had yet to be determined, as, after a week of its initial attack, companies were still working to mitigate the damage. Reckitt Benckiser lowered its sales estimates by 2% (about $130 million) for the second quarter primarily due to the attack that affected its global supply chain.[54][56] Tom Bossert, the Homeland Security adviser to the President of the United States, stated that the total damage was over US$10 billion.[18] Among estimated damages to specific companies included over US$870 million to Merck, US$400 million to FedEx, US$384 million to Saint-Gobain, and US$300 million to Maersk.[18]

Reaction

Secretary of the National Security and Defence Council of Ukraine Oleksandr Turchynov claimed there were signs of Russian involvement in the 27 June cyberattack, although he did not give any direct evidence.[57] Russian officials have denied any involvement, calling Ukraine's claims "unfounded blanket accusations".[37] NATO Secretary-General Jens Stoltenberg vowed on 28 June 2017 that NATO would continue its support for Ukraine to strengthen its cyber defence.[58] The White House Press Secretary released a statement on 15 February 2018 attributing the attack to the Russian military, calling it "the most destructive and costly cyberattack in history."[59]

Oleksandr Kardakov, an IT businessman and chairman of the supervisory board of the Oktava Capital company, proposed creating a civil cyber defence in Ukraine.[60]

from Grokipedia
The 2017 Ukraine ransomware attacks, known as NotPetya, constituted a wiper malware campaign initiated on June 27, 2017, that masqueraded as ransomware while primarily functioning to destroy data on infected systems, beginning with Ukrainian targets before spreading globally via network propagation and supply chain vulnerabilities. The malware exploited the EternalBlue vulnerability in unpatched Windows systems, combined with credential theft and lateral movement techniques, originating from a compromised software update for Ukraine's M.E.Doc tax preparation tool, which facilitated initial infections among thousands of Ukrainian organizations including government agencies, banks, and the state power company. Although it displayed a ransom demand in Ukrainian and provided a Bitcoin address for payment, analysis revealed no viable decryption mechanism, rendering recovery impossible and classifying it as destructive rather than profitable, with only minimal ransoms collected before the address was disabled. The attack inflicted over $10 billion in damages worldwide, disrupting operations at multinational firms such as shipping giant Maersk, pharmaceutical company Merck, and logistics provider FedEx's TNT unit, while highlighting vulnerabilities in global supply chains and prompting reevaluations in policies due to exclusions for state-sponsored acts. Attribution by U.S., U.K., and Australian authorities pointed to Russia's military intelligence agency and its Sandworm unit, linking code similarities and tactics to prior Ukrainian-targeted operations amid the ongoing Russo-Ukrainian conflict, underscoring the campaign's role in rather than mere criminal extortion.

Background and Context

Geopolitical Tensions

The 2017 NotPetya attacks unfolded against the backdrop of intensified Russia-Ukraine hostilities initiated by Russia's annexation of Crimea in March 2014 and the outbreak of separatist conflict in the region in April 2014, which together catalyzed a sustained campaign incorporating cyber disruptions alongside kinetic operations and . These developments followed Ukraine's Revolution in late 2013–early 2014, prompting Russian intervention to counter perceived Western encroachment in its , with cyber elements emerging as a deniable tool to undermine Ukrainian stability without escalating to full conventional war. Russia's hybrid strategy exploited Ukraine's structural weaknesses, including aging Soviet-era and dependence on legacy software systems like the widely used M.E.Doc reporting application, which suffered from inadequate patching and update mechanisms amid economic pressures from the conflict. Western sanctions imposed on Russia after 2014, targeting its and financial sectors, further strained bilateral ties but did little to bolster Ukraine's cyber defenses, leaving critical sectors such as , , and exposed to targeted disruptions that mirrored patterns in earlier Russian-linked operations. Western intelligence assessments attributed NotPetya to Russia's Main Intelligence Directorate (GRU), specifically the Sandworm unit, citing code overlaps with prior Ukrainian-targeted and operational timing aligned with escalating hostilities, though Russia rejected these claims as unsubstantiated and consistent with its policy of conducting influence and disruption via cutouts to preserve . This attribution framework positioned the incident within a sequence of proxy-enabled aggressions, distinguishing state-sponsored from opportunistic by its disproportionate focus on Ukrainian entities and lack of viable financial pathways.

Preceding Cyber Operations

In December 2015, Russian-linked actors conducted a on Ukraine's power grid using , compromising three regional electricity distribution companies and causing power outages for approximately 230,000 customers in for several hours. The operation involved spear-phishing emails with malicious attachments that deployed the BlackEnergy malware, allowing remote access to industrial control systems, manual overrides of circuit breakers, and subsequent deployment of the KillDisk wiper to erase logs and hinder recovery. Cybersecurity analyses by firms such as Dragos and the U.S. Department of attributed the attack to the Sandworm group, associated with Russian military intelligence through shared infrastructure and tactics observed in prior operations. A subsequent attack on December 17, 2016, targeted a transmission-level substation in Kiev using (also known as CrashOverride), the first specifically designed to disrupt operations by exploiting multiple industrial protocols like IEC 101, IEC 104, and OPC DA. This caused a one-hour blackout affecting parts of the capital, with attackers gaining remote access via VPN credentials and deploying modular payloads to manipulate substation controls before wiping systems. and Dragos researchers linked it to the same /Sandworm actors based on code similarities, reconnaissance patterns, and command-and-control servers overlapping with the 2015 incident, indicating a progression in sophistication from remote manual intervention to automated protocol manipulation. These operations reflect a pattern of escalating cyber intrusions into Ukrainian critical infrastructure amid the Russo-Ukrainian conflict, with empirical evidence from tool reuse—such as BlackEnergy variants and shared C2 domains—suggesting continuity by state-affiliated groups, as documented in reports from the Center for Strategic and International Studies.
However, some analyses caution that while tactics align with Russian military doctrine, direct Kremlin orchestration remains unproven beyond circumstantial indicators, potentially involving semi-autonomous proxies exploiting geopolitical tensions rather than centralized command. This reuse of capabilities across incidents, without confirmed independent actors, underscores a causal trajectory of targeted disruption predating the 2017 NotPetya wiper deployment.

Malware Analysis

Core Functionality

NotPetya malware operated as a destructive wiper masquerading as ransomware, prioritizing obliteration over financial . Upon activation, it scanned for files with over 180 targeted extensions across all local drives and encrypted them using the AES-128 , deriving a random encryption key through the Windows CryptGenKey API; this key was then encrypted with RSA-2048 public key material embedded in the and immediately destroyed, ensuring no viable decryption path. It subsequently encrypted the Master File Table (MFT)—a critical structure indexing all files—via the Salsa20 , generating a random 32-byte key and 8-byte nonce with CryptGenRandom before overwriting the key, which rendered the irreparably inaccessible without forensic intervention. To prevent system boot, NotPetya overwrote the Master Boot Record (MBR) sectors with a custom loader, preserving the original MBR via XOR encoding (using key 0x7) in a hidden sector for potential display during the fake recovery process. This triggered a boot-time screen mimicking prior Petya variants, featuring a skull icon, a countdown, and a ransom demand for 300 USD in Bitcoin to a fixed address (1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX), accompanied by a randomly generated "personal installation key" and instructions to email a support address for a supposed master key. However, the malware lacked any functional recovery key generation or transmission mechanism; all victims received identical, hardcoded key material that failed to decrypt data, confirming its wiper intent, as payments to the address totaled under $10,000 despite global spread, and the email domain was deactivated shortly after deployment. A hardcoded "kill switch" check—if a file named perfc.dat existed in C:\Windows—made the malware abort its execution, avoiding self-infection on prepared systems but underscoring non-profit motives, as this feature bypassed widespread collection opportunities.
Forensic examinations identified code overlaps with tools linked to Russian military intelligence (GRU), such as credential extraction via Mimikatz—a password-dumping utility reused across operations including destructive Ukraine-targeted campaigns—distinguishing it from opportunistic through embedded logic rather than exfiltration or .
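The MBR handling described above lends itself to a forensic check. The following is an added example, not code from the article or from any malware sample: given a raw disk image, it models the preserved copy of the original MBR as the article describes it (XOR-encoded with the single-byte key 0x07 in a hidden sector), decodes and validates that copy, and reports whether sector 0 now differs from it. The hidden-sector index (34) and the sample image are assumptions constructed for the example.

```python
"""Recovering the original MBR from a disk hit by a NotPetya-style bootloader.

Added example, not code from the article or from any malware sample. The
hidden-sector index is an assumption (the article gives none), so it is a
parameter. XOR with a single-byte key is its own inverse, so one routine
both encodes the sample and decodes the recovered copy.
"""
import struct
from typing import List, Optional, Tuple

SECTOR = 512
XOR_KEY = 0x07            # single-byte key named in the article
BOOT_SIG = b"\x55\xaa"    # MBR boot signature at bytes 510-511
PT_OFFSET = 446           # start of the four 16-byte partition entries


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Undo (or apply) the single-byte XOR encoding."""
    return bytes(b ^ key for b in data)


def parse_partition_table(mbr: bytes) -> List[Tuple[int, int, int]]:
    """Return (partition type, starting LBA, sector count) for used entries."""
    entries = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        _boot, _chs1, ptype, _chs2, lba, count = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        if ptype:
            entries.append((ptype, lba, count))
    return entries


def looks_like_mbr(sector: bytes) -> bool:
    """Plausibility check: right size, boot signature, at least one partition."""
    return (len(sector) == SECTOR and sector[510:] == BOOT_SIG
            and bool(parse_partition_table(sector)))


def recover_original_mbr(image: bytes, hidden_sector: int = 34) -> Optional[bytes]:
    """Decode the preserved copy; None if nothing valid is found there."""
    start = hidden_sector * SECTOR
    candidate = xor_decode(image[start:start + SECTOR])
    return candidate if looks_like_mbr(candidate) else None


def triage(image: bytes, hidden_sector: int = 34) -> dict:
    """What a responder wants to know before restoring sector 0."""
    original = recover_original_mbr(image, hidden_sector)
    return {
        "hidden_copy_found": original is not None,
        "sector0_differs": original is not None and image[:SECTOR] != original,
        "partitions": parse_partition_table(original) if original else [],
    }


# ---- constructed sample images (not real disks) ----
def build_original_mbr() -> bytes:
    code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (PT_OFFSET - 5)   # stand-in boot code
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,  # one active NTFS entry
                       b"\xfe\xff\xff", 2048, 204800)
    return code + ntfs + b"\x00" * 48 + BOOT_SIG


def build_infected_image(hidden_sector: int = 34) -> bytes:
    """Sector 0 replaced by a placeholder loader, original kept XOR-encoded."""
    loader = b"\xeb\xfe" + b"\x00" * 508 + BOOT_SIG
    image = bytearray(SECTOR * (hidden_sector + 1))
    image[:SECTOR] = loader
    image[hidden_sector * SECTOR:(hidden_sector + 1) * SECTOR] = xor_decode(build_original_mbr())
    return bytes(image)


def build_clean_image() -> bytes:
    image = bytearray(SECTOR * 35)
    image[:SECTOR] = build_original_mbr()
    return bytes(image)


if __name__ == "__main__":
    print(triage(build_infected_image()))
    print(triage(build_clean_image()))
```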

Propagation Mechanisms

NotPetya demonstrated worm-like self-propagation by exploiting vulnerabilities in the Server Message Block version 1 (SMBv1) protocol, primarily through the EternalBlue exploit (CVE-2017-0144), which originated from the U.S. and was publicly leaked by group in April 2017. This allowed initial infection of unpatched Windows systems via remote code execution over SMB, with the malware scanning for open TCP ports 139 and 445 to identify vulnerable hosts. Complementing EternalBlue, the malware incorporated the EternalRomance exploit (CVE-2017-0145) and the backdoor for additional lateral movement, enabling and persistence on compromised endpoints without requiring user interaction. These mechanisms targeted systems unpatched by Microsoft's MS17-010 security bulletin, released on March 14, 2017. For broader network traversal, NotPetya employed credential dumping using a modified version of the Mimikatz tool to extract authentication material from the Local Security Authority Subsystem Service (LSASS) process, facilitating pass-the-hash attacks. Dumped credentials enabled access to administrative shares such as ADMIN$, C$, and IPC$, where the malware copied itself (e.g., as perfc.dat) and executed remotely via tools like PsExec (disguised as dllhost.dat) or the Windows Management Instrumentation Command-line (WMIC). This combination of exploit-based entry and credential-augmented propagation exploited weak , allowing rapid dissemination within domains where administrative privileges were insufficiently isolated. The absence of robust segmentation amplified the malware's reach, as infected hosts autonomously attempted connections to discovered peers using harvested credentials or exploits.
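The propagation behaviours listed above (and the SMB and Mimikatz spread described in the Approach section) map onto host telemetry a defender can alert on. The following is an added example, not code from the article or from any product: it runs simple detection rules over constructed JSON-lines endpoint events for SMB fan-out on TCP 139/445, PsExec disguised as dllhost.dat, remote execution through WMIC, copies of perfc.dat into ADMIN$/C$ shares, and LSASS access by unexpected processes. The event format, the thresholds and the LSASS allowlist are assumptions to be tuned locally.

```python
"""Detection logic for NotPetya-style lateral movement in endpoint telemetry.

Added example, not code from the article or from any vendor product. The
JSON-lines event format is an assumption, loosely modelled on Sysmon-style
process, network, file-write and LSASS-access records.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

SMB_PORTS = {139, 445}
FANOUT_THRESHOLD = 15                 # distinct SMB peers per host per window (assumed)
FANOUT_WINDOW = timedelta(minutes=5)  # assumed tuning value
SUSPECT_FILES = ("perfc.dat", "dllhost.dat")   # names the article ties to NotPetya
# Assumption: processes allowed to open LSASS in this environment; tune locally.
LSASS_ALLOWLIST = {"lsass.exe", "csrss.exe", "wininit.exe", "msmpeng.exe"}


def parse_events(text: str) -> List[dict]:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(events: List[dict]) -> Dict[str, List[str]]:
    """Return host -> findings; hosts with nothing suspicious are absent."""
    findings: Dict[str, List[str]] = defaultdict(list)
    smb_conns: Dict[str, List[tuple]] = defaultdict(list)
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "process":
            cmd = ev.get("cmd", "").lower()
            if basename(ev["image"]) == "wmic.exe" and "/node:" in cmd and "process call create" in cmd:
                findings[host].append("remote process creation via WMIC: " + ev["cmd"])
            elif basename(ev["image"]) in SUSPECT_FILES or any(f in cmd for f in SUSPECT_FILES):
                findings[host].append("suspect file executed: " + ev["cmd"])
        elif kind == "filewrite":
            path = ev["path"].lower()
            if (path.startswith("\\\\") and ("\\admin$\\" in path or "\\c$\\" in path)
                    and basename(path) in SUSPECT_FILES):
                findings[host].append("suspect file copied to admin share: " + ev["path"])
        elif kind == "lsass_access":
            source = basename(ev["source_image"])
            if source not in LSASS_ALLOWLIST:
                findings[host].append("LSASS memory opened by " + source)
        elif kind == "netconn" and ev["dport"] in SMB_PORTS:
            smb_conns[host].append((datetime.fromisoformat(ev["ts"]), ev["dst"]))
    # Worm-like scanning: many distinct SMB peers from one host in a short window.
    for host, conns in smb_conns.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            peers = {dst for t, dst in conns[i:] if t - t0 <= FANOUT_WINDOW}
            if len(peers) >= FANOUT_THRESHOLD:
                findings[host].append(f"SMB fan-out: {len(peers)} distinct peers within {FANOUT_WINDOW}")
                break
    return dict(findings)


# Constructed sample telemetry (not real logs): WS-ACCT-01 behaves like an
# infected peer; WS-HR-07 shows look-alike but benign activity (dllhost.exe,
# the Defender engine touching LSASS, repeated connections to one file server).
SAMPLE_LOG = r"""
{"ts":"2017-06-27T10:30:01","host":"WS-ACCT-01","type":"process","image":"C:\\Windows\\System32\\svchost.exe","cmd":"svchost.exe -k netsvcs"}
{"ts":"2017-06-27T10:31:05","host":"WS-ACCT-01","type":"process","image":"C:\\Windows\\System32\\rundll32.exe","cmd":"rundll32.exe C:\\Windows\\perfc.dat"}
{"ts":"2017-06-27T10:31:20","host":"WS-ACCT-01","type":"lsass_access","source_image":"C:\\Windows\\System32\\rundll32.exe","target":"lsass.exe"}
{"ts":"2017-06-27T10:33:05","host":"WS-ACCT-01","type":"filewrite","path":"\\\\WS-HR-07\\ADMIN$\\perfc.dat"}
{"ts":"2017-06-27T10:33:10","host":"WS-ACCT-01","type":"process","image":"C:\\Windows\\dllhost.dat","cmd":"dllhost.dat \\\\WS-HR-07 -s -d rundll32.exe C:\\Windows\\perfc.dat"}
{"ts":"2017-06-27T10:33:30","host":"WS-ACCT-01","type":"process","image":"C:\\Windows\\System32\\wbem\\WMIC.exe","cmd":"wmic /node:\"10.0.5.12\" process call create \"rundll32.exe C:\\Windows\\perfc.dat\""}
{"ts":"2017-06-27T10:30:40","host":"WS-HR-07","type":"process","image":"C:\\Windows\\System32\\dllhost.exe","cmd":"dllhost.exe /Processid:{PLACEHOLDER-GUID}"}
{"ts":"2017-06-27T10:30:50","host":"WS-HR-07","type":"lsass_access","source_image":"C:\\Program Files\\Windows Defender\\MsMpEng.exe","target":"lsass.exe"}
{"ts":"2017-06-27T10:31:00","host":"WS-HR-07","type":"netconn","dst":"10.0.9.2","dport":445}
{"ts":"2017-06-27T10:31:30","host":"WS-HR-07","type":"netconn","dst":"10.0.9.2","dport":445}
"""
# The infected host then sweeps 25 neighbours on TCP 445 within seconds.
SAMPLE_LOG += "".join(
    f'{{"ts":"2017-06-27T10:32:{i:02d}","host":"WS-ACCT-01","type":"netconn","dst":"10.0.5.{10 + i}","dport":445}}\n'
    for i in range(25))


if __name__ == "__main__":
    for host, items in analyse(parse_events(SAMPLE_LOG)).items():
        print(host)
        for item in items:
            print("  -", item)
```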

Distinguishing Features from Ransomware

NotPetya differed fundamentally from profit-driven ransomware strains like CryptoLocker or Locky by lacking any viable decryption mechanism, functioning instead as destructive wiper malware disguised with a ransom demand interface to obscure its intent and maximize disruption. The malware employed a single, hardcoded AES-128 key for encrypting the master file table (MFT) and files, generated from a fixed boot sector value, which prevented attackers from providing unique decryption keys even if payments were made. This design ensured irreversible data loss without external backups, contrasting with typical ransomware that facilitates recovery post-payment to encourage further victim compliance. Analysis of the malware's payment infrastructure revealed a non-functional Tor onion service that returned hardcoded, invalid responses to victim-submitted IDs, confirming no operational ransom recovery path existed. Blockchain tracking of the designated Bitcoin wallet, address 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX, showed only about $10,000 in total receipts from roughly a successful transactions amid 45 payment attempts, representing far less than 1% of the estimated tens of thousands of infections worldwide. This negligible financial yield, juxtaposed against billions in global damages, underscored non-monetary objectives, such as amplifying chaos in a geopolitical context rather than generating revenue. Although initial deployment targeted Ukraine via compromised updates to the M.E.Doc tax accounting software, NotPetya's worm-like propagation—leveraging the EternalBlue and EternalRomance exploits for lateral movement—enabled indiscriminate spread across networks, infecting entities far beyond the intended victims and diverging from the contained victim selection typical of financially motivated ransomware. This hybrid targeting and rapid escalation sowed widespread confusion by mimicking ransomware tactics while prioritizing destruction over extortion.

Attack Timeline and Execution

Initial Deployment

The initial deployment of the malware, later identified as NotPetya, occurred on June 27, 2017, via a compromise of M.E.Doc, a popular Ukrainian tax preparation and accounting software used by hundreds of thousands of businesses for electronic reporting to tax authorities. Attackers had infiltrated the M.E.Doc update servers, enabling them to distribute a trojanized software update that installed the malware on the systems of users who downloaded it, primarily affecting Ukrainian entities reliant on the tool for compliance. This vector allowed rapid initial infection across multiple organizations without requiring direct or beyond routine software maintenance. The timing of the attack aligned precisely with Ukraine's quarterly deadline for value-added tax (VAT) declarations, a period of heightened activity for tax software usage, thereby maximizing operational disruption to , banking, and targets. Infected systems displayed a screen lock overlaid with a note claiming encryption of critical files and demanding payment of 300 USD in Bitcoin to a specified wallet for a decryption tool, though subsequent analysis revealed that the malware's destructive intent overrode any viable recovery mechanism. The note included instructions to email a unique victim ID to an for further details, but responses ceased after the initial waves, underscoring the operation's focus on rather than profit.

Spread Within Ukraine

The NotPetya malware, initially propagated through a compromised software update for M.E.Doc, a popular Ukrainian tax accounting application used by thousands of businesses, began infecting systems on June 27, 2017. This vector enabled rapid initial penetration among Ukrainian entities reliant on the tool for mandatory fiscal reporting, with the malware exploiting the update mechanism to deploy its payload before leveraging lateral movement techniques, including the EternalBlue vulnerability, to escalate within networks. Infections quickly extended to critical infrastructure, crippling over 22 banks, including Oschadbank, where automated teller machines (ATMs) and payment systems went offline, halting cash withdrawals and transactions nationwide. The state-owned energy firm and at least five other power companies suffered outages, disrupting electricity distribution and operational controls. Boryspil International Airport, Ukraine's largest, experienced system failures that suspended check-in and flight information services, forcing reliance on manual processes. Government ministries, including the Cabinet of Ministers' networks, faced widespread and , while the Chernobyl nuclear site lost automated monitoring capabilities, compelling personnel to conduct manual inspections of the . These disruptions, concentrated primarily in where the majority of early detections occurred, necessitated manual workarounds and system rebuilds from backups, prolonging recovery as automated tools proved ineffective against the malware's overwrite.

Global Propagation

The NotPetya malware, deployed initially in Ukraine on June 27, 2017, exhibited worm-like propagation that enabled rapid dissemination beyond its primary targets, exploiting unpatched Microsoft Windows vulnerabilities via the EternalBlue SMB exploit. This self-propagating mechanism, akin to that observed in the earlier WannaCry incident, allowed the malware to scan and infect networked systems automatically, traversing organizational boundaries through interconnected enterprise environments rather than relying solely on or manual deployment. Global infections emerged within hours to days of the Ukrainian outbreak, as the malware leveraged lateral movement across supply chains linking multinational firms. For example, it infiltrated Maersk's global software networks, which relied on shared Ukrainian accounting tools and unsegmented internal systems, paralyzing container tracking and operations across continents by June 28. Similarly, Merck's pharmaceutical production and infrastructures were compromised through analogous network exposures, halting and manufacturing lines that spanned international facilities. These incidents underscored how dependencies on third-party software updates and inadequately isolated IT environments amplified the blast radius, with infections documented in by late June 27, followed by , the , and within 48 hours. The propagation was not indicative of deliberate worldwide targeting but rather a consequence of systemic failures in , including delayed application of Microsoft's March patches for , which left diverse global entities susceptible to automated exploitation. Firms like in the U.S. and in reported disruptions tied to this opportunistic spread, highlighting the fragility of just-in-time supply chains where a single foothold in one node cascades to affiliates via routine data exchanges and shared protocols.
This dynamic revealed causal vulnerabilities in hyper-connected digital ecosystems, where the malware's design prioritized destructive over containment, inadvertently escalating a regionally focused operation into a transnational .

Immediate Impacts

Ukrainian Sector Disruptions

The NotPetya malware, deployed on June 27, 2017, severely disrupted Ukraine's financial sector, with over 22 banks affected, including Oschadbank, the country's second-largest state-owned bank, where approximately 90% of computers were locked, halting operations across its network. Oschadbank closed more than 3,650 branches and 2,850 ATMs, while 's ATMs displayed messages indicating cash withdrawals were unavailable due to technical issues, leading to widespread difficulties in accessing funds. In the energy sector, six power companies, including , suffered network infections that necessitated a shift to manual dispatch and operations to maintain service continuity, building on prior vulnerabilities exposed in a 2016 . Monitoring systems at the also went offline, though no power outages were reported from these disruptions. Healthcare facilities faced significant setbacks, with at least four hospitals in experiencing wiped computer systems, forcing staff to revert to pen-and-paper records for patient intake and operations. The Ministry of Health's centralized medicine distribution process broke down, requiring manual coordination via 24 phone calls across regions instead of automated emails. Transportation infrastructure was paralyzed in key areas, including the , railways, and port, where infected systems halted automated processes and card payment terminals, rendering operations ineffective. Kyiv's main airport also reported disruptions tied to the broader attack wave.

Economic Costs in Ukraine

The NotPetya malware attack inflicted direct economic harm on Ukraine estimated at up to $560 million, equivalent to approximately 0.5% of the country's 2017 GDP of $112 billion. This figure, derived from expert assessments including those referencing Ukrainian media reports, encompasses business interruptions, system restoration costs, and lost productivity, though analyses question its upper-bound accuracy given the attack's transitory nature on most affected entities. The malware's propagation via compromised updates to the widely used M.E.Doc tax accounting software—serving hundreds of thousands of primarily small and medium-sized enterprises (SMEs)—led to operational disruptions across thousands of Ukrainian businesses, halting invoicing, payroll, and tax filings for days to weeks. Sectors such as energy, banking, and faced acute downtime, with state-owned entities like and reporting extended outages, but SMEs bore a disproportionate burden due to limited redundancy and reliance on the infected software. Recent evaluations, including 2024-2025 insurance and cybersecurity analyses, indicate Ukraine's damages were far lower than global hype implied, with over 95% of the oft-cited $10 billion worldwide total accruing externally through spillovers rather than domestic effects. These studies emphasize that the impact fell below thresholds for "severe" cyber catastrophes (0.2-2% GDP), attributing perceived exaggeration to aggregated international claims and underappreciation of Ukrainian operational resilience, such as offline or air-gapped backups that enabled partial recoveries without full in resilient firms.

Broader Consequences

International Victims and Supply Chain Effects

The NotPetya malware rapidly propagated beyond , infecting systems in organizations across multiple countries and disrupting international operations. Multinational corporations reliant on global networks suffered cascading failures due to the malware's use of the exploit in unpatched Windows systems, enabling lateral movement across networks. In the shipping sector, Danish firm A.P. Møller–Mærsk A/S experienced severe disruptions, with its IT systems worldwide shutting down and forcing manual operations at ports from Europe to Asia. The attack idled container terminals, halted vessel bookings, and delayed cargo handling, contributing to an estimated financial loss of $250–300 million for the company in lost revenue and recovery costs during the third quarter of 2017. These interruptions rippled through global trade logistics, underscoring vulnerabilities in interconnected maritime supply chains. The pharmaceutical industry faced production halts, notably at U.S.-based Merck & Co., where manufacturing facilities were crippled, preventing bulk production of vaccines including Gardasil 9 for human papillomavirus. This led to sales reductions of approximately $135 million and additional operational costs exceeding $175 million in the immediate aftermath. Supply shortages ensued, with Merck borrowing stockpiles from government reserves to meet demand, highlighting risks to healthcare product distribution chains. Logistics provider , a subsidiary of , reported damages of at least $300 million from system outages that impaired delivery operations across and beyond. Consumer goods firms like also encountered disruptions in manufacturing and distribution, further exposing how third-party software updates in supply chains could amplify spread to unsegmented networks. Overall, these incidents revealed systemic weaknesses in global enterprise IT, where reliance on outdated or vulnerable Windows configurations facilitated widespread economic .

Global Economic Damages

The assessed total global damages from the NotPetya attack at more than $10 billion, encompassing direct losses, operational disruptions, and indirect economic effects across multiple continents. This figure, derived from a U.S. government evaluation, highlighted the attack's propagation beyond via unpatched vulnerabilities and vectors like Ukrainian tax software, affecting sectors including shipping, pharmaceuticals, and . Specific corporate disclosures provide granular evidence of the scale: , the Danish shipping firm, reported losses of $250–300 million in the third quarter of 2017 alone, primarily from halted container operations at 76 ports worldwide and manual workarounds that delayed global trade flows. revised its initial $300 million estimate upward to approximately $1 billion, accounting for extended interruptions. Merck & Co. incurred over $310 million in sales losses and remediation costs, later pursuing a $1.4 billion insurance claim for wiped systems affecting production. Debates persist over potential overestimation in aggregate figures, with some analyses critiquing the $10 billion valuation as hyped amid broader narratives of cyber catastrophe risks, while verifiable losses from public earnings reports totaled around $892.5 million by mid-2017. Insurance payouts faced complications from war-exclusion clauses, as seen in denials for claims like Mondelez's $100 million, underscoring causal factors such as inadequate patch deployment—exacerbated by Microsoft's delayed updates for legacy systems—and prompting subsequent enhancements in for software hygiene.

Attribution and Controversies

Technical and Intelligence Evidence

Cybersecurity researchers at uncovered a backdoor in the NotPetya malware matching the TeleBots framework, with code overlaps to an evolved version of the backdoor deployed by the same actors in the 2016 Ukrainian power grid compromise. These similarities encompassed adapted XML-based communication and configuration structures, diverging from binary formats in earlier variants but retaining core modular designs for network infiltration and persistence. The malware's propagation relied on reused exploits such as —originally an NSA tool exposed via leaks—and credential-dumping utilities like , integrated into a custom payload that targeted master boot records for irreversible disruption rather than recoverable encryption. This combination of lateral movement techniques and destructive wiper functionality mirrored toolsets from prior campaigns against Ukrainian targets, as detailed in forensic breakdowns by firms including , which noted the unprecedented speed and scope enabled by these inherited components. The initial breach of M.E.Doc's update infrastructure in spring 2017 positioned attackers to deliver the payload via a routine software patch on , escalating to widespread activation on amid Ukraine's pre-holiday lull, a timing pattern suggesting coordinated access to persistent footholds and resources unbound by commercial operational constraints. CrowdStrike's disassembly further evidenced hardcoded network scanning and SMB exploitation tailored for high-volume spread, aligning with intelligence on advanced actors' iterative refinement of bespoke modules over opportunistic adaptations.

State Sponsorship Claims

In February 2018, the and publicly attributed the NotPetya attacks to Russia's military, specifically identifying the Main Intelligence Directorate () as responsible for deploying the malware as part of a destructive cyber campaign targeting . The statement emphasized the operation's recklessness, noting its origins in Russian government-controlled infrastructure and its alignment with prior tactics against Ukrainian critical sectors. Subsequent U.S. intelligence assessments, including from the CIA, reinforced this by linking the attack to Russian military hackers aiming to cripple Ukraine's financial and governmental systems, consistent with ongoing efforts to destabilize the country amid its Western-oriented reforms. In October 2020, the U.S. Department of Justice indicted six officers from Unit 74455—also known as Sandworm—for orchestrating NotPetya alongside other global campaigns, citing forensic ties to Russian military networks and operational patterns. Australia, Canada, and New Zealand echoed these attributions shortly thereafter, with the Australian government condemning Russia for endangering global economic stability through state-directed actions originating in Ukraine. Western officials framed the motives as punitive, targeting Ukraine's infrastructure to hinder its anti-corruption drives and deepening ties with NATO and the European Union, thereby pressuring Kyiv away from Western integration. Such public state sponsorship claims by coalition partners have been credited with enhancing deterrence against future hybrid aggression by imposing reputational and potential sanction costs on perpetrators, though analysts note the inherent risks of escalation, as explicit attributions could prompt reciprocal cyber or kinetic responses in an under-regulated domain.

Denials and Counterarguments

The Russian government has consistently denied any involvement in the 2017 NotPetya attacks, with Kremlin spokesman Dmitry Peskov describing U.S. and U.K. attributions to Russian military intelligence as "unsubstantiated and groundless" on February 16, 2018. Peskov further rejected the accusations as lacking evidence, emphasizing that Moscow viewed them as politically motivated without forensic proof linking the operations directly to state directives. Russian officials and state media have portrayed the incident as stemming from Ukrainian cybersecurity shortcomings, particularly vulnerabilities in the M.E.Doc tax software used to propagate the malware, rather than a coordinated state-sponsored campaign. They have dismissed Western claims as "Russophobic" narratives, arguing that the attacks' global spread resulted from opportunistic exploitation of known flaws like , a exploit leaked by group and previously used in non-state incidents such as WannaCry. No alternative perpetrator has been officially proposed by , but denials highlight the absence of publicly disclosed intelligence showing orders, contrasting with technical indicators like from prior Russian-linked . Skeptical analyses of the attribution process question the reliability of private cybersecurity firms and Western intelligence assessments, noting potential biases amid heightened U.S.-Russia tensions during the 2016 election interference probes. Critics argue that while malware signatures and infrastructure traces point to Russian actors, such as the GRU's Sandworm unit, these remain circumstantial without declassified evidence of command authorization, allowing plausible deniability for non-state criminal elements operating from . Russian perspectives frame the accusations as part of a broader pattern of unproven cyber blame games, urging caution against accepting firm-level reports—often from U.S.-based entities with government contracts—as definitive proof of state sponsorship.

Responses and Mitigation

Ukrainian and Victim Responses

Ukrainian organizations, including government agencies and , responded to the June 27, 2017, NotPetya outbreak by isolating infected networks and reverting to manual operations to maintain essential services. Rail operator Ukrzaliznytsia issued paper tickets and processed payments by hand, while power utilities like Kyivoblenergo suspended electronic billing and relied on physical metering. The Chernobyl Plant's monitoring systems were knocked offline, prompting a switch to manual monitoring by staff to ensure continued safety oversight without automated data feeds. International victims implemented rapid operational workarounds and data restoration. Shipping giant , whose global network was crippled within minutes, discovered an uninfected backup server in and used it to rebuild its entire IT infrastructure, including , over 10 days of manual reconfiguration across 45 countries and 600 sites. Pharmaceutical firm Merck halted production at affected facilities, invoked clauses in supply contracts to manage disruptions, and focused on restoring systems from segmented backups while minimizing operational downtime. Microsoft, observing the malware's exploitation of the EternalBlue vulnerability, voluntarily released emergency security updates on July 3, 2017, for end-of-support platforms including , , and , enabling affected users to patch systems and prevent lateral spread despite lacking official support obligations.

International Government Actions

The government publicly attributed the NotPetya campaign to Russia's in a statement on , 2018, describing it as the most destructive and costly in history. The (CISA) issued an alert on the Petya variant, later updated to reflect this attribution and advise on mitigation for . In October 2020, the U.S. Department of Justice indicted six officers from Russia's Unit 74455 for their roles in deploying NotPetya and related destructive , charging them with , hacking, and wire . The attributed the attacks to Russian military intelligence on the same day as the U.S. statement, followed by joint attributions from , , and on February 16, 2018, condemning the operation for risking global economic stability and critical services. NATO officials assessed NotPetya as a potential hybrid threat that could justify retaliatory measures under certain conditions, though the damage did not trigger Article 5 invocation. The condemned the attacks in April 2018 and, in July 2020, imposed its first cyber-specific sanctions regime targeting entities and individuals involved in NotPetya, aiming to deter future malicious activities through asset freezes and travel bans. These actions achieved coordinated international attribution and legal accountability efforts but demonstrated limited deterrence, as Russia persisted with similar cyber operations, including during its 2022 invasion of , suggesting indictments and sanctions failed to alter state-sponsored behavior.

Technical Countermeasures and Recovery

Security researchers at discovered a in the NotPetya on June 27, 2017, revealing that the malware checks for the existence of a file named perfc.dat in the root of the C: drive before proceeding with ; the presence of this file causes the malware to halt execution. This mechanism, described as a "" rather than a traditional , allowed administrators to preemptively create the file on vulnerable systems to block infection, though it offered no remediation for already compromised machines. Antivirus vendors rapidly developed and deployed detection signatures following the outbreak's onset on June 27, 2017; for instance, updated its products to identify NotPetya variants, enabling real-time blocking and quarantine of the malware on protected endpoints. These signatures targeted key indicators such as the malware's use of for propagation and its boot record overwriting routines, providing empirical efficacy in halting further spread within segmented environments. Recovery from NotPetya infections proved challenging due to its wiper-like behavior, which encrypted the Master File Table (MFT) and overwrote the Master Boot Record (MBR), rendering standard decryption attempts ineffective even upon ransom payment, as no viable private key was implemented. Best practices derived from incident responses prioritized full system wipes followed by restores from verified, offline backups or clean disk images, avoiding partial file recovery tools that risked residual persistence or . To contain lateral propagation observed in the attacks—via SMB vulnerabilities and credential theft—experts recommended strict network segmentation, isolating critical segments with firewalls and access controls to empirically limit in future incidents. This approach, validated through post-mortem analyses, proved more effective than reliance on endpoint detection alone for mitigating rapid intra-network dissemination.

Long-Term Ramifications

Cybersecurity Lessons

The NotPetya attacks highlighted the imperative for organizations to disable legacy protocols such as SMBv1, which facilitated lateral movement via the exploit targeting the MS17-010 vulnerability. Microsoft released patches for this flaw on March 14, 2017, months before the June 27 outbreak, yet widespread failure to apply them or disable SMBv1 enabled rapid network compromise across unsegmented environments. Security experts emphasized that routine hardening measures, including blocking ports 445, 137, 138, and 139 externally, could have contained propagation even in partially patched systems. A core lesson emerged from the initial infection vector: the compromise of Ukrainian tax software M.E.Doc's update servers, which attackers exploited to deliver payloads disguised as legitimate patches. This breach affected thousands of downstream users, underscoring the need for rigorous vetting of third-party vendors, including integrity checks on update mechanisms and diversified software sourcing to mitigate single points of failure. Organizations must treat vendor ecosystems as extensions of their own , conducting periodic audits and requiring transparency in update signing processes. The attacks also exposed risks inherent in stockpiled zero-day exploits, as NotPetya's use of the NSA-developed —leaked via in April 2017—amplified global damage beyond initial targets. While such leaks prompted accelerated vendor disclosures and patching by firms like for previously undisclosed flaws, they illustrated how nation-state tools, once proliferated, empower non-state or adversarial actors with devastating scalability. This incident reinforced first-principles defenses like and offline backups, independent of patch timelines, to preserve recoverability against wiper-style malware masquerading as ransomware.
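Both the signature-based containment in the Technical Countermeasures section and the port-blocking advice above rest on the same observable: one host suddenly opening SMB sessions to many peers inside a short window. The detector below is an added example, not code from the original article; it assumes a constructed connection-log format (ISO-8601 timestamp, source, destination:port, protocol, sorted by time), and the addresses, window and threshold are made-up values for illustration.

```python
"""Flag hosts that fan out over SMB ports the way a self-propagating worm does.

Added example, not code from the original article. It assumes a constructed
log line format: "<ISO-8601 timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>",
already sorted by timestamp. The addresses and thresholds below are made up.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

# The ports the article recommends blocking externally: SMB over TCP and NetBIOS.
SMB_PORTS = {445, 139, 137, 138}


def parse_line(line: str) -> Tuple[datetime, str, str, int]:
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, _arrow, dst, _proto = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def find_smb_fanout(lines: Iterable[str],
                    window: timedelta = timedelta(seconds=60),
                    threshold: int = 20) -> Dict[str, int]:
    """Return {src_ip: peak_distinct_peers} for every source that contacted at
    least `threshold` distinct hosts on SMB ports within any `window`.

    A workstation talking to a couple of file servers stays far below the
    threshold; a host sweeping a subnet on 445 crosses it within seconds.
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, int] = {}
    for line in lines:
        ts, src, dst, port = parse_line(line)
        if port not in SMB_PORTS:
            continue                      # non-SMB traffic is ignored entirely
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()                   # slide the window forward
        distinct = len({peer for _, peer in q})
        if distinct >= threshold:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


def build_sample_log() -> List[str]:
    """Constructed sample telemetry (not real data): one ordinary workstation
    and one host sweeping a /24 on port 445 in under ten seconds."""
    base = datetime(2017, 6, 27, 10, 30, 0)
    lines: List[str] = []
    # Ordinary workstation: six SMB sessions to two file servers over ten minutes.
    for i in range(6):
        server = "10.0.0.50" if i % 2 == 0 else "10.0.0.51"
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} "
                     f"10.0.0.7 -> {server}:445 tcp")
    # Some HTTPS traffic from the same workstation, which must not count.
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} "
                 f"10.0.0.7 -> 10.0.0.80:443 tcp")
    # Sweeping host: 30 distinct peers on 445, three per second.
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=i // 3)).isoformat()} "
                     f"10.0.0.5 -> 10.0.0.{100 + i}:445 tcp")
    lines.sort()  # ISO-8601 timestamps sort lexicographically, so the log stays ordered
    return lines


if __name__ == "__main__":
    for host, peers in find_smb_fanout(build_sample_log()).items():
        print(f"ALERT {host}: {peers} distinct SMB peers inside one window")
```

Tune the window and threshold against a baseline of normal file-server traffic before acting on alerts; a domain controller or backup server legitimately contacts many peers and needs an allow-list or a higher threshold.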

Influence on Cyber Policy and Insurance

The NotPetya attacks catalyzed revisions to cyber insurance policies, with insurers introducing or strengthening war exclusions to disclaim coverage for losses stemming from state-sponsored cyber operations. These exclusions, often invoking clauses for "hostile or warlike acts" by governments, were applied in high-profile claims such as Merck's $1.4 billion suit, where carriers denied payouts attributing the incident to Russian actions rather than insurable . Similarly, Mondelez International's over $100 million claim faced denial under analogous provisions, resulting in a 2022 settlement after protracted litigation that exposed interpretive gaps in exclusion language. In response, premiums escalated sharply—global rates increased by 20-50% in 2018-2019—as underwriters recalibrated for systemic risks from destructive malware, prompting policyholders to seek endorsements for state-attack coverage at higher costs. NotPetya also accelerated policy shifts toward supply chain safeguards, as its spread via compromised Ukrainian tax software updates (M.E.Doc) demonstrated how vendor dependencies amplify attack vectors. The U.S. (CISA) integrated such lessons into post-2017 advisories, prioritizing third-party risk assessments and software bill-of-materials requirements to mitigate propagation risks. In the , the incident informed the 2022 NIS2 Directive, which broadened the original 2016 NIS framework by imposing stricter resilience mandates on essential entities and enhancing cross-border incident coordination to counter cascading disruptions from targeted . From 2021 to 2023, NotPetya featured prominently in regulatory and discussions, fueling arguments for explicit state-attack carve-outs in policies and harmonized international standards for attributing cyber incidents to avoid coverage voids. These debates underscored the need for refined war exclusion wording to balance insurability with geopolitical realities, without classifying hybrid cyber operations as traditional warfare.

Connections to Ongoing Russo-Ukrainian Conflict

The 2017 NotPetya attacks, primarily targeting Ukrainian critical infrastructure such as government agencies, power utilities, and the banking sector, occurred amid the escalating Russo-Ukrainian conflict that began with Russia's annexation of Crimea in 2014 and support for separatists in . Attributed by U.S. and allied intelligence to Russia's unit 74455 (known as Sandworm), the malware's deployment exemplified tactics integrating cyber disruption with conventional military pressure to undermine Ukrainian state functions without full-scale kinetic escalation. This operation disrupted operations at entities like Ukraine's state-owned and Kyiv's metro system on June 27, 2017, aligning with patterns of Russian cyber efforts to erode resilience in contested regions. NotPetya served as a doctrinal precursor to Russia's intensified cyber operations preceding the February 2022 full-scale invasion, where Sandworm again employed destructive tools against Ukrainian targets, including a Viasat satellite network disruption hours before ground incursions on February 24, 2022. Similarities in tactics—such as wiper malware mimicking ransomware for deniability and lateral movement via supply-chain vectors like the M.E.Doc tax software update—echoed in later GRU-linked campaigns, including attempts to sabotage operational technology in Ukrainian energy sectors. These operations normalized cyber tools as extensions of state coercion, with over 90% of documented Russia-Ukraine cyber incidents from 2014 to 2023 initiated by Moscow, often timed to coincide with military maneuvers. Western analyses frame NotPetya as unprovoked aggression amplifying Russia's territorial ambitions, independent of Ukrainian actions, while Russian state media and officials deny direct involvement, portraying broader cyber and military postures as defensive countermeasures to NATO's post-Cold War eastward enlargement, which claims violated informal assurances against expansion. Despite indictments of six officers in for NotPetya-related conspiracy and hacking, no halt in analogous activities followed, indicating cyber disruption's entrenchment as a persistent lever in the conflict's attritional phase.
