What Is NotPetya? Biggest Modern Cyberattack in History?

What is NotPetya?

NotPetya is a destructive malware variant that appeared in June 2017, initially targeting Ukraine before spreading globally. It masquerades as ransomware but was built primarily to destroy data rather than generate ransom payments. Even when victims paid, recovery was effectively impossible because NotPetya's encryption routine does not preserve the information needed for decryption.

The US, UK, and allied governments attributed the attack to Sandworm, a hacking group operating within Russia's GRU military intelligence agency. Total global damages exceeded $10 billion.

How NotPetya works

  1. Initial infection: NotPetya reaches target systems through phishing emails or compromised software updates. In the 2017 outbreak, the suspected entry point was M.E.Doc, a widely used Ukrainian tax preparation application, through its update mechanism.

  2. Network propagation: Once inside a network, NotPetya spreads using EternalBlue, an exploit believed to have been developed by the NSA that targets a vulnerability in Windows' Server Message Block (SMB) protocol. It also uses PsExec, WMI, and EternalRomance to move laterally to other systems on the same network.

  3. MBR infection: NotPetya overwrites the master boot record (MBR), the component responsible for starting the operating system, giving the malware control over the entire system before Windows loads.

  4. Encryption: NotPetya encrypts the Master File Table of the NTFS file system using a key generated from a random string and the victim's machine ID. This prevents Windows from accessing files or booting normally.

  5. Ransom display: A ransom message appears demanding Bitcoin payment, but the encryption is intentionally irreversible. No decryption key is stored, so payment produces nothing.
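The lateral-movement steps above leave traces that defenders can hunt for: a PsExec-style remote service installation shows up in the System log as Event ID 7045, and a payload DLL launched through rundll32.exe or spawned by the WMI provider host appears in Sysmon process-creation events (Event ID 1). The following is an added example, not code from the original article; it runs that detection logic over constructed sample records whose field names mirror those two event types. Host names, paths and command lines in the sample data are constructed for the demonstration.

```powershell
# Added example (not from the original article): hunt for PsExec- and WMI-style
# lateral movement over event records shaped like System EID 7045 and Sysmon EID 1.
# All sample values below are constructed; they are not indicators from a real incident.

function Find-LateralMovement {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        switch ($e.EventId) {
            7045 {
                # PsExec copies its service binary to the target's ADMIN$ share and
                # registers it as a service; the default service name is PSEXESVC.
                if ($e.ServiceName -match '^PSEXESVC' -or $e.ImagePath -match '\\ADMIN\$\\') {
                    [pscustomobject]@{
                        Host   = $e.Host
                        Rule   = 'PsExec-style remote service install'
                        Detail = "$($e.ServiceName) -> $($e.ImagePath)"
                    }
                }
            }
            1 {
                # Remote execution over WMI lands as a child of WmiPrvSE.exe; the payload
                # DLL the article names (perfc.dat) would be loaded through rundll32.exe.
                # Either alone is worth a look on a server; together they are a strong hit.
                $wmiParent = $e.ParentImage -match '(?i)\\WmiPrvSE\.exe$'
                $dllLaunch = ($e.Image -match '(?i)\\rundll32\.exe$') -and
                             ($e.CommandLine -match '(?i)\\Windows\\perfc(\.dat)?\s*,')
                if ($wmiParent -or $dllLaunch) {
                    $rule = if ($wmiParent -and $dllLaunch) { 'WMI-spawned rundll32 payload launch' }
                            elseif ($wmiParent)            { 'Process spawned via WMI' }
                            else                           { 'rundll32 launching perfc DLL' }
                    [pscustomobject]@{
                        Host   = $e.Host
                        Rule   = $rule
                        Detail = $e.CommandLine
                    }
                }
            }
        }
    }
}

# Constructed sample events: two benign, two matching the rules above.
$sampleEvents = @(
    [pscustomobject]@{ EventId = 7045; Host = 'FILESRV01'; ServiceName = 'PSEXESVC'
                       ImagePath = '\\FILESRV01\ADMIN$\PSEXESVC.exe' }
    [pscustomobject]@{ EventId = 7045; Host = 'FILESRV01'; ServiceName = 'Spooler'
                       ImagePath = 'C:\Windows\System32\spoolsv.exe' }
    [pscustomobject]@{ EventId = 1; Host = 'WKS-042'
                       Image       = 'C:\Windows\System32\rundll32.exe'
                       ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
                       CommandLine = 'rundll32.exe C:\Windows\perfc.dat,#1' }
    [pscustomobject]@{ EventId = 1; Host = 'WKS-042'
                       Image       = 'C:\Windows\System32\notepad.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'notepad.exe' }
)

Find-LateralMovement -Events $sampleEvents | Format-Table -AutoSize

# Live use: project the XML fields of real events into the same shape, e.g. from
#   Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 }
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
```

Against the sample data the function returns two hits: the PSEXESVC service install on FILESRV01 and the WMI-spawned rundll32 launch on WKS-042. Legitimate administrators also use PsExec and WMI, so in production these rules belong behind an allow-list of management hosts rather than firing as standalone alerts.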

Who was affected?

Ukraine accounted for roughly 80% of infections, with government agencies, banks, energy providers, transportation networks, and infrastructure all hit. The radiation monitoring system at the Chernobyl Nuclear Power Plant went offline temporarily. The attack spread well beyond Ukraine's borders, hitting major multinational organizations across multiple sectors:

  • Maersk, the world's largest container shipping company, estimated losses of $200 million to $300 million and had to reinstall approximately 45,000 PCs and 4,000 servers.

  • Merck reported damages of around $870 million after manufacturing and operations were disrupted.

  • Mondelez International suffered significant losses and later became the center of a landmark insurance dispute.

  • FedEx subsidiary TNT Express reported losses exceeding $400 million.

  • Saint-Gobain, WPP, Rosneft, Beiersdorf, DLA Piper, and DHL all experienced operational disruptions across multiple countries.

Impact beyond the immediate damage

  • Economic: Global damages surpassed $10 billion, with individual company losses ranging from tens of millions to nearly a billion dollars each.

  • Operational: Supply chains across shipping, pharmaceuticals, oil and gas, manufacturing, and logistics faced cascading disruptions as infected organizations lost communication and system access for days or weeks.

  • Insurance: Mondelez filed a claim with insurer Zurich, which denied coverage by classifying NotPetya as an act of war. The resulting legal dispute reshaped how the insurance industry approaches cyber coverage and government-attributed attacks.

  • Geopolitical: Attribution to the GRU's Sandworm unit intensified tensions between Russia and Western governments and accelerated policy discussions around state-sponsored cyber operations.

  • Regulatory: The scale of the attack pushed policymakers toward clearer frameworks for cyber insurance, critical infrastructure protection, and government support for private sector attack victims.

How to protect against NotPetya

  • Patch immediately: Microsoft released a patch for the EternalBlue SMB vulnerability (MS17-010) in March 2017, three months before the NotPetya outbreak. Organizations that had not applied it were fully exposed. Keeping operating systems and software current closes the most commonly exploited entry points.

  • Segment networks: Isolating critical systems from general network traffic limits lateral movement. NotPetya spread so rapidly because flat networks gave it unobstructed access across entire organizations.

  • Maintain offline backups: Backups connected to the primary network are vulnerable to the same encryption. Air-gapped or offsite backups are the only reliable recovery option against destructive malware.

  • Restrict administrative privileges: Limiting which accounts hold elevated permissions reduces how far malware can propagate even after gaining an initial foothold.

  • Disable unnecessary protocols: Disabling SMBv1 and restricting SMB access to only systems that require it removes the primary propagation vector NotPetya exploited.

  • Deploy email and endpoint security: Filtering malicious attachments and enabling real-time endpoint scanning reduces the likelihood of initial infection through phishing.

  • NotPetya-specific mitigation: Creating read-only files named "perfc" and "perfc.dat" in the Windows installation directory can prevent NotPetya's payload from executing, as the malware checks for these files before proceeding.

  • Train employees: Phishing and compromised update mechanisms were the initial delivery methods. Employees who recognize suspicious emails and report anomalies limit the window between infection and detection.
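Three of the controls above are host-level settings that can be audited and applied from the command line: the SMBv1 state that EternalBlue depends on, the MS17-010 patch level, and the read-only "perfc" files. The script below is an added example, not code from the original article or from any vendor; it reports those three items on the local machine and then remediates the two that are safe to change from a script. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (where `Get-SmbServerConfiguration` exists); the report's property names are this example's own choice.

```powershell
# Added example (not from the original article): audit and apply host-level
# NotPetya mitigations. Run elevated on Windows 8 / Server 2012 or later.

function Get-NotPetyaExposure {
    # EternalBlue targets the SMBv1 server, so the server-side switch is the one to check.
    $smb = Get-SmbServerConfiguration

    # srv.sys is the SMBv1 server driver updated by MS17-010. Cumulative updates have
    # superseded the original KB numbers, so rather than hard-coding KBs the report
    # shows the driver version for comparison with the bulletin for this OS build.
    $srvPath = Join-Path $env:windir 'System32\drivers\srv.sys'
    $srv = Get-Item -Path $srvPath -ErrorAction SilentlyContinue
    $srvVersion = if ($srv) { $srv.VersionInfo.FileVersion } else { 'srv.sys not present (SMBv1 driver absent)' }

    # The article's vaccine files must exist in the Windows directory and be read-only.
    $vaccine = foreach ($name in 'perfc', 'perfc.dat') {
        $path   = Join-Path $env:windir $name
        $exists = Test-Path -Path $path -PathType Leaf
        $ro     = if ($exists) { (Get-Item -Path $path).IsReadOnly } else { $false }
        [pscustomobject]@{ Path = $path; Exists = $exists; ReadOnly = $ro }
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Smb1Enabled   = $smb.EnableSMB1Protocol
        SrvSysVersion = $srvVersion
        VaccineFiles  = $vaccine
    }
}

function Disable-Smb1 {
    # Turn the SMBv1 server off immediately, then remove the component so the driver
    # is not loaded at next boot. The optional-feature name applies to client SKUs;
    # on Windows Server use Remove-WindowsFeature FS-SMB1 instead.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
        -ErrorAction SilentlyContinue | Out-Null
}

function New-PerfcVaccine {
    # Creates the read-only files described above. This only stops samples that
    # perform this specific pre-flight check; it does not replace patching or
    # disabling SMBv1.
    foreach ($name in 'perfc', 'perfc.dat') {
        $path = Join-Path $env:windir $name
        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -ItemType File | Out-Null
        }
        Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
    }
}

# Audit, remediate, then re-audit to confirm the changes took effect.
Get-NotPetyaExposure | Format-List
Disable-Smb1
New-PerfcVaccine
Get-NotPetyaExposure | Select-Object -ExpandProperty VaccineFiles | Format-Table -AutoSize
```

Disabling SMBv1 is the control that actually removes the EternalBlue propagation path; test it first on hosts that still talk to legacy devices such as old multifunction printers or NAS appliances, which may depend on SMBv1. The vaccine files are cheap insurance against this one family and nothing more.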
