For everyone who attended my presentation at DojoCONF Chiriqui, thank you. We discussed the watershed moments that have shaped our industry, and as promised, this post dives deeper into the single most destructive cyberattack in history: NotPetya.
This October, for Cybersecurity Awareness Month, it’s critical to look back. Over eight years ago, the world witnessed an attack that was not just malicious, but deceptive in its very nature. It was a nightmare that stopped being fiction. It wore the mask of ransomware, but its heart was that of a wiper, a digital weapon engineered not for profit, but for pure paralysis and the total loss of data. NotPetya was the moment the theoretical risk of a nation-state cyberattack causing physical damages ultimately estimated at over $10 billion became a terrifying reality.
The Calm Before the Storm
June 27, 2017, began like any other Tuesday. Across Ukraine and in the international offices of multinational corporations, it was a normal day at the office. Employees were filing taxes, managing logistics, and carrying out routine business. There was no warning, no sign of the digital cataclysm that was about to be unleashed. This deceptive calm was the perfect backdrop for an attack designed to cause maximum chaos.

The Initial Infiltration: The Supply Chain Gambit
The genius and horror of NotPetya lay in its delivery method. Unlike typical ransomware that relies on mass-phishing campaigns, NotPetya achieved initial access through a software supply chain attack.
The entry point was M.E.Doc, a popular tax and accounting software widely used by approximately 80% of businesses in Ukraine.
The attackers, a highly sophisticated threat group, compromised M.E.Doc’s update server, embedding the NotPetya malware into a legitimate software update. When M.E.Doc users installed the update, they unknowingly granted the malicious payload the administrative privileges it needed to begin its destructive work. The initial target was Ukraine, but the infection was a time bomb set to explode globally.
Not Ransomware? The Wiper’s True Intent
Although it was initially labeled as ransomware, NotPetya was soon shown to function as a destructive wiper rather than actual ransomware. The malware presented itself as Petya ransomware, displaying a ransom note demanding $300 in Bitcoin to restore files. However, security researchers quickly realized the truth: NotPetya was not designed to decrypt.
It was a wiper in disguise. Evidence also indicates that the analyzed NotPetya binary is a patched variant of the “GoldenEye” Petya strain. The ransom demand was a dead end. The primary purpose of the ransom screen was to mask the destructive intent of the attack and make it appear as a typical cybercrime operation. Even if a victim was willing to pay, the outcome was guaranteed data loss.
The path to recovery was cut off in three decisive ways:
- Contact Failure: The email address provided to victims for sending proof of payment was quickly shut down by the email provider, eliminating the only point of contact.
- Key Destruction: The malware was engineered to destroy its own means of decryption. After it used the randomly generated Salsa20 key to encrypt the Master File Table (MFT), the memory buffer storing this critical encryption key was immediately overwritten and destroyed.
- The Fatal Flaw: The “personal installation key” displayed on the victim’s ransom screen was a random blob of bytes. This random ID had no mathematical relationship to the destroyed Salsa20 key. Consequently, even if the attackers wanted to, they had no mechanism to generate a working decryption key to restore the victim’s data.
The ultimate goal was not financial gain, but destruction, disruption, and total data loss.

Technical Deep Dive: The Triple-Threat Payload
NotPetya was a masterpiece of malware engineering, earning the nickname “ransomworm” because it used three coordinated tactics for maximum damage: Infiltration, Lateral Movement, and Total Destruction.
1 • Execution: Disguise and Privilege Escalation
NotPetya’s first order of business was to look legitimate and secure deep system access. The core malware is a 32-bit Windows DLL with an original file name of perfc.dat. To initiate the attack, it leverages the common Windows utility rundll32.exe to call its internal function by ordinal. This method allows it to hinder analysis efforts and slip past basic signature detection by avoiding the creation of a unique malicious executable.
Upon running, the malware immediately checks for high-level administrative permissions, specifically the Windows privileges: SeShutdownPrivilege, SeDebugPrivilege, and SeTcbPrivilege. These are the digital “keys to the kingdom.” If it obtains these rights, it proceeds with the most aggressive and destructive path for wiping the disk and clearing forensic logs.
2 • Lateral Movement: The Worm’s Network Domination
Once a single computer was infected, NotPetya became an autonomous worm, engineered not to rely on user interaction to spread. It used two primary, highly effective methods to infect every other machine across the network:
- Exploiting Known Vulnerabilities: NotPetya leveraged the notorious Server Message Block (SMB) vulnerability (MS17-010), the same one utilized by WannaCry. This exploit, known as EternalBlue/EternalRomance, allowed the malware to force its way onto any unpatched system across the local network completely autonomously, acting like a digital battering ram.
- Advanced Credential Theft and Relaying: For systems that were patched, NotPetya deployed sophisticated credential-stealing techniques, ensuring the infection could spread to virtually every machine. It contained an embedded, modified version of the open-source tool Mimikatz to harvest passwords from memory. It also used the CredEnumerateW() Windows API to find and save login data specifically used for network shares (SMB credentials). These stolen credentials were then used with legitimate Windows administrative tools like PsExec and WMI to log in and remotely execute the malware on other machines, just as a legitimate IT administrator would. This powerful combination meant a single infected machine could compromise an entire enterprise network.
3 • Destruction: The Digital Wiper
NotPetya’s true intent was guaranteed data destruction. It was a digital wiper designed to dismantle the very foundation of the operating system:
- Direct Disk Access and Core Destruction: The malware’s objective was to destroy the operating system’s boot sequence and file map. It used the Windows API DeviceIoControl to gain direct read/write access to the physical hard drive, bypassing the operating system’s normal security layers. With this deep access, it unmounted volumes and proceeded to overwrite the Master Boot Record (MBR) (the boot sequence code) and encrypt the Master File Table (MFT) (the critical file index) using the Salsa20 cipher. By destroying both the boot code and the file map, it rendered the file system permanently inaccessible.
- Anti-Forensics and Evasion: To actively avoid detection and hamper any subsequent investigation, the malware checked for the presence of three specific antivirus products: Kaspersky, Symantec, and Norton Security. If none were found, it performed anti-forensics by clearing system event logs and deleting the USN journal (the system’s change history) to effectively cover its tracks. Interestingly, if Kaspersky was detected, the malware took an alternate, less destructive path, skipping both the anti-forensics steps and the function that overwrites the initial sectors of the physical drive, a clear tactic intended to avoid deep-level analysis from that specific security vendor.
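The three stages above (rundll32 loading perfc.dat by ordinal, remote execution through PsExec and WMI with stolen credentials, and event log and USN journal clearing) all leave traces in process-creation telemetry. The script below is an added example, not code from the original post: it runs three simple rules over a handful of constructed log records and escalates any host that shows more than one stage. The pipe-separated record layout, the host and user names, and the exact command-line shapes used in the samples are assumptions of the example, chosen to match the behaviours this section describes.

```python
"""Scan process-creation records for the NotPetya behaviours described above.

Added example, not code from the original post. Record layout is assumed:
    timestamp|host|user|command line
Sample records are constructed; the command-line shapes are the ones
commonly reported for this malware and are assumptions of the example.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Alert:
    host: str
    stage: str
    reason: str
    command: str


# One rule per stage of the payload: execution, lateral movement, anti-forensics.
RULES = [
    ("execution",
     re.compile(r"rundll32(\.exe)?\s+\S*perfc\.dat\s*,\s*#\d+", re.I),
     "rundll32 loading perfc.dat by ordinal"),
    ("lateral_movement",
     re.compile(r"psexec(\.exe)?\s+\\\\\S+|wmic(\.exe)?\s+/node:\S+.*process\s+call\s+create", re.I),
     "remote execution on another host via PsExec or WMI"),
    ("anti_forensics",
     re.compile(r"wevtutil(\.exe)?\s+cl\s+\S+|fsutil(\.exe)?\s+usn\s+deletejournal", re.I),
     "event log clearing or USN journal deletion"),
]

# Constructed sample records (host names, users and timestamps are invented).
SAMPLE_LOGS = """\
2017-06-27T10:31:02Z|WS-ACCT-01|CORP\\svc_medoc|C:\\Windows\\System32\\rundll32.exe C:\\Windows\\perfc.dat,#1 30
2017-06-27T10:31:09Z|WS-ACCT-01|CORP\\svc_medoc|wmic.exe /node:"WS-ACCT-02" /user:"CORP\\helpdesk" /password:"<redacted>" process call create "C:\\Windows\\System32\\rundll32.exe \\"C:\\Windows\\perfc.dat\\" #1 30"
2017-06-27T10:31:15Z|WS-ACCT-01|CORP\\svc_medoc|wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
2017-06-27T10:32:40Z|FS-01|CORP\\backup|C:\\Program Files\\Backup\\agent.exe --schedule nightly
2017-06-27T10:33:01Z|WS-ACCT-02|CORP\\helpdesk|psexec.exe \\\\WS-ACCT-03 -accepteula -s -d C:\\Windows\\System32\\rundll32.exe C:\\Windows\\perfc.dat,#1 30
"""


def parse_record(line):
    # The command line is the last field and may itself contain spaces and quotes.
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}


def scan(log_text):
    """Return one Alert per (record, matching rule)."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_record(raw)
        for stage, pattern, reason in RULES:
            if pattern.search(rec["cmd"]):
                alerts.append(Alert(rec["host"], stage, reason, rec["cmd"]))
    return alerts


def stage_counts(alerts):
    return dict(Counter(a.stage for a in alerts))


def hosts_with_stages(alerts, minimum=2):
    """Hosts showing at least `minimum` distinct stages. A lone rundll32 hit
    could be benign; execution followed by remote execution or log clearing on
    the same host is the chain this section describes."""
    seen = {}
    for a in alerts:
        seen.setdefault(a.host, set()).add(a.stage)
    return sorted(h for h, s in seen.items() if len(s) >= minimum)


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for a in found:
        print(f"{a.host:<12} {a.stage:<17} {a.reason}")
    print("escalate:", hosts_with_stages(found))
```

In the sample, WS-ACCT-01 trips all three rules within seconds and WS-ACCT-02 trips two once it is reached over WMI, while the backup agent on FS-01 produces nothing. The rules are deliberately narrow; in production they belong beside broader detections for rundll32 with unusual DLL paths and for PsExec service installation.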
4 • The Single Oversight: The Broken ‘Vaccine’ Flaw
Analysts later discovered a potential “vaccine” mechanism. If the malware found a file named perfc or perfc.dat in the C:\Windows folder upon execution, it would terminate itself before carrying out the destructive actions, essentially preventing the infection.
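The check described above is easy to turn into a small administrative script. The code below is an added example, not from the original post: it reports whether the two file names exist and are read-only in a given directory, and creates any missing ones as empty read-only files. The directory is passed as a parameter so the functions can be exercised anywhere; on a real host it would be C:\Windows. The function names and return format are assumptions of the example.

```python
"""Report and create the NotPetya 'vaccine' files described in the post.

Added example, not code from the original post. The two file names and the
read-only attribute follow the post; function names and the return layout
are assumptions. Pass the Windows directory (C:\\Windows on a real host).
"""
import stat
import tempfile
from pathlib import Path

VACCINE_NAMES = ("perfc", "perfc.dat")


def vaccine_status(windows_dir):
    """Return {name: (exists, read_only)} for each vaccine file name."""
    status = {}
    for name in VACCINE_NAMES:
        p = Path(windows_dir) / name
        if p.is_file():
            # On Windows, Python reflects the read-only attribute in the write bits.
            read_only = not (p.stat().st_mode & stat.S_IWUSR)
            status[name] = (True, read_only)
        else:
            status[name] = (False, False)
    return status


def install_vaccine(windows_dir):
    """Create any missing vaccine files as empty, read-only files.

    Returns the names created. Existing files are left exactly as they are
    and show up in vaccine_status() instead, so nothing is ever overwritten.
    """
    created = []
    for name in VACCINE_NAMES:
        p = Path(windows_dir) / name
        if p.exists():
            continue
        p.touch()
        # Clear all write bits; on Windows this sets the read-only attribute.
        p.chmod(stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
        created.append(name)
    return created


def self_check():
    """Exercise both functions in a temporary directory standing in for C:\\Windows."""
    with tempfile.TemporaryDirectory() as d:
        before = vaccine_status(d)
        created = install_vaccine(d)
        again = install_vaccine(d)
        after = vaccine_status(d)
    return {"before": before, "created": created, "again": again, "after": after}


if __name__ == "__main__":
    print(self_check())
```

The page calls this a potential vaccine, and that is the right framing: it is tied to one binary's file name and is a stopgap beside patching, segmentation and backups, not a substitute for them.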
Attribution: The Sandworm Connection
In the years following the attack, multiple governments, including the United States, United Kingdom, Canada, and Australia, formally attributed the NotPetya attack to the Russian military intelligence (GRU).
The attack was specifically carried out by the Russian GRU-affiliated threat group known as Sandworm (also tracked as APT44 or Voodoo Bear).
NotPetya was not a cybercrime but a devastating act of state-sponsored cyber warfare targeting Ukraine’s critical infrastructure, timed to coincide with the country’s Constitution Day.
The Sandworm group is notorious for some of the most consequential cyberattacks in history, including the first-ever successful cyberattacks to cause power blackouts in Ukraine (2015 and 2016) and the Olympic Destroyer attack against the 2018 Pyeongchang Winter Olympics.

The Global Blackout: Maersk and the Domino Effect
The attack quickly spilled far beyond Ukraine’s borders, demonstrating the terrifying interconnectedness of the global economy.
The most famous and perhaps most devastating victim was A.P. Moller-Maersk, the world’s largest container shipping company. NotPetya spread through Maersk’s global network, reaching every corner of its operations.
Within hours, the company’s entire network was shut down. Computers in 76 ports across the globe went dark, terminals froze, and the company was forced to operate on manual processes and personal email accounts. The company’s total financial loss from the NotPetya attack was estimated to be between $200 and $300 million.
Maersk’s catastrophe was a wake-up call to the world, revealing that a cyberattack could have a physical, global impact on commerce and critical infrastructure.

More Global Victims
While Ukraine was the primary target, NotPetya’s worm-like capabilities caused a global catastrophe, affecting multinational corporations in over 65 countries across various sectors, leading to widespread operational disruption.
- Merck & Co. (Pharmaceuticals): The American pharmaceutical giant suffered significant disruption, reporting a colossal loss estimated at around $870 million.
- FedEx/TNT Express (Logistics): The FedEx subsidiary, TNT Express, had to shut down major parts of its systems, incurring hundreds of millions in losses.
- Mondelez International (Food & Beverage): The American company responsible for brands like Oreo and Cadbury suffered significant financial damages.
- DLA Piper, Saint-Gobain, Beiersdorf, Rosneft: A global law firm, a French construction materials company, a German personal care manufacturer, and even Russia’s largest oil producer were all affected, demonstrating the attack’s indiscriminate nature once it left the initial target.
- Healthcare and Critical Infrastructure: The attack compromised the radiation monitoring system at the Chernobyl Nuclear Power Plant, forcing a brief period of manual monitoring. Furthermore, a US hospital network, Heritage Valley Health System, was hit, impairing their provision of critical medical services by making patient lists and history unavailable.
Lessons from the Aftermath
The NotPetya attack delivered brutal, expensive, and unforgettable lessons for the cybersecurity world. The defenses that failed in 2017 are now the standards we must uphold.
- Patching is Non-Negotiable: Closing the Digital Window
NotPetya was able to spread so rapidly because it leveraged a critical, well-known vulnerability in the Server Message Block (SMB) protocol, the one exploited by EternalBlue. Although Microsoft had released a patch (MS17-010) months prior to the attack, many organizations had not yet applied it. The code contained the ability to spread via the EternalBlue/EternalRomance SMBv1 exploits, so patching remains imperative.
- Backups as Resilience: The Last Line of Defense
When your primary systems are wiped, your backup strategy becomes your only hope of survival. Maersk, along with other major victims, spent weeks rebuilding their global infrastructure from backups. The pain point was not the encryption itself, but the lack of an instantly usable and isolated backup that could restore operations in a timely manner.
Implement the 3-2-1 Rule (3 copies of data, 2 different media types, 1 copy off-site) and ensure your backups are immutable or segmented in such a way that the malware cannot reach and encrypt them.
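A backup inventory can be checked against the 3-2-1 rule and the isolation requirement mechanically. The script below is an added example, not the post's own code: it takes a list of backup copies, each tagged with its media type, location, whether it is immutable and whether production hosts can write to it, and reports every gap. The inventory layout and both sample inventories are constructed for the example; map the fields onto whatever your backup tooling reports.

```python
"""Check a backup inventory against the 3-2-1 rule and the isolation
requirement from the post.

Added example, not the post's own code. The inventory layout (name, media,
location, immutable, reachable_from_prod) and the sample entries are
constructed; map the fields onto whatever your backup tooling reports.
"""
from collections import Counter

# Constructed: a layout that satisfies 3-2-1 with one isolated copy.
SAMPLE_INVENTORY = [
    {"name": "san-snapshot", "media": "disk", "location": "dc1", "immutable": False, "reachable_from_prod": True},
    {"name": "nas-nightly",  "media": "disk", "location": "dc1", "immutable": False, "reachable_from_prod": True},
    {"name": "tape-weekly",  "media": "tape", "location": "vault", "immutable": True, "reachable_from_prod": False},
]

# Constructed: two disk copies in the production site, both writable from
# production hosts, which is the situation the post warns about.
FLAT_INVENTORY = [
    {"name": "nas-nightly", "media": "disk", "location": "dc1", "immutable": False, "reachable_from_prod": True},
    {"name": "nas-weekly",  "media": "disk", "location": "dc1", "immutable": False, "reachable_from_prod": True},
]


def survivors(inventory):
    """Copies expected to remain usable after a wiper running with harvested
    admin credentials sweeps production: immutable, or not reachable at all."""
    return [c["name"] for c in inventory if c["immutable"] or not c["reachable_from_prod"]]


def evaluate_321(inventory, production_sites=("dc1",)):
    """Return the list of gaps; an empty list means 3-2-1 plus isolation hold."""
    gaps = []
    if len(inventory) < 3:
        gaps.append(f"{len(inventory)} copies, need 3")
    media = Counter(c["media"] for c in inventory)
    if len(media) < 2:
        gaps.append(f"single media type {sorted(media)}, need 2")
    if not any(c["location"] not in production_sites for c in inventory):
        gaps.append("no off-site copy")
    if not survivors(inventory):
        gaps.append("no immutable or isolated copy: production credentials reach every copy")
    return gaps


if __name__ == "__main__":
    for label, inv in (("sample", SAMPLE_INVENTORY), ("flat", FLAT_INVENTORY)):
        print(label, "gaps:", evaluate_321(inv) or "none", "| survivors:", survivors(inv))
```

The fourth check is the one that matters most for a wiper with administrative credentials: a copy that counts toward "3 copies" but sits on a share the same credentials can write to is not a copy you can restore from.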
- Network Segmentation: Stop the Spread
NotPetya’s success lay in its ability to jump from one machine to another laterally across the network using stolen credentials and the EternalBlue exploit.
By dividing your network into smaller, isolated zones and applying specific security policies to each, you can contain a breach. An infection might take down one segment, but it won’t be able to spread and cause a global catastrophe.
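The two propagation paths from the Lateral Movement section (the MS17-010 exploit against unpatched hosts, and harvested credentials used with administrative tooling against patched ones) interact with segmentation in a way that is easier to see in a model than in prose. The simulation below is an added example, not code from the post: a small constructed estate of seven hosts is run under a flat SMB policy, a strict per-segment policy, and a partial policy where workstations may still reach servers, with and without the file server patched. Host names, segments, credential sets and the spread rules are assumptions that abstract the mechanisms the post describes.

```python
"""Model NotPetya-style spread on a flat versus a segmented network.

Added example, not code from the post. The topology, host states and
credential sets are constructed; the spread rules are a simplified
abstraction of the two paths described in the post:
  * exploit path      - an infected host reaches any host it may talk SMB to
                        that is unpatched for MS17-010;
  * credential path   - an infected host reaches any host it may talk SMB to
                        where a credential harvested so far grants admin
                        (PsExec/WMI-style remote execution).
Segmentation is an allow-list of which segments may talk SMB to which.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Host:
    name: str
    segment: str
    patched: bool            # MS17-010 applied?
    cached_creds: frozenset  # credentials sitting in memory, harvestable
    admin_creds: frozenset   # credentials that grant admin / remote exec here


# Constructed sample estate; names and credential sets are illustrative.
HOSTS = (
    Host("acct-ws-1",  "office",  False, frozenset({"acct-user", "helpdesk"}), frozenset({"helpdesk", "domain-admin"})),
    Host("acct-ws-2",  "office",  True,  frozenset({"helpdesk"}),              frozenset({"helpdesk", "domain-admin"})),
    Host("hr-ws-1",    "office",  True,  frozenset({"helpdesk"}),              frozenset({"helpdesk", "domain-admin"})),
    Host("file-srv",   "servers", False, frozenset({"domain-admin"}),          frozenset({"domain-admin"})),
    Host("backup-srv", "servers", True,  frozenset(),                          frozenset({"domain-admin"})),
    Host("erp-srv",    "servers", True,  frozenset(),                          frozenset({"erp-admin", "domain-admin"})),
    Host("web-dmz",    "dmz",     True,  frozenset(),                          frozenset({"web-admin"})),
)

ALL_SEGMENTS = {"office", "servers", "dmz"}
FLAT_POLICY = {seg: ALL_SEGMENTS for seg in ALL_SEGMENTS}   # any host may talk SMB to any other
STRICT_POLICY = {seg: {seg} for seg in ALL_SEGMENTS}         # SMB only inside a segment
PARTIAL_POLICY = {"office": {"office", "servers"}, "servers": {"servers"}, "dmz": {"dmz"}}


def simulate(hosts, policy, patient_zero):
    """Return {host: vector} for every host the worm reaches.

    Iterates to a fixpoint because a credential harvested on a host infected
    later (here, domain-admin on file-srv) can unlock hosts that were already
    out of reach on an earlier pass.
    """
    by_name = {h.name: h for h in hosts}
    infected = {patient_zero: "patient-zero"}
    changed = True
    while changed:
        changed = False
        harvested = frozenset().union(*(by_name[n].cached_creds for n in infected))
        for src_name in list(infected):
            src = by_name[src_name]
            for dst in hosts:
                if dst.name in infected or dst.segment not in policy.get(src.segment, ()):
                    continue
                if not dst.patched:
                    infected[dst.name] = "exploit(MS17-010)"
                elif harvested & dst.admin_creds:
                    infected[dst.name] = "credentials(" + ",".join(sorted(harvested & dst.admin_creds)) + ")"
                else:
                    continue
                changed = True
    return infected


def patch(hosts, *names):
    """Copy of the estate with the named hosts marked as patched."""
    return tuple(replace(h, patched=True) if h.name in names else h for h in hosts)


if __name__ == "__main__":
    cases = {
        "flat": (HOSTS, FLAT_POLICY),
        "strict": (HOSTS, STRICT_POLICY),
        "partial": (HOSTS, PARTIAL_POLICY),
        "partial + file-srv patched": (patch(HOSTS, "file-srv"), PARTIAL_POLICY),
    }
    for label, (estate, policy) in cases.items():
        result = simulate(estate, policy, "acct-ws-1")
        print(f"{label:<28} {len(result)}/{len(estate)} hosts: {result}")
```

Under the flat policy one unpatched workstation takes six of the seven hosts: the unpatched file server falls to the exploit, its cached domain-admin credential is harvested, and that credential then opens the patched backup and ERP servers. The strict policy holds the infection to the three office workstations. The partial policy, which is what many real networks look like, gives the same result as flat until the file server is patched, which is the point of the post's layered lessons: segmentation, patching and credential hygiene each close a path the others leave open.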
- Internal Evaluation: Find Flaws Before They Do
You cannot defend against weaknesses you don’t know you have. Periodic internal audits and penetration testing are crucial for a proactive defense. These evaluations simulate real-world attacks, allowing your organization to discover and correct security flaws before malicious actors can exploit them.
- Training: The Human Firewall
Technology alone is not enough. The M.E.Doc infiltration started with a phishing email. Continuous training for all personnel is essential to build a security-conscious culture. When employees are aware of modern threats and know how to recognize them, they become a powerful line of defense.

As we continue through Cybersecurity Awareness Month, let NotPetya be more than just a case study. Let it be a reminder of the stakes we play for. It was a geopolitical act of aggression disguised as cybercrime, proving that a few lines of code can bring global commerce to its knees. The principles it taught us, resilience through backups, vigilance in updates, containment via segmentation, and awareness through training, are not just best practices; they are the essential defenses for our modern world.