On June 27, 2017, malware began spreading from compromised tax software in Ukraine. Within hours, it had paralyzed hospitals, ports, and corporations across 64 countries. NotPetya masqueraded as ransomware demanding $300 in Bitcoin, but its encryption was irreversible—designed not to extort, but to destroy. The US, UK, Australia, Canada, and the European Union formally attributed the attack to Russian military intelligence unit Sandworm. Total economic damage exceeded $10 billion, making NotPetya the most destructive cyberattack in history.
At approximately 10:30 AM local time on June 27, 2017, computers across Ukraine began displaying ransom messages. The screens showed a red-on-black demand: $300 in Bitcoin to restore encrypted files, with payment verification instructions directing victims to email [email protected]. Within the first hour, thousands of Ukrainian organizations found their systems locked. Banks, government agencies, the Kyiv Metro, Boryspil International Airport, and businesses large and small faced the same screens.
The infection vector was M.E.Doc, Ukrainian tax accounting software used by approximately 400,000 individuals and organizations—virtually every company operating in Ukraine. The software was required for tax filing with Ukrainian authorities, ensuring near-universal adoption. That morning, M.E.Doc's update servers pushed what appeared to be a routine software update. The update was digitally signed with M.E.Doc's legitimate certificate, so client software trusted and automatically installed it.
The update contained malware that would become known as NotPetya. Within minutes of installation, it began spreading laterally through local networks and to connected systems. It exploited multiple propagation mechanisms: the EternalBlue exploit targeting a Windows SMB protocol vulnerability, credential harvesting using the Mimikatz tool to extract passwords from system memory, and PsExec for remote execution on other machines. This combination of techniques allowed it to move through corporate networks with extraordinary speed.
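The propagation chain described above leaves ordinary Windows event-log traces that a defender can alert on: PsExec registers a service (by default named PSEXESVC, System log Event ID 7045) on each machine it touches, and credential reuse shows up as one account opening network logons (Security log Event ID 4624, logon type 3) to many hosts within minutes. The following is an added illustration, not code from the article or from any vendor; the pipe-separated log export is a constructed, simplified format, and the host and account names are invented.

```python
"""Flag NotPetya-style lateral movement from (constructed) Windows event exports."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp | host | event id | account | key=value details.
# This is not a real EVTX layout; it only carries the fields the checks below need.
SAMPLE_LOG = """\
2017-06-27T10:31:02|FIN-WS01|7045|SYSTEM|ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2017-06-27T10:31:05|FIN-WS01|4624|CORP\\svc_backup|LogonType=3 SourceHost=ACCT-UA01
2017-06-27T10:31:06|FIN-WS02|4624|CORP\\svc_backup|LogonType=3 SourceHost=ACCT-UA01
2017-06-27T10:31:07|FIN-WS03|4624|CORP\\svc_backup|LogonType=3 SourceHost=ACCT-UA01
2017-06-27T10:31:08|HR-WS11|4624|CORP\\svc_backup|LogonType=3 SourceHost=ACCT-UA01
2017-06-27T10:31:09|HR-WS12|4624|CORP\\svc_backup|LogonType=3 SourceHost=ACCT-UA01
2017-06-27T10:31:10|HR-WS13|4624|CORP\\svc_backup|LogonType=3 SourceHost=ACCT-UA01
2017-06-27T11:05:00|FILESRV01|4624|CORP\\alice|LogonType=3 SourceHost=ENG-WS04
2017-06-27T11:20:00|FILESRV01|4624|CORP\\bob|LogonType=3 SourceHost=ENG-WS09
2017-06-27T12:00:00|PRINTSRV|7045|SYSTEM|ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe
"""


def parse_events(text):
    """Turn the pipe-separated export into a list of dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, account, details = line.split("|", 4)
        fields = dict(kv.split("=", 1) for kv in details.split())
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "eid": int(eid), "account": account, **fields})
    return events


def psexec_service_installs(events):
    """Hosts on which a service named PSEXESVC was registered (Event ID 7045).
    PSEXESVC is PsExec's default service name; renamed copies need other checks."""
    return sorted({e["host"] for e in events
                   if e["eid"] == 7045
                   and e.get("ServiceName", "").upper() == "PSEXESVC"})


def network_logon_fanout(events, window=timedelta(minutes=5), threshold=5):
    """Accounts whose network logons (4624, type 3) reached >= threshold distinct
    hosts inside `window`. One account touching many hosts within minutes is the
    signature of automated credential reuse rather than a person at a keyboard."""
    by_account = defaultdict(list)
    for e in events:
        if e["eid"] == 4624 and e.get("LogonType") == "3":
            by_account[e["account"]].append(e)
    hits = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):  # slide a window from each logon
            hosts = {x["host"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(hosts) >= threshold:
                hits[account] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("PsExec service installs:", psexec_service_installs(evs))
    for account, hosts in network_logon_fanout(evs).items():
        print(f"fan-out by {account}: {len(hosts)} hosts -> {hosts}")
```

Both checks are coarse on purpose: a backup or patching account legitimately fans out on a schedule, so the practical deployment is to baseline each account's normal fan-out and alert on the combination of a new PSEXESVC install and an unusual burst.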
Maersk, the world's largest container shipping company, had a single accounting system in Ukraine. NotPetya entered through that system and spread to Maersk's global network within seven minutes. The malware encrypted or destroyed data on approximately 49,000 laptops, 3,500 servers, and 2,000 applications across 600 sites in 130 countries. Maersk terminals at 76 ports worldwide could no longer process cargo. The company that handled nearly one-fifth of global container shipping was paralyzed.
Merck, the American pharmaceutical giant, lost functionality on approximately 30,000 computers and 7,500 servers. Production of vaccines including Gardasil stopped. FedEx's TNT Express subsidiary in Europe found its delivery network disabled. Nuance Communications, which provides medical transcription and diagnostic imaging services to hospitals, could no longer serve healthcare customers. Mondelēz International's factories stopped producing Oreos and Cadbury chocolate. The law firm DLA Piper, the advertising agency WPP, the French construction materials company Saint-Gobain, and the British consumer goods company Reckitt Benckiser all reported significant disruptions.
By the end of June 27, it was clear that this was not a typical ransomware outbreak. The geographic concentration in Ukraine, the scale of destruction, and the sophistication of the initial compromise suggested something different. Within 24 hours, cybersecurity researchers would confirm what many suspected: this was not ransomware at all.
Ransomware is a criminal business model. Attackers encrypt victims' files and provide decryption keys upon payment. The model only works if decryption is actually possible—otherwise, word spreads that paying is futile, and the revenue stream ends. Effective ransomware operations maintain customer service operations to ensure paying victims receive working decryption keys, protecting the criminals' reputation and future revenue.
NotPetya looked like ransomware but was not designed as ransomware. Cisco Talos researchers Craig Williams and Martin Lee published analysis on June 28, 2017, explaining why. NotPetya encrypted the Master File Table (MFT)—the index that tells Windows where files are located on disk—and replaced the Master Boot Record (MBR), the code that initiates the operating system loading process. The encryption used a randomly generated key that was not recoverable. The malware's code included no mechanism to actually decrypt the MFT even if a ransom was paid. Recovery was technically impossible.
"This is a wiper, not ransomware. The destructive nature and technical implementation indicate this was designed to destroy data, not generate revenue through extortion."
Craig Williams and Martin Lee — Cisco Talos Intelligence, June 2017
The ransom payment mechanism itself was non-functional. The email address provided for payment verification—[email protected]—was shut down by the German email provider Posteo within hours of the attack, making payment verification impossible. Even victims who paid immediately in the attack's first hours had no way to prove payment or receive decryption keys. By the time researchers tallied the Bitcoin payments, approximately $10,000 had been sent to the provided wallet address across roughly 30 payments. For malware that caused $10 billion in global damage, collecting $10,000 was not the objective.
The malware was designed to masquerade as ransomware while actually functioning as a wiper—malware designed to destroy data rather than enable extortion. The ransomware appearance provided cover, creating initial confusion about attribution and motive. If the attack looked like criminal ransomware, it might not be immediately recognized as state-sponsored warfare.
ESET researcher Anton Cherepanov identified M.E.Doc as the infection vector on June 28, 2017, based on telemetry data from ESET's antivirus customers in Ukraine. The data showed M.E.Doc processes initiating malware execution. Cherepanov's further investigation revealed that the M.E.Doc infrastructure had been compromised months earlier, in October 2016, with attackers deploying reconnaissance malware and maintaining persistent access to the update servers.
Ukrainian police raided M.E.Doc developer Intellect Service's offices on July 4, 2017, seizing servers and equipment. The company initially denied the compromise, but forensic evidence was conclusive. The sophistication of the long-term infrastructure compromise, the development of custom malware, and the strategic timing pointed to a well-resourced attacker, not a criminal group.
Researchers began connecting NotPetya to previous attacks. The code contained similarities to BlackEnergy and Industroyer, malware families used in the December 2015 and December 2016 attacks on Ukrainian electrical infrastructure. Those attacks, which caused power outages affecting hundreds of thousands of civilians, had been attributed to a threat actor known as Sandworm Team, also called Telebots and Voodoo Bear.
Sandworm had been tracked since at least 2009, with operations consistently targeting Ukrainian interests and occasionally Western organizations. The group used custom malware, sophisticated social engineering, and long-term infrastructure compromises. Intelligence agencies in multiple countries had linked Sandworm to Unit 74455 of Russia's GRU military intelligence service, though public attribution was typically avoided for diplomatic reasons.
NotPetya changed the attribution calculus. The attack's scale, the damage inflicted on Western companies, and the risk of escalation prompted governments to formally attribute the attack despite the usual preference for ambiguity in cyber operations.
On February 15, 2018, the White House issued a statement: "In June 2017, the Russian military launched the most destructive and costly cyberattack in history." The statement explicitly named NotPetya and described it as part of the Kremlin's effort to destabilize Ukraine. White House Press Secretary Sarah Sanders stated it would "be met with international consequences."
The attribution was coordinated. The UK's National Cyber Security Centre issued a statement the same day declaring that "the Russian military was almost certainly responsible." Australia, Canada, and the European Union issued similar statements. The coordinated attribution represented an unusual step—governments rarely publicly attribute cyberattacks to specific nation-states, particularly major powers, due to concerns about escalation and the need to protect intelligence sources and methods.
"No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite."
John Demers, US Assistant Attorney General — Department of Justice, October 2020
In October 2020, the US Department of Justice indicted six officers of the GRU's Unit 74455. The indictment charged Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin with conspiracy to conduct computer fraud and abuse, wire fraud, and aggravated identity theft. The charges covered NotPetya, attacks on the 2018 PyeongChang Winter Olympics, the 2017 French elections, and attacks targeting investigations into the nerve agent poisoning of Sergei Skripal in the UK.
The indicted individuals remain in Russia, which does not extradite its citizens. The indictments are largely symbolic, but they publicly document the US government's evidence and serve as a formal accusation of state-sponsored cyberwarfare.
NotPetya's rapid global spread was enabled by EternalBlue, an exploit developed by the US National Security Agency and leaked in April 2017 by a hacking group calling itself Shadow Brokers. EternalBlue exploited a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol used for file sharing and network communication in Windows.
The NSA had discovered the vulnerability and developed EternalBlue as a tool for intelligence operations, allowing remote code execution on vulnerable Windows systems. The agency did not disclose the vulnerability to Microsoft for patching, instead retaining it as part of its offensive cyber toolkit—a practice governed by the Vulnerabilities Equities Process, which weighs the intelligence value of exploits against the security risk to American systems if those exploits leak or are independently discovered by adversaries.
In early 2017, the NSA apparently concluded that the Shadow Brokers group had obtained or might soon release EternalBlue. Microsoft released security update MS17-010 on March 14, 2017, patching the SMB vulnerability. The company did not publicly explain why the patch was being issued on an emergency basis outside the normal monthly security update cycle. Shadow Brokers publicly released EternalBlue and other NSA tools on April 14, 2017.
Organizations had more than three months to apply the patch before NotPetya was deployed on June 27. Many did not. Patching enterprise systems requires testing, change management processes, and coordination—it cannot typically happen immediately. Some organizations run older operating systems no longer supported by Microsoft and thus did not receive patches. Some deliberately delay patches to avoid breaking critical applications. The result was that millions of systems remained vulnerable.
The WannaCry ransomware attack in May 2017—five weeks before NotPetya—also used EternalBlue and spread globally, infecting more than 200,000 computers across 150 countries and disrupting UK National Health Service operations. WannaCry prompted additional warnings about the importance of applying the MS17-010 patch, but many systems remained unpatched.
Microsoft President Brad Smith wrote in a blog post following WannaCry: "The governments of the world should treat this attack as a wake-up call. This attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today—nation-state action and organized criminal action." Smith compared the Shadow Brokers leak to "the US military having some of its Tomahawk missiles stolen."
The debate over the NSA's vulnerability stockpiling intensified after NotPetya. Intelligence agencies argue that cyber tools are necessary for national security operations—gathering intelligence, disrupting adversaries, and attributing attacks. Security researchers and technology companies argue that undisclosed vulnerabilities put everyone at risk, particularly when those vulnerabilities inevitably leak and are weaponized by adversaries. NotPetya demonstrated that leaked intelligence tools could enable attacks causing billions in economic damage.
Quantifying the total economic impact of NotPetya is difficult because many affected companies did not publicly disclose their losses, but available data indicates damages exceeding $10 billion globally.
These seven companies alone disclosed approximately $2.3 billion in losses, and they represent a fraction of affected organizations. Thousands of companies experienced disruptions but did not publicly quantify their losses. The Ukrainian government estimated that the attack cost Ukrainian organizations hundreds of millions of dollars, but did not provide a precise figure. Small and medium businesses affected by the attack typically lack the resources for comprehensive damage accounting and often do not disclose impacts publicly.
For Maersk, the damage extended beyond the immediate $300 million in lost revenue and recovery costs. The company had to physically reinstall operating systems on 4,000 servers and 45,000 PCs. Every application had to be reinstalled and reconfigured. Maersk employed its entire global IT staff continuously for ten days, working around the clock. The company was only able to restore operations because a single domain controller—a server containing the Active Directory database that manages network authentication—in Ghana was offline during the attack due to a power outage, preserving a backup copy of the authentication database. Without that accidental backup, Maersk's entire IT infrastructure would have been permanently destroyed.
Merck's disruptions affected vaccine production. The company experienced shortages of Gardasil, its HPV vaccine, in the US market throughout late 2017 and into 2018. Production delays cascaded through pharmaceutical supply chains and distribution networks. The $870 million disclosed loss represented lost sales, production downtime, and IT recovery costs, but did not account for longer-term impacts on customer relationships, market share, or public health outcomes from vaccine shortages.
FedEx's TNT Express subsidiary lost business volume permanently. Customers whose shipments were stranded or delayed during the outage switched to competitors. The extended restoration period—several weeks before systems were fully functional—damaged TNT's market position in Europe. FedEx's planned integration of TNT systems into the broader FedEx network was delayed by years.
The economic damage from NotPetya triggered a legal question that remains unresolved: Does cyber insurance cover state-sponsored attacks that governments classify as acts of war?
Mondelēz International filed insurance claims for approximately $100 million in losses under property insurance policies that included cyber coverage. In 2018, Zurich American Insurance Company denied the claim, citing the policy's "hostile or warlike action" exclusion clause. Zurich pointed to the White House, UK, and EU statements attributing NotPetya to the Russian military, arguing that the attack constituted an act of war explicitly excluded from coverage.
Mondelēz sued Zurich in Illinois state court in October 2018. The company argued that war exclusion clauses were written to address kinetic military conflicts between nation-states, not cyberattacks, and that interpreting them to exclude state-sponsored hacking would effectively eliminate cyber coverage for most serious attacks, since sophisticated attacks are often state-sponsored. Mondelēz contended that it had purchased and paid for cyber coverage specifically to protect against such incidents.
Zurich countered that government attribution to Russian military intelligence clearly established the attack as a warlike action by a nation-state, precisely the scenario the war exclusion was designed to exclude. The insurer argued that allowing claims for acts of war would expose insurance companies to unlimited losses from geopolitical conflicts, fundamentally undermining insurance risk modeling.
The case settled confidentially in October 2022, before reaching final judicial determination. Neither party disclosed the settlement terms. The lack of a judicial decision left the underlying legal question unresolved.
"If war exclusions apply to cyberattacks attributed to foreign militaries, then cyber insurance coverage is effectively illusory for the most serious threats that companies face."
Mondelēz legal brief — Circuit Court of Cook County, Illinois, 2018
Merck faced a similar situation. The company's insurers denied a $1.4 billion claim, invoking war exclusions based on the attribution of NotPetya to the Russian military. Merck sued its insurers in New Jersey Superior Court. In January 2022, Judge Thomas Betancourt ruled partially in Merck's favor, finding that standard war exclusion language referencing "hostile or warlike action in time of peace or war" did not unambiguously exclude cyberattacks. The judge noted that the exclusions were drafted for physical warfare scenarios and that applying them to cyber operations required clearer language explicitly addressing cyber incidents. Judge Betancourt ordered insurers to pay Merck's claims, though the exact settlement details were not disclosed.
The Merck decision established precedent, at least in New Jersey, that traditional war exclusions do not clearly exclude state-sponsored cyberattacks. However, insurance companies have responded by drafting new exclusion language explicitly addressing cyber warfare. Many cyber insurance policies now include specific exclusions for attacks attributed to nation-states or categorized as acts of war, cyber warfare, or cyber terrorism.
The evolution of these exclusions creates a paradox: companies purchase cyber insurance to protect against sophisticated attacks, but sophisticated attacks are often state-sponsored, and state-sponsored attacks are increasingly excluded from coverage. The insurance industry's position is that acts of war constitute uninsurable risks because they are unpredictable, potentially unlimited, and correlated—a single attack can cause claims from thousands of policyholders simultaneously. Companies' position is that if cyber insurance excludes state-sponsored attacks, the coverage excludes precisely the most severe threats organizations face.
NotPetya occurred during an ongoing conflict between Russia and Ukraine that began with Russia's 2014 annexation of Crimea and support for separatists in eastern Ukraine. The cyberattack was part of a broader hybrid warfare campaign combining military operations, disinformation, economic pressure, and cyber operations.
Ukraine had been subject to sustained cyberattacks since 2014. In December 2015, attackers later identified as Sandworm compromised Ukrainian power distribution companies and caused blackouts affecting approximately 225,000 customers. In December 2016, a similar attack targeted Kyiv's power infrastructure using Industroyer malware designed specifically to interact with industrial control systems in electrical substations. Ukrainian banks, media companies, and government agencies experienced repeated compromises. The cyber campaign aimed to destabilize Ukrainian society, undermine confidence in institutions, and demonstrate Russia's capabilities and Ukraine's vulnerabilities.
NotPetya fit this pattern. The use of M.E.Doc software—required for Ukrainian tax compliance—ensured maximum penetration within Ukraine. Approximately 80% of initial NotPetya infections occurred in Ukrainian organizations. The attack targeted Ukrainian critical infrastructure, businesses, and government systems simultaneously.
The global spread appears to have been collateral damage, though not unforeseeable collateral damage. The attackers would have known that M.E.Doc was used by multinational corporations with operations in Ukraine, including Maersk, Merck, and many others. When NotPetya infected those companies' Ukrainian systems, it spread through their global networks. The attackers either accepted this global spread as acceptable collateral damage or intended it as a demonstration of capability and willingness to cause widespread destruction.
The scale of damage to Western companies may have been surprising even to the attackers. A malware deployment intended to paralyze Ukraine for days or weeks instead caused $10 billion in global damage and prompted unprecedented public attribution and indictments. The response indicated that NotPetya crossed a threshold—the international community treated it as an act of aggression warranting diplomatic consequences, even if those consequences were largely symbolic.
Russia has consistently denied responsibility for NotPetya and other cyberattacks attributed to it by Western governments. Russian officials characterize the attributions as politically motivated and unsupported by public evidence. The Kremlin has stated that Russia does not conduct offensive cyber operations and that any such activity by Russian citizens occurs without government knowledge or authorization.
Western intelligence agencies do not publicly release the detailed evidence underlying their attribution assessments, citing the need to protect sources and methods. The available evidence is technical—code analysis, infrastructure overlaps with previous operations, targeting patterns—combined with signals intelligence and human intelligence that governments do not disclose. Independent cybersecurity researchers have reached the same attribution conclusions based solely on technical evidence, lending credibility to the government assessments.
NotPetya demonstrated that cyberattacks can cause economic damage rivaling kinetic military strikes. The $10 billion in losses exceeded the cost of many conventional military operations. The attack disrupted global supply chains, pharmaceutical production, shipping logistics, and critical infrastructure without firing a shot or destroying physical infrastructure. The digital destruction created real-world consequences across multiple sectors and countries.
The attack also demonstrated the inadequacy of existing legal and policy frameworks. International humanitarian law and the laws of armed conflict do not clearly address cyberattacks. The United Nations and other international bodies have debated cyber norms, but no binding international treaty governs state behavior in cyberspace. Attribution is difficult, consequences are limited, and deterrence is uncertain.
Companies affected by NotPetya implemented significant cybersecurity improvements, but structural vulnerabilities remain. Organizations still rely on complex software supply chains vulnerable to compromise. Patching remains inconsistent. Network segmentation is often inadequate to prevent lateral movement. The same techniques NotPetya used—exploiting software vulnerabilities, harvesting credentials, moving laterally through networks—remain effective in subsequent attacks.
The debate over the NSA's vulnerability stockpiling continues. Intelligence agencies maintain that cyber tools are essential for national security, counterterrorism, and strategic intelligence collection. Critics argue that stockpiling vulnerabilities leaves everyone less secure, particularly when those tools leak and enable attacks like NotPetya. The Vulnerabilities Equities Process remains opaque, and the criteria for deciding whether to disclose or retain vulnerabilities are classified.
Five years after NotPetya, Russia launched a full-scale military invasion of Ukraine in February 2022. The invasion was accompanied by cyberattacks targeting Ukrainian government systems, media organizations, and critical infrastructure. Sandworm and other Russian cyber units deployed wiper malware against Ukrainian targets. The cyber operations during the 2022 invasion demonstrated lessons learned from NotPetya—the attacks were more targeted, with less risk of uncontrolled global spread, though still destructive within Ukraine.
NotPetya established that cyberattacks could be weapons of war causing strategic-level damage. The question of how to deter such attacks, hold attackers accountable, and protect critical infrastructure and economic systems remains unresolved. Attribution is more common than it was before NotPetya, but consequences remain limited to sanctions, indictments, and diplomatic statements—none of which prevented subsequent attacks. The economic and insurance implications continue to evolve as companies, insurers, and policymakers grapple with the reality that state-sponsored cyberattacks are a persistent threat with potentially catastrophic costs.