Wiper · Resolved

NotPetya destructive wiper

A destructive wiper disguised as ransomware, propagated via a compromised Ukrainian accounting software update. Estimated $10 billion in global damage — the most economically destructive cyberattack in history.

Victim
M.E.Doc users (Maersk, Merck, FedEx-TNT, Mondelez, Saint-Gobain et al.)
Loss
$10.00B

On 27 June 2017, the Russian GRU's Unit 74455 (publicly known as Sandworm) released NotPetya, a destructive wiper disguised as ransomware that became, in dollar terms, the most damaging cyberattack in history. The target was Ukraine; the blast radius reached every multinational with a single Ukrainian subsidiary.

What happened

Sandworm operators compromised the update infrastructure of M.E.Doc, a Ukrainian accounting software vendor whose tax-filing tool was installed on roughly 80% of Ukrainian businesses' workstations. At 10:30 EEST on 27 June — the eve of Ukraine's Constitution Day holiday — a malicious M.E.Doc update pushed a wiper carrying:

  • EternalBlue (CVE-2017-0144), the NSA's SMB exploit leaked by Shadow Brokers two months earlier
  • Mimikatz-style credential harvesting
  • A modified Petya ransomware shell as cover

The payload spread laterally via EternalBlue and credential reuse — and was unstoppably efficient. Maersk's entire global IT estate was destroyed in approximately seven minutes: 4,000 servers and 45,000 workstations went dark in a coordinated wave that propagated faster than any human could respond.

The "ransomware" demand was for $300 in bitcoin, paid to a single hardcoded wallet with no per-victim infrastructure for delivering decryption. Within days Cisco Talos and ESET confirmed that no decryption was possible — the malware's "encryption" was destructive corruption, not a recoverable cipher. It was a wiper masquerading as ransomware, a destructive operation with a smokescreen.

Impact

  • A.P. Moller-Maersk: ~$300M direct loss + multi-week shipping disruption affecting roughly 20% of global container capacity. Maersk re-built its entire IT estate from a single surviving domain controller in Ghana that happened to be offline during the wave.
  • Merck: ~$870M loss; pharmaceutical manufacturing disrupted for months. Litigated insurance coverage and won — the "act of war" exclusion dispute that followed established important precedent for cyber-insurance.
  • FedEx-TNT: ~$400M loss; TNT's European operations effectively rebuilt from scratch.
  • Mondelez: ~$100M loss; Cadbury production lines halted. Same insurance dispute as Merck.
  • Saint-Gobain: ~€220M loss; French construction-materials operations across Europe paralyzed.
  • Reckitt Benckiser, Beiersdorf, Cadbury, Nuance Communications, WPP, Heritage Valley Health System: each reported losses in the tens of millions.
  • Total global damage: approximately $10 billion.

Attribution

In February 2018, the U.S., U.K., Australia, Canada, Denmark, Estonia, Lithuania, Norway, Latvia and Finland jointly attributed NotPetya to the Russian military. On 19 October 2020, the U.S. Department of Justice unsealed an indictment of six named GRU Unit 74455 officers — Andrienko, Detistov, Frolov, Kovalev, Ochichenko, and Pliskin — for NotPetya and a string of other Sandworm operations.

Why it matters

NotPetya is the canonical case for cyberattack collateral damage at the global scale. The intended target was Ukraine, but Sandworm's selection of M.E.Doc as the supply-chain vector — knowing it was deeply embedded in any multinational with Ukrainian operations — guaranteed worldwide propagation. The operation also catalysed:

  • The "act of war" cyber-insurance litigation (Merck v. ACE et al., Mondelez v. Zurich) that reshaped exclusion clauses for nation-state attacks.
  • The 2018 U.S. Cyber Solarium Commission and subsequent SEC disclosure rule changes around material cyber incidents.
  • The doctrinal reclassification of wiper-as-ransomware as a distinct technique tracked separately by every major threat-intel program.

Financial impact

Reported costs in USD

Total reported loss
$10.00B (USD · $10,000,000,000)
Ransom demanded
$300
Ransom paid
Refused
  • Business loss: $8.50B
  • Remediation: $1.50B

Timeline

  1. Shadow Brokers release the EternalBlue SMB exploit (CVE-2017-0144) leaked from the NSA.

  2. Sandworm operators compromise the update infrastructure of M.E.Doc, a Ukrainian accounting software used by ~80% of Ukrainian businesses for tax filing.

  3. Malicious M.E.Doc update pushed at 10:30 EEST. Initial infections begin spreading through Ukrainian networks within minutes.

  4. Maersk's global IT estate is wiped in roughly 7 minutes via EternalBlue + Mimikatz lateral movement; 4,000 servers and 45,000 workstations destroyed.

  5. Merck, FedEx-TNT, Mondelez, Saint-Gobain, Reckitt Benckiser, Beiersdorf, and Cadbury disclose impact.

  6. Cisco Talos and ESET publish analysis showing the ransomware payment scheme was fake — no decryption was possible. Confirmed as a wiper, not ransomware.

  7. U.S., U.K., Australia, Canada, Denmark and others jointly attribute NotPetya to the Russian military.

  8. U.S. DOJ unseals indictment of six GRU Unit 74455 officers for NotPetya and other Sandworm operations.

Sources

  1. justice.gov: https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and
  2. wired.com: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
  3. nato.int: https://www.nato.int/cps/en/natohq/news_165039.htm

Related incidents

Wiper · Contained

Viasat KA-SAT AcidRain wiper

One hour before Russia's invasion of Ukraine, Sandworm operators deployed the AcidRain wiper against Viasat KA-SAT satellite modems, bricking ~30,000 European terminals and 5,800 German wind turbines and disabling Ukrainian military command-and-control.

Victim
Viasat KA-SAT (subscribers across Ukraine and Europe)
Loss
$100.0M