
NotPetya: The $10 Billion Cyberattack Disguised as Ransomware

Global network disruption

Yesterday, a massive cyberattack hit organizations worldwide. It started in Ukraine and spread globally within hours. Maersk, the world's largest shipping company. Merck, the pharmaceutical giant. WPP, the advertising conglomerate. FedEx's TNT Express division. Thousands of businesses across 65 countries.

It looks like Petya ransomware. It acts like Petya ransomware. But security researchers are reaching a disturbing conclusion: it's not actually ransomware. It's a cyberweapon designed to destroy data, using a ransomware disguise to misdirect.

What Makes NotPetya Different

It Wasn't Designed to Make Money

Real ransomware operators want to get paid. They make it easy to pay, provide functional decryption tools, and sometimes even offer "customer support." NotPetya's payment mechanism was designed to fail. It used a single email address for payment confirmation, which was immediately shut down by the email provider. There was no way to receive a decryption key, even if you paid.

Security researchers analyzing the code found that NotPetya irreversibly overwrites the Master Boot Record. Even the attackers can't decrypt the data. This isn't ransomware. It's a wiper with a ransom note stapled to it.

It Spread Through a Software Update

NotPetya's initial infection vector wasn't email. It came through a legitimate software update for M.E.Doc, a tax accounting program widely used in Ukraine. The attackers compromised M.E.Doc's update servers and pushed the malware as an official software update. If your organization used M.E.Doc, you were infected automatically.

This is a supply chain attack. You trusted the software vendor. The vendor's update mechanism was compromised. Your trust was weaponized against you.

It Used Everything

Once inside a network, NotPetya used multiple spreading mechanisms: the same EternalBlue SMB exploit as WannaCry, credential harvesting from memory using Mimikatz, Windows Management Instrumentation (WMI), and PsExec for remote execution. Even fully patched machines could be infected if the worm harvested admin credentials from a vulnerable machine on the same network.
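The three non-exploit mechanisms above (PsExec, WMI remote execution, credential harvesting from LSASS memory) each leave a distinctive trace in standard Windows logging. The following is an added example, not code from the original post: it runs simple detection logic over constructed Windows event records whose fields follow Security event 4688 (process creation), System event 7045 (service installed) and Sysmon event 10 (process access), then correlates hits per host, since one machine showing both credential access and remote execution is the pattern of a worm hopping through the network. The allow-list of processes permitted to read LSASS and the sample paths are assumptions you would tune for your own estate.

```python
"""Flag PsExec, WMI remote execution and LSASS memory access in Windows
event records, then correlate findings per host.

Added example, not from the original post. Field names follow Security 4688,
System 7045 and Sysmon 10; the sample records and allow-list are constructed
assumptions, not observed NotPetya artifacts."""
from collections import defaultdict
from dataclasses import dataclass

# Processes that legitimately open LSASS on a typical host (assumption: tune per estate).
LSASS_READERS_ALLOWED = ("\\msmpeng.exe", "\\csrss.exe", "\\wininit.exe", "\\services.exe")
# Children that a remote WMI call typically spawns to run a payload.
WMI_SUSPICIOUS_CHILDREN = ("\\cmd.exe", "\\powershell.exe", "\\rundll32.exe", "\\wscript.exe")


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    detail: str


def detect_lateral_movement(events):
    """Return one Finding per event that matches a known lateral-movement trace."""
    findings = []
    for ev in events:
        host = ev.get("Computer", "unknown")
        eid = ev.get("EventID")
        if eid == 7045:
            # PsExec copies PSEXESVC.exe to the target's ADMIN$ share and registers it as a service.
            name = ev.get("ServiceName", "")
            path = ev.get("ImagePath", "")
            if name.upper() == "PSEXESVC" or "psexesvc" in path.lower():
                findings.append(Finding(host, "psexec_service_install",
                                        f"service {name!r} installed from {path!r}"))
        elif eid == 4688:
            # Processes started through remote WMI run under the WMI provider host.
            parent = ev.get("ParentProcessName", "").lower()
            child = ev.get("NewProcessName", "").lower()
            if parent.endswith("\\wmiprvse.exe") and child.endswith(WMI_SUSPICIOUS_CHILDREN):
                findings.append(Finding(host, "wmi_remote_exec",
                                        f"{child} spawned by WmiPrvSE: {ev.get('CommandLine', '')}"))
        elif eid == 10:
            # Credential dumpers read LSASS memory; almost nothing else needs to.
            target = ev.get("TargetImage", "").lower()
            source = ev.get("SourceImage", "").lower()
            if target.endswith("\\lsass.exe") and not source.endswith(LSASS_READERS_ALLOWED):
                findings.append(Finding(host, "lsass_memory_access",
                                        f"{source} opened lsass.exe with access {ev.get('GrantedAccess')}"))
    return findings


def hosts_with_chained_techniques(findings, min_techniques=2):
    """Hosts showing at least min_techniques distinct techniques: the worm-hop pattern."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.technique)
    return sorted(h for h, t in by_host.items() if len(t) >= min_techniques)


# Constructed sample: benign noise plus one hit per technique.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 4688,
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
    {"Computer": "WS01", "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"Computer": "WS02", "EventID": 4688,
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "NewProcessName": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\payload.dll,#1"},
    {"Computer": "WS02", "EventID": 10,
     "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"Computer": "WS02", "EventID": 10,
     "SourceImage": "C:\\Users\\Public\\dump.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    hits = detect_lateral_movement(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.host}: {h.technique}: {h.detail}")
    print("chained on:", hosts_with_chained_techniques(hits))
```

The per-host correlation is the part worth keeping: a single PSEXESVC install is routine in many environments, but a host that both read LSASS memory and launched a payload via WmiPrvSE within the same window is exactly the harvest-then-hop behaviour the post describes.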

The Damage

NotPetya will ultimately cause an estimated $10 billion in damages worldwide:

  • Maersk: Complete IT system rebuild. 45,000 PCs and 4,000 servers reimaged. Estimated cost: $300 million.
  • Merck: Manufacturing disruption lasting months. Estimated cost: $870 million.
  • FedEx/TNT: Operations disrupted for weeks. Estimated cost: $400 million.
  • Mondelez (Cadbury, Oreo): Manufacturing and distribution disruption. Estimated cost: $188 million.

Lessons for Your Practice

1. Patching alone isn't enough. NotPetya could spread even to patched machines through credential theft. Layered security is essential: patching plus network segmentation plus credential protection plus monitoring.

2. Your vendors are your attack surface. A compromised software update can bypass every defense you have. Evaluate your vendors' security. Ask about their update signing and distribution security.

3. Network segmentation is critical. NotPetya spread because networks were flat. If your PMS server, workstations, and backups are all on the same network segment with shared credentials, one compromised machine can take down everything.

4. Admin credential management matters. Don't use domain admin accounts for daily work. Don't leave admin credentials cached on workstations. Use unique local admin passwords on each machine.

5. Offline backups are your last resort. If everything on your network can be destroyed by a single attack, your recovery depends on backups that the attack can't reach. Offline. Air-gapped. Tested.
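"Tested" in lesson 5 means more than confirming the backup job ran: a restore has to be compared against what was captured. The following is an added example, not code from the original post. It records a SHA-256 manifest of a file tree at backup time and verifies a restored tree against it, reporting missing, modified and stray files; the `demo_run()` function fabricates a small file tree in a temporary directory (file names and contents are constructed) so the check runs offline.

```python
"""Verify a restored backup byte-for-byte against a manifest captured at
backup time. Added example, not from the original post; the demo file tree
is constructed."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backup sets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file (path relative to root, POSIX separators) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restore_root):
    """Compare a restored tree with the manifest; 'ok' only if nothing is missing or changed."""
    restored = build_manifest(restore_root)
    missing = sorted(k for k in manifest if k not in restored)
    modified = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    extra = sorted(k for k in restored if k not in manifest)
    return {"ok": not (missing or modified), "missing": missing,
            "modified": modified, "extra": extra}


def demo_run():
    """Constructed scenario: back up three files, restore them cleanly, then damage the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "live"
        (src / "db").mkdir(parents=True)
        (src / "db" / "records.bak").write_bytes(b"record-1\nrecord-2\n")
        (src / "config.ini").write_text("server=pms01\n")
        (src / "notes.txt").write_text("quarterly close\n")
        # The manifest is what an offline copy should contain; store it with the backup.
        manifest = build_manifest(src)

        restore = Path(tmp) / "restore"
        shutil.copytree(src, restore)
        clean = verify_restore(manifest, restore)

        # Simulate a bad restore: one file truncated, one missing, one stray file present.
        (restore / "db" / "records.bak").write_bytes(b"record-1\n")
        (restore / "notes.txt").unlink()
        (restore / "stray.tmp").write_text("leftover\n")
        damaged = verify_restore(manifest, restore)
        return clean, damaged


if __name__ == "__main__":
    for label, result in zip(("clean restore", "damaged restore"), demo_run()):
        print(label, result)
```

Keep the manifest with the offline copy, not only on the live network: if the attack can alter both the data and the record of what the data should be, the test proves nothing.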

WannaCry was a warning shot. NotPetya is a direct hit. The next one is coming. Be ready.