On June 27, 2017, at approximately 10:30 UTC, computers across Ukraine began to display a black screen with red text demanding 300 USD in Bitcoin. Within two hours the same screen was showing at Maersk's headquarters in Copenhagen, in Merck's manufacturing plants in Pennsylvania, in Mondelez's Cadbury facilities in Birmingham, and on 7,000 workstations at Reckitt Benckiser. The White House later put the total damage at more than 10 billion USD, which makes it the most costly cyber incident on record.
It arrived through an accounting program's auto-update.
The carrier: M.E.Doc
M.E.Doc, produced by the small Ukrainian firm Intellect Service (Linkos Group), is tax accounting software: roughly the Ukrainian equivalent of TurboTax plus QuickBooks, and one of a handful of packages accepted for electronic filing with the Ukrainian tax authorities. In 2017 it ran at an estimated 80 percent of Ukrainian enterprises, including the Ukrainian subsidiaries of multinationals, which is how Maersk, Merck, and FedEx's TNT unit ended up on fire that Tuesday.
M.E.Doc included an auto-update mechanism, ezvit.exe, which pulled update packages from Intellect Service's update server. That server had been compromised since at least April 2017. Three trojanized M.E.Doc updates were pushed before June 27: on April 14, on May 15, and on June 22. Each carried a backdoor inside an otherwise legitimate program module. The backdoor collected the EDRPOU tax identifier and the proxy and mail settings of every organization that installed it, which told the attackers exactly which companies they were inside, and it could fetch and run arbitrary binaries on command. The June 22 update, delivered five days before the outbreak, put that backdoor in place on the machines through which NotPetya itself was delivered on June 27.
The payload
The NotPetya binary did four things:
- Credential harvesting. It ran a bundled, modified Mimikatz to pull credentials from LSASS.
- Network propagation. It used three mechanisms in parallel: EternalBlue (CVE-2017-0144, the same SMBv1 bug WannaCry had exploited six weeks earlier), EternalRomance (CVE-2017-0145), and lateral movement over SMB with the harvested credentials, using PsExec and WMIC. The two exploits only worked against unpatched hosts; the credential path worked against fully patched ones, which is why patched networks fell anyway.
- Disk destruction. With administrative privileges it overwrote the Master Boot Record with its own boot code, scheduled a reboot, and on reboot encrypted the Master File Table of the NTFS volume behind a fake CHKDSK progress screen. Without those privileges it fell back to encrypting individual files in user mode. Either way, it then displayed a ransom note.
- The lie. The ransom note demanded 300 USD in Bitcoin to a single hard-coded address and asked victims to mail proof of payment to a single mailbox at the German provider Posteo. Both were useless. Posteo shut the mailbox down within hours, and the installation ID the note asked victims to send was random bytes that encoded nothing about the encryption key, so even a cooperative attacker could not have produced a decryptor. There was no decryption key, and there was no one to send it to.
That last point is what separated NotPetya from ransomware. Ransomware is a business. It has customer service. It has working decryption because the attacker wants the next victim to pay. NotPetya had none of those things. It was a wiper disguised as ransomware, intended to look criminal while acting strategic.
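The PsExec path in the propagation bullet above is the one a defender can actually see in ordinary Windows telemetry: a network logon on the target (Security event 4624, logon type 3) followed seconds later by the PSEXESVC service being installed there (System event 7045), repeated by the same account across host after host. The Go program below is an added example written for this page, not code from the original article or from any vendor. It runs that correlation over a handful of constructed log lines in a simplified key=value format; the field names, the 60-second window and the fan-out threshold of three hosts are assumptions, not a real EVTX export or a tuned production rule.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

type Event struct {
	Time   time.Time
	Host   string
	ID     int
	Fields map[string]string
}

// ParseLine parses a space-separated key=value line in the SampleLog format.
func ParseLine(line string) (ev Event, err error) {
	ev.Fields = map[string]string{}
	for _, tok := range strings.Fields(line) {
		k, v, _ := strings.Cut(tok, "=")
		ev.Fields[k] = v
	}
	ev.Host = ev.Fields["host"]
	if ev.Time, err = time.Parse(time.RFC3339, ev.Fields["ts"]); err != nil {
		return ev, err
	}
	ev.ID, err = strconv.Atoi(ev.Fields["id"])
	return ev, err
}

type Alert struct{ Host, Account, Reason string }

// Detect flags two patterns that credential-driven PsExec spreading produces: a network
// logon (Security 4624, LogonType 3) on a host followed within window by the PSEXESVC
// service being installed there (System 7045), and one account logging on to at least
// fanout distinct hosts within window, i.e. harvested credentials replayed fleet-wide.
func Detect(events []Event, window time.Duration, fanout int) (alerts []Alert) {
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	byHost, byUser, fanned := map[string][]Event{}, map[string][]Event{}, map[string]bool{}
	for _, ev := range events {
		switch {
		case ev.ID == 4624 && ev.Fields["type"] == "3":
			user := ev.Fields["user"]
			byHost[ev.Host] = append(byHost[ev.Host], ev)
			byUser[user] = append(byUser[user], ev)
			hosts := map[string]bool{} // distinct hosts this account reached inside the window
			for _, l := range byUser[user] {
				if ev.Time.Sub(l.Time) <= window {
					hosts[l.Host] = true
				}
			}
			if len(hosts) >= fanout && !fanned[user] {
				fanned[user] = true
				alerts = append(alerts, Alert{ev.Host, user,
					fmt.Sprintf("account reached %d hosts within %s", len(hosts), window)})
			}
		case ev.ID == 7045 && strings.EqualFold(ev.Fields["service"], "PSEXESVC"):
			if ls := byHost[ev.Host]; len(ls) > 0 {
				l := ls[len(ls)-1] // most recent network logon on this host
				if gap := ev.Time.Sub(l.Time); gap <= window {
					alerts = append(alerts, Alert{ev.Host, l.Fields["user"],
						fmt.Sprintf("PSEXESVC installed %s after network logon from %s", gap, l.Fields["src"])})
				}
			}
		}
	}
	return alerts
}

// SampleLog (constructed, not real telemetry): one service account fanning out
// over three workstations with PsExec, plus benign noise that must not alert.
var SampleLog = []string{
	"ts=2017-06-27T10:31:02Z host=WS-01 id=4624 type=3 user=svc_backup src=10.0.1.23",
	"ts=2017-06-27T10:31:04Z host=WS-01 id=7045 service=PSEXESVC",
	"ts=2017-06-27T10:31:10Z host=WS-02 id=4624 type=3 user=svc_backup src=10.0.1.23",
	"ts=2017-06-27T10:31:12Z host=WS-02 id=7045 service=PSEXESVC",
	"ts=2017-06-27T10:31:15Z host=WS-03 id=4624 type=3 user=svc_backup src=10.0.1.23",
	"ts=2017-06-27T10:31:17Z host=WS-03 id=7045 service=PSEXESVC",
	"ts=2017-06-27T10:40:00Z host=WS-09 id=4624 type=2 user=alice src=-",
	"ts=2017-06-27T11:00:00Z host=WS-09 id=7045 service=Spooler",
}

// RunSample parses SampleLog and runs Detect with a 60 s window and a fan-out of 3.
func RunSample() ([]Alert, error) {
	var events []Event
	for _, line := range SampleLog {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return Detect(events, 60*time.Second, 3), nil
}

func main() {
	alerts, _ := RunSample()
	for _, a := range alerts {
		fmt.Println(a.Host, a.Account, a.Reason)
	}
}
```

On the sample input this produces four alerts: one PSEXESVC correlation per workstation and one fan-out alert for svc_backup once it has touched three hosts inside a minute; the interactive logon and the Spooler service install on WS-09 stay silent. The fan-out rule is the one worth keeping even if PsExec is replaced by WMIC or something else, because it keys on the credential reuse rather than on the tool.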
What broke, concretely
Maersk, the world's largest container shipping company, watched its network go dark in roughly 90 minutes and later had to rebuild 4,000 servers and some 45,000 PCs. Every domain controller in the company was encrypted except one in Ghana that happened to be without power when the attack hit. That Ghanaian DC's disk was hand-carried to London so the Active Directory forest could be rebuilt from it. Maersk later put its damage at 250 to 300 million USD.
Merck reported roughly 870 million USD in impact, including disrupted vaccine production. Reckitt Benckiser: about 129 million. Mondelez: about 188 million, later the subject of a lawsuit against Zurich Insurance that turned on whether the attack was a "hostile or warlike action" and therefore excluded from coverage. (The 2022 settlement was confidential; the war-exclusion question reshaped cyber insurance.)
TNT Express, FedEx's European subsidiary, cost FedEx roughly 300 million USD in the quarter that followed, about 400 million in all, and took months to restore operations. Saint-Gobain, the French construction materials firm, lost 384 million USD. Heritage Valley Health System in Pennsylvania postponed surgeries. Chernobyl's radiation monitoring station had to switch to manual measurement because its Windows workstations were down.
Paying did not work. The Bitcoin address did receive a handful of payments from desperate victims, who got nothing back, which is exactly what the payload's design predicted.
Attribution, with the caveats
On February 15, 2018, the U.S. White House, the U.K. National Cyber Security Centre, and the governments of Denmark, Estonia, Lithuania, Canada, and Australia formally attributed NotPetya to the Russian military intelligence agency GRU, specifically to Unit 74455, also known as Sandworm.
The October 2020 U.S. Department of Justice indictment of six GRU officers named NotPetya explicitly. The same group is tied to the 2015 and 2016 Ukrainian power grid attacks, the 2018 Olympic Destroyer attack against the Pyeongchang Winter Games, and later operations.
The choice of M.E.Doc as the delivery vehicle was deliberate. It guaranteed Ukrainian enterprise impact. The side-effects against multinationals were an acceptable cost, or possibly a feature.
The supply chain mechanics
Intellect Service was a small company. The specific failures at its infrastructure that enabled the compromise, per the Ukrainian Cyber Police investigation released in July 2017:
- The build and update-signing servers used a shared service account with a weak password, reportedly reused across multiple systems.
- There was no out-of-band verification of update contents. The signing process was automated and the signing key was available to the same credentials that could modify the update payload.
- Logging was minimal. The intrusion went undetected for more than ten weeks, from the first trojanized update on April 14 until the outbreak on June 27.
- The software's auto-update mechanism ran as SYSTEM on client machines and had no user interaction requirement. That is standard for enterprise software, but it made the blast radius total.
Fixing any one of those would have slowed the attack. None of them alone would have stopped a determined state-aligned actor, but together they produced an environment in which one foothold at Intellect Service became enterprise-wide compromise at Maersk.
The lessons we were forced to learn
Auto-update is a supply chain trust relationship. NotPetya reframed auto-update mechanisms as persistent, SYSTEM-level remote code execution channels held open by the vendor and authenticated by nothing stronger than the vendor's own infrastructure. Every enterprise-deployed application with an auto-updater is that channel. The response in 2017 and after was to demand vendor transparency about update signing processes, not just update content.
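What an update client can do about the failure listed in the supply chain section, where the build server's credentials were enough both to alter a payload and to sign it, is to refuse to install on the build signature alone. The Go program below is an added example for this page, not M.E.Doc's or any vendor's code. It requires a second, independent attestation: a per-version digest signed by an offline release key and published out of band, somewhere the build server cannot write. A package that carries a perfectly valid build signature but does not match its manifest, or has no manifest at all, is rejected. Key roles, version numbers and payloads are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what the client fetches from the vendor's update server. BuildSig
// comes from the key on that server, so anyone holding the server's credentials
// can produce a valid one.
type Update struct {
	Version  string
	Payload  []byte
	BuildSig []byte
}

// Manifest is the out-of-band attestation: the expected digest for a version,
// signed by an offline release key and published where the build server cannot
// write (a separate site, a transparency log, a partner feed).
type Manifest struct {
	Version string
	Digest  [32]byte
	Sig     []byte
}

var (
	ErrBuildSig    = errors.New("build signature invalid")
	ErrNoManifest  = errors.New("no release manifest for this version")
	ErrManifestSig = errors.New("manifest signature invalid")
	ErrDigest      = errors.New("payload digest does not match manifest")
)

// digest binds the version string to the payload so a signed package cannot be
// replayed under another version number.
func digest(version string, payload []byte) [32]byte {
	return sha256.Sum256(append([]byte(version+"\x00"), payload...))
}

func manifestBytes(version string, d [32]byte) []byte {
	return append([]byte(version+"\x00"), d[:]...)
}

func SignUpdate(buildKey ed25519.PrivateKey, version string, payload []byte) Update {
	d := digest(version, payload)
	return Update{Version: version, Payload: payload, BuildSig: ed25519.Sign(buildKey, d[:])}
}

func SignManifest(releaseKey ed25519.PrivateKey, version string, payload []byte) Manifest {
	d := digest(version, payload)
	return Manifest{Version: version, Digest: d, Sig: ed25519.Sign(releaseKey, manifestBytes(version, d))}
}

// Verify accepts an update only when both independent attestations agree;
// the build signature alone is never enough.
func Verify(u Update, manifests map[string]Manifest, buildPub, releasePub ed25519.PublicKey) error {
	d := digest(u.Version, u.Payload)
	if !ed25519.Verify(buildPub, d[:], u.BuildSig) {
		return ErrBuildSig
	}
	m, ok := manifests[u.Version]
	if !ok {
		return ErrNoManifest
	}
	if !ed25519.Verify(releasePub, manifestBytes(m.Version, m.Digest), m.Sig) {
		return ErrManifestSig
	}
	if m.Digest != d {
		return ErrDigest
	}
	return nil
}

// Scenario replays the M.E.Doc situation with hypothetical version numbers and
// payloads: an attacker who owns the build key ships a trojanized build of an
// already-released version, then a brand-new version with no manifest at all.
func Scenario() (genuine, trojanized, unlisted error) {
	buildPub, buildKey, _ := ed25519.GenerateKey(rand.Reader)
	releasePub, releaseKey, _ := ed25519.GenerateKey(rand.Reader)
	clean := []byte("updater 1.2.3 (clean build)")
	manifests := map[string]Manifest{"1.2.3": SignManifest(releaseKey, "1.2.3", clean)}

	genuine = Verify(SignUpdate(buildKey, "1.2.3", clean), manifests, buildPub, releasePub)
	evil := []byte("updater 1.2.3 + backdoor") // attacker can sign it, cannot get it into the manifest
	trojanized = Verify(SignUpdate(buildKey, "1.2.3", evil), manifests, buildPub, releasePub)
	unlisted = Verify(SignUpdate(buildKey, "1.2.4", evil), manifests, buildPub, releasePub)
	return genuine, trojanized, unlisted
}

func main() {
	g, t, u := Scenario()
	fmt.Println("genuine:", g, "| trojanized:", t, "| unlisted:", u)
}
```

Scenario plays out a trojanized build of a released version (caught as a digest mismatch) and a fresh version the attacker invents (caught as having no manifest). The property that makes this work is that the release key never sits on the machine that produces the payload; if it did, the second check would collapse into the first, which is precisely the arrangement the Cyber Police described at Intellect Service.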
EternalBlue still mattered. WannaCry had forced patches in May 2017. Six weeks later, NotPetya showed that patch adoption was nowhere near complete even inside large multinationals. Network segmentation and SMB deprecation lagged even further.
Backups that are online are not backups. Any machine NotPetya could reach over the network it wiped, and a backup server joined to the same domain with the same credentials is just another reachable machine. Maersk's recovery hinged on one DC that happened to be without power during the attack. That is not a recovery plan. That is a miracle.
Cyber insurance is now a policy question. Mondelez v. Zurich and the war-exclusion argument reshaped how policies treat state-attributed cyber events, and underwriters have since treated supply chain exposure as a first-class factor.
Geopolitics is in the dependency graph. If your Ukrainian subsidiary runs accounting software mandated by Ukrainian tax law, you have inherited geopolitical risk whether or not your CISO has a threat model for it. NotPetya is the case that put supply chain geography on the board-level agenda.
How Safeguard Helps
NotPetya is the archetype of the risk Safeguard was built around. Auto-update channels are ingested and inventoried per vendor, with SBOM comparison flagging update artifacts that deviate from signed baselines. Reachability analysis narrows the blast-radius question (which of your running systems actually execute the affected code paths), and Griffin AI drafts network segmentation and patch sequencing plans tuned to your topology. Our TPRM module scores suppliers on their own build and update hygiene, so a small vendor with outsized access to your fleet gets the scrutiny its blast radius deserves. Policy gates then prevent unattested vendor updates from reaching production without a second, independent review.