Imagine waking up one day, turning on your computer, and… nothing works. Files are gone, programs won’t open, and your business is at a standstill. This nightmare became reality in June 2017, thanks to a cyberattack called NotPetya.

Ransomware is software designed to lock your files until you pay money. NotPetya wasn’t just any ransomware: its creators didn’t care about money. Their goal was chaos.

Key Characteristics:

  • Infectious Nature: NotPetya spread using EternalBlue, an exploit for a weakness (or “bug”) in Windows that lets hackers take control of a computer remotely over the network. It’s similar to how the WannaCry malware spread.

  • Wiper Functionality: Instead of just locking your files, NotPetya overwrote the Master Boot Record (MBR) and the Master File Table (MFT).

    • MBR is like the “starter” of your computer — it tells your computer how to boot up. If it’s overwritten, your computer won’t start.

    • MFT is like the “table of contents” for all files on your computer. If it’s destroyed, the files can’t be found or used.

  • Delivery Mechanism: Hackers tricked people into downloading it through a software update from M.E.Doc, a popular accounting program in Ukraine. The update itself was compromised, meaning hackers secretly added the malware to it.

How Did It Work?

  1. Initial Infection: Users downloaded the M.E.Doc update, which secretly contained NotPetya.

  2. Lateral Movement: Once inside a network, NotPetya spread to other computers using:

    • EternalBlue (the Windows bug)

    • PsExec: a tool that lets someone run programs on other computers in the network. Think of it as “remote control for computers.”

    • WMIC (Windows Management Instrumentation Command-line): another tool that lets hackers manage other computers remotely.

  3. Payload Execution: The malware overwrote the MBR and MFT, making computers unusable. Files were “encrypted” (locked) in a way that could not be undone, so even paying a ransom could not bring them back.

  4. Credential Harvesting: NotPetya tried to steal login credentials (usernames and passwords) to move to more computers in the network.

  5. Ransom Note Display: It showed a ransom message, but even paying it wouldn’t recover files. The purpose was disruption, not money.
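Steps 2 and 4 above describe PsExec and WMIC being used to reach other machines; from the defender’s side, that activity shows up in process-creation logs. The following is an added example (not from the original article): a small Python detector run over constructed, Sysmon-style log lines that flags a host launching PsExec or WMIC against several remote targets. Field names, hosts, users, IPs and paths are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in a flattened "process creation" log style (hosts,
# users, IPs and paths are made up; the layout mimics Sysmon event 1 fields).
SAMPLE_LOGS = [
    'Host=WS-01 User=CORP\\alice Image=C:\\Windows\\explorer.exe CommandLine="explorer.exe"',
    'Host=WS-01 User=CORP\\alice Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic os get caption"',
    'Host=WS-02 User=CORP\\svc_backup Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic /node:10.0.1.23 /user:CORP\\svc_backup process call create C:\\Windows\\Temp\\update.exe"',
    'Host=WS-02 User=CORP\\svc_backup Image=C:\\Tools\\psexec.exe CommandLine="psexec.exe \\\\10.0.1.24 -s -d C:\\Windows\\Temp\\update.exe"',
    'Host=WS-02 User=CORP\\svc_backup Image=C:\\Tools\\psexec.exe CommandLine="psexec.exe \\\\FS-07 -s -d C:\\Windows\\Temp\\update.exe"',
    'Host=ADMIN-01 User=CORP\\bob Image=C:\\Tools\\psexec.exe CommandLine="psexec.exe \\\\WS-09 cmd /c ipconfig"',
]

LOG_RE = re.compile(r'Host=(?P<host>\S+) User=(?P<user>\S+) Image=(?P<image>\S+) CommandLine="(?P<cmdline>.*)"$')
WMIC_NODE = re.compile(r'/node:\s*"?([^\s",]+)', re.I)      # remote host handed to WMIC
PROCESS_CREATE = re.compile(r'\bprocess\s+call\s+create\b', re.I)
PSEXEC_TARGET = re.compile(r'\\\\([^\s\\]+)')                 # the \\host argument of PsExec

def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify_remote_exec(image, cmdline):
    """Return (tool, target) when the process starts something on ANOTHER host,
    otherwise None. Local WMIC queries and non-remote commands are ignored."""
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe == "wmic.exe":
        node = WMIC_NODE.search(cmdline)
        if node and PROCESS_CREATE.search(cmdline):
            return ("wmic", node.group(1).lower())
    elif exe.startswith("psexec"):
        target = PSEXEC_TARGET.search(cmdline)
        if target:
            return ("psexec", target.group(1).lower())
    return None

def detect_lateral_movement(lines, threshold=2):
    """Group remote-execution events by the host that launched them and return
    the hosts that reached at least `threshold` distinct targets: one admin
    running PsExec once is routine, one machine fanning out to many is not."""
    evidence = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        hit = classify_remote_exec(ev["image"], ev["cmdline"]) if ev else None
        if hit:
            evidence[ev["host"]].append({"user": ev["user"], "tool": hit[0], "target": hit[1]})
    return {host: evs for host, evs in evidence.items()
            if len({e["target"] for e in evs}) >= threshold}
```

With the sample lines, only WS-02 is reported (three distinct targets via WMIC and PsExec); ADMIN-01's single PsExec run stays below the threshold.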

Global Impact

NotPetya affected organizations around the world:

  • Ukraine: The main target. Government systems, banks, and utilities were hit hard.

  • Multinational Corporations: Companies like Maersk (shipping), FedEx, and Merck suffered huge losses. Maersk alone lost over $300 million.

  • Economic Damage: Total damages worldwide were around $10 billion, making it one of the costliest cyberattacks ever.

Geopolitical Context

  • Sandworm Group: A hacker group linked to Russia’s military intelligence agency (GRU) was blamed for the attack.

  • Objective: The attack aimed to destabilize Ukraine, especially after the 2014 annexation of Crimea by Russia.

  • International Response: The U.S. and the U.K. officially blamed Russia, marking an important moment in cyber diplomacy.

Simplified Technical Jargon

Here’s a summary of the technical terms in simple language:

  • EternalBlue: A security weakness in Windows that lets hackers take over computers remotely.

  • Master Boot Record (MBR): The first part of a hard drive that tells the computer how to start up.

  • Master File Table (MFT): A table in your computer that keeps track of where all your files are.

  • PsExec: A tool to run programs on other computers in the network remotely.

  • WMIC: A Windows tool that lets someone manage or control other computers using commands.

  • Wiper: Malware designed to destroy data instead of stealing money.

  • Compromised update: A legitimate software update that’s secretly been altered by hackers to include malware.

Lessons Learned

  1. Patch Management: Keep systems updated, so hackers can’t exploit known weaknesses.

  2. Network Segmentation: Divide networks into separate sections so malware can’t spread easily.

  3. Incident Response Planning: Have a plan ready for detecting, stopping, and recovering from attacks.

  4. Supply Chain Security: Be careful with software from third parties — attackers often hide malware in trusted software updates.

Do subscribe to THE CYBER TIMES newsletter
