NotPetya – The Ten Billion Dollar Worm

In late June 2017, one of the most devastating cyberattacks in history began. The worm NotPetya struck critical infrastructure, corporations, and government systems across the globe, leaving a trail of crippled businesses and billions of dollars in damages in its wake. What follows is a true story. 

This is a transcript of an episode of DNA’s podcast Kyberrosvot (Cyber Crooks), which highlights true stories of cybercrimes, their impact, and what their legacy has to teach us. 

Waves lap gently against the harbour rim in Copenhagen on a sunny June afternoon in 2017. At the headquarters of the world's largest shipping and logistics firm, Møller-Mærsk, employees’ thoughts drift towards the end of the workday. 

Then, something shatters the peaceful atmosphere. It starts with one computer, then another, and then a third. It spreads rapidly to all computers at Møller-Mærsk’s headquarters. The scene is like something out of a disaster movie, but this is actually happening, and what unfolds is worse than anything a screenwriter could conceive. 

The scene is like something out of a disaster movie. 

At the same time, the head of cybersecurity at Ukrainian firm Information Systems Security Partners receives a phone call. Computers at Ukraine's second-largest bank have started shutting down on their own. First, displaying a warning about a hard drive error, then a notification of system file corruption—then the screens went dark. 

Over the next few hours, it becomes evident that whatever is happening at Møller-Mærsk and the Ukrainian bank is happening in large and small companies around the world. Pharmaceutical company Merck, logistics company FedEx, French construction giant Saint-Gobain, a hospital in Pennsylvania, a chocolate factory in Tasmania—all were casualties of the attack.    

The devastation is most severe in Ukraine, where computers crash in at least four hospitals, six energy companies, two airports, twenty-two banks, and nearly all government agencies. 

Ukraine's digital infrastructure is being eaten alive. 

The nuclear bomb of computer viruses 

Møller-Mærsk's IT support is powerless, as are other IT departments around the world. A single guideline spreads from company to company and across the seas: disconnect all computers from the network immediately. It becomes the only way to safeguard computers against the infection spread by the most aggressive and destructive malware of the digital age: NotPetya. 

NotPetya operates in a straightforward and simple manner. It is the nuclear bomb of computer viruses. Although the software promises to restore the files it has destroyed in exchange for crypto ransom, it won’t. Everything it touches is destroyed. After a NotPetya attack, a computer won't boot up, and the data stored within cannot be recovered. It’s lost forever. 

 NotPetya destroys everything it touches. 

Møller-Mærsk employees run from room to room, disconnecting machines from the network. Hundreds of thousands of employees at various companies in Ukraine, Europe, and the United States do the same, racing against the digital tsunami. 

Could a machine evade destruction? Can anyone beat the virus to the punch? 

How do you stop the unstoppable? 

When all viable computers have been located, shut down, and disconnected, there is a deafening silence. Møller-Mærsk employees stare at each other, stunned. As no one really knows what to do next, people begin to trickle out of the offices – without knowing when they can return to work, or what will be waiting for them. 

Møller-Mærsk's 800 cargo ships drift silently on the world's oceans. They’re effectively standing still, because the tens of millions of tons of cargo they carry cannot be directed to any port now. 

NotPetya was born from political turmoil 

Shortly after unmarked Russian troops occupied Crimea in 2014, war began. It was waged through physical means in the eastern provinces of Ukraine, while digital battles raged online. Hacker groups employed by the Russian government launched relentless attacks on Ukrainian data systems. They conducted continuous denial-of-service attacks and data breaches, destroying terabytes of data and doing everything they could to cause chaos in Ukraine. 

Information Systems Security Partners was established as Ukraine’s front line of defense against such attacks, and the people working there became accustomed to working around the clock without time off. 

During Russia's cyberattacks, a hacker group named Sandworm managed to create a backdoor in the M.E.Doc software,, which was used by nearly all companies in Ukraine to file tax information with authorities. Through this backdoor, Sandworm was able to send its NotPetya program to wreak havoc on thousands of computers with the M.E.Doc software installed in June 2017. From there, it spread at an unprecedented speed to different corners of the world, destroying everything in its path. 

NotPetya is a combination of two malware entities. It's like a disease combining the infectivity of COVID-19 with the lethality of Ebola. It is based on intrusive software developed by US intelligence agency NSA, which exploits a vulnerability in the Windows operating system and enables infiltration of the target device and installation of excess code.

The other half of the equation is Mimikatz, a proof-of-concept program developed by a French researcher, which was created to demonstrate how the passwords of a Windows user can be unearthed from the computer's memory stores. By implementing parts of NSA's code, Sandworm was able to turn Mimikatz into NotPetya, which they would eventually unleash upon the internet. 

It's hard to imagine a nastier malware than NotPetya. It took down the entire computer system of one Ukrainian bank in 45 seconds. A data transmission demo environment by Information Systems Security Partners was destroyed in 16 seconds. And so on. 

It took down the entire computer system of one Ukrainian bank in 45 seconds. 

NotPetya's rapid spread surprised all cybersecurity experts. Possibly even the Sandworm hackers themselves were caught off guard, since the rampage of the virus also hit Russia's state-owned oil company Rosneft. 

NotPetya attacked Møller-Mærsk in Odessa, a port city on the Black Sea, where the company's local finance manager had installed M.E.Doc software on their computer. 

That was all it took. 

The aftermath – and a small miracle 

Nearly a week after the devastation Møller-Mærsk's systems are still out of commission. A 24/7 crisis centre has been set up in England’s Maidenhead, where 200 consultants and 400 of the shipping company's own IT experts work tirelessly to return Møller-Mærsk from this new-found dark age into present day. All computers at nearby electronics stores have been sold out, as the crisis centre employees had to purchase new laptops to replace the destroyed ones. Commercially available prepaid Wi-Fi access points are used for internet connectivity. 

All nearby electronics stores have been completely depleted. 

No computer infected with NotPetya is allowed to be switched on, to prevent the devastation from starting again Møller-Mærsk's giant global information system operations are distributed across over 150 DNS servers and the software controlling them. In emergency situations servers can be utilised as backups for one another, so in theory, operations could be restored with as little as a single functioning server. However, no one was prepared for a situation where every single DNS server would be destroyed. There is simply no functioning device left to rebuild the system from. 

Without DNS servers and the global information system they support, Møller-Mærsk will simply cease to exist. 

Then a miracle happens. One of Møller-Mærsk's remote offices in Ghana experienced a power outage as NotPetya crushed computers in its path. After a quick investigation, it is confirmed that a clean DNS server with untouched software is located in Ghana; the challenge is now to figure out how to transport several hundred gigabytes of software to England. Network speeds at the Ghana offices are so slow that data transfer would take days. The fastest way to get the software to Maidenhead is to grab a hard drive and take a trip from Nigeria to London. 

Which is exactly what happened. 

Three weeks after the devastation, Møller-Mærsk employees start receiving new laptops at the Copenhagen headquarters and hundreds of other offices. They are running familiar Windows operating systems with antivirus software, but nothing else seems familiar. All personal files stored locally, including photos, memos, and contacts, are gone. In a short timespan 45,000 new laptops and 4,000 new mainframe units are put into service, all running the latest Windows operating system. 

All personal files are gone. 

Møller-Mærsk's IT systems were largely in good condition when NotPetya was unleashed. However, some of servers were running an outdated version of Windows 2000, for which Microsoft had stopped providing support and security updates after 2010. Still, the only substantial culprit for the damage NotPetya wrought is the hacker group who developed and spread it. 

The extent of NotPetya’s trail of destruction 

Møller-Mærsk was just one of many impacted, but the company’s story is the most well-known. Some companies whose IT infrastructure was destroyed have been reluctant to provide detailed information. Some fear that a detailed description of the damages would reveal too much about the vulnerabilities of their systems, and poorly managed cybersecurity measures. 

However, several companies have disclosed – due to legislation affecting public companies – their financial losses caused by NotPetya. The sums include both the costs of rebuilding IT infrastructure and the value of lost business. 

Pay close attention – these figures are in the nine digits: 

  • Pharmaceutical company Merck: losses of $870 million. 
  • Transportation and logistics company FedEx: losses of $400 million. 
  • Construction company Saint-Gobain: repair costs amounted to $384 million. 

And so on. 

Considering these figures, Møller-Mærsk seems to have fared better than many others, as the shipping company estimated its damages at $300 million. 

In total, the most terrifying worm in the history of cyberspace caused ten billion dollars worth of damages. It happened in an instant – in a matter of minutes – on a sunny afternoon in Copenhagen. 

What should we learn from this? 

DNA's Cybersecurity Business Manager Juho Saarinen summarises the story's three key takeaways as follows: 

1. No one is exempt from the threat of cybercrime 

2. A small business can provide a pathway to attack a larger enterprise. 

3. Backups must always be kept in order. 


With DNA’s comprehensive data security services, your company’s daily life will function safely, efficiently, and appropriately in all