provocativo_
// post-mortem · Wiper · Catastrophic

NotPetya

The most expensive cyber attack in history — and it was never really ransomware.

Wiper · 2017 · NotPetya

The NotPetya / Petya bootloader ransom screen demanding $300 in Bitcoin after the wiper had already destroyed the master file table. Screenshot: NotPetya / via Wikipedia (fair use)

// overview

What happened

On June 27, 2017 — Ukraine's Constitution Day — companies across Ukraine watched their computers reboot, display a CHKDSK message, and then present a Bitcoin ransom demand. Within hours the infection had spread internationally, moving from the Windows networks of Ukrainian subsidiaries into the wider networks of their multinational parent companies.

Researchers quickly determined the malware was not really ransomware. The encryption was destructive by design: the 'installation ID' shown to victims was random bytes with no relationship to the encryption key, so a paid ransom could never yield a working decryptor. The intent was destruction, not extortion.

The initial vector was a supply-chain compromise of MeDoc, a Ukrainian tax-accounting package used by roughly 80 percent of Ukrainian businesses. Sandworm pushed the malicious payload through MeDoc's auto-update mechanism, then used EternalBlue, EternalRomance, and credential theft via Mimikatz to spread laterally — including into multinational networks via VPNs from Ukrainian offices.
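The spread described above leaves a signature a defender can look for in authentication logs: one set of stolen credentials reaching many hosts within seconds of each other, which is also the point of the "patching alone is not enough" takeaway later on this page. The following Go program is an example added here, not code from the original post, from MeDoc or from any vendor: it parses a constructed, pipe-delimited set of Windows-style logon records (the field layout, host names and the 5-hosts-in-60-seconds threshold are assumptions for the illustration) and alerts when one account, from one source workstation, fans out to many distinct targets over network logons.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// LogonEvent is a minimal view of a successful logon (Windows event 4624).
// The field names are this example's own, not a real log schema.
type LogonEvent struct {
	Time    time.Time
	Account string
	Source  string // workstation the logon originated from
	Target  string // host that accepted the credentials
	Type    int    // Windows logon type; 3 = network (SMB, RPC, admin shares)
}

// Alert records one (account, source) pair that fanned out too fast.
type Alert struct {
	Account, Source string
	Hosts           []string // distinct targets reached inside the window
}

// Constructed sample log (time|account|source|target|type): svc_backup reaches six
// hosts in 14 seconds, jdoe touches two hosts over 15 minutes, admin is a console logon.
const sampleLog = `2017-06-27T08:00:05Z|jdoe|WS-KYIV-07|FS-01|3
2017-06-27T08:00:30Z|svc_backup|WS-KYIV-01|FS-01|3
2017-06-27T08:00:31Z|svc_backup|WS-KYIV-01|FS-02|3
2017-06-27T08:00:33Z|svc_backup|WS-KYIV-01|DC-01|3
2017-06-27T08:00:36Z|svc_backup|WS-KYIV-01|APP-03|3
2017-06-27T08:00:40Z|svc_backup|WS-KYIV-01|PRINT-01|3
2017-06-27T08:00:44Z|svc_backup|WS-KYIV-01|HR-DB|3
2017-06-27T08:15:00Z|jdoe|WS-KYIV-07|MAIL-01|3
2017-06-27T08:20:00Z|admin|WS-ADMIN-01|WS-ADMIN-01|2`

// ParseLog turns the text above into events, rejecting malformed lines.
func ParseLog(text string) ([]LogonEvent, error) {
	var events []LogonEvent
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Split(strings.TrimSpace(line), "|")
		if len(f) != 5 {
			return nil, fmt.Errorf("expected 5 fields: %q", line)
		}
		ts, err1 := time.Parse(time.RFC3339, f[0])
		lt, err2 := strconv.Atoi(f[4])
		if err1 != nil || err2 != nil {
			return nil, fmt.Errorf("bad timestamp or logon type: %q", line)
		}
		events = append(events, LogonEvent{ts, f[1], f[2], f[3], lt})
	}
	return events, nil
}

// DetectFanOut raises one alert per (account, source) pair whose network logons
// reach at least minHosts distinct targets within any span of length window.
// Non-network logons are skipped: a console logon is not lateral movement.
func DetectFanOut(events []LogonEvent, window time.Duration, minHosts int) []Alert {
	byPair := map[string][]LogonEvent{}
	for _, e := range events {
		if e.Type == 3 {
			byPair[e.Account+"@"+e.Source] = append(byPair[e.Account+"@"+e.Source], e)
		}
	}
	var alerts []Alert
	for _, evs := range byPair {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		for i := range evs { // slide a window starting at each event
			seen := map[string]bool{}
			var hosts []string
			for j := i; j < len(evs) && evs[j].Time.Sub(evs[i].Time) <= window; j++ {
				if !seen[evs[j].Target] {
					seen[evs[j].Target] = true
					hosts = append(hosts, evs[j].Target)
				}
			}
			if len(hosts) >= minHosts {
				alerts = append(alerts, Alert{evs[i].Account, evs[i].Source, hosts})
				break // one alert per pair is enough
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Account < alerts[j].Account })
	return alerts
}

func main() {
	events, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range DetectFanOut(events, 60*time.Second, 5) {
		fmt.Printf("ALERT %s from %s reached %d hosts within 60s: %v\n", a.Account, a.Source, len(a.Hosts), a.Hosts)
	}
}
```

On the constructed sample this flags only svc_backup from WS-KYIV-01; the two jdoe logons are minutes apart and the admin console logon is never considered. In production the threshold has to be tuned per environment, because legitimate backup agents and vulnerability scanners produce exactly this fan-out pattern and belong on an allow-list rather than in the alert queue.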

Maersk, the world's largest container shipping company, lost its global operations for ten days; its Ghana office happened to be offline during the attack and held the only uncorrupted Active Directory replica, which engineers flew to Maidenhead to rebuild from. The total bill across all victims exceeded $10 billion. In February 2018 the White House publicly attributed NotPetya to Russia and called it 'the most destructive and costly cyber-attack in history.'

// timeline

How it unfolded

  1. Jun 27, 2017 — early AM EET

    Malicious MeDoc update pushed; thousands of Ukrainian companies compromised simultaneously.

  2. Jun 27, 2017 — by midday

    Spread reaches Maersk, Merck, FedEx (TNT Express), Mondelez, Reckitt Benckiser.

  3. Jun 28, 2017

    Researchers conclude payload is destructive, not extortion.

  4. Jul 2017

    Maersk rebuilds 4,000 servers and 45,000 PCs in 10 days.

  5. Feb 15, 2018

    White House attributes attack to Russian military; UK and allies follow.

  6. Oct 19, 2020

    DOJ indicts six GRU Unit 74455 officers for NotPetya and other attacks.

// damage

Impact and scale

NotPetya looked like ransomware but had no functioning decryption — the 'ransom' was theatre to slow attribution. Maersk lost the equivalent of $250–300 million and rebuilt 4,000 servers and 45,000 PCs in ten days. Merck lost ~$870 million and had to borrow HPV vaccines from the CDC stockpile. Insurers refused payouts under 'act of war' exclusions, triggering still-litigated coverage cases.

// affected

Who was hit

  • Maersk (shipping) — global operations halted 10 days, $250–300M loss
  • Merck (pharmaceutical) — ~$870M loss, vaccine production disrupted
  • FedEx / TNT Express — $400M loss
  • Mondelez, Reckitt Benckiser, Saint-Gobain, WPP, Rosneft, and an estimated 10% of all Ukrainian PCs

// lessons

Key takeaways

  • Supply-chain compromise of trusted software updaters can deliver malware inside hardened perimeters in minutes.
  • Patching alone is not enough — Mimikatz-style credential theft makes lateral movement trivial once a single host falls.
  • 'Cyber act of war' exclusions in cyber insurance policies are a contractual landmine; read your policy.
  • Geographic separation of backups is operationally critical: Maersk recovered because of one offline Active Directory replica in Ghana.
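The first takeaway, that a trusted updater can deliver malware inside the perimeter, turns on a single question: does the client verify what it installs against a publisher key it already holds, or does it trust whatever the update server sends? The Go program below is an example added here, not MeDoc's or any vendor's real update code. It pins a publisher's Ed25519 public key, signs a manifest of per-file SHA-256 digests, and rejects an update whose files were altered after signing, which carries a file the manifest does not list, or which was signed by some other key. The key pair, file contents and version string are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest lists every file an update carries with its hex SHA-256 digest.
type Manifest struct {
	Version string            `json:"version"`
	Files   map[string]string `json:"files"`
}

// SignedUpdate is what an update server ships: the manifest bytes, the
// publisher's Ed25519 signature over exactly those bytes, and the files.
type SignedUpdate struct {
	Manifest  []byte
	Signature []byte
	Payload   map[string][]byte
}

// BuildUpdate is the publisher side: digest each file, then sign the manifest.
func BuildUpdate(priv ed25519.PrivateKey, version string, files map[string][]byte) (SignedUpdate, error) {
	m := Manifest{Version: version, Files: map[string]string{}}
	for path, data := range files {
		m.Files[path] = fmt.Sprintf("%x", sha256.Sum256(data))
	}
	raw, err := json.Marshal(m) // map keys are emitted sorted, so the bytes are stable
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{Manifest: raw, Signature: ed25519.Sign(priv, raw), Payload: files}, nil
}

// VerifyUpdate is the client side. The publisher key is pinned in the client, so
// control of the update server alone yields no valid signature, and any altered
// byte in a file breaks that file's signed digest.
func VerifyUpdate(pinned ed25519.PublicKey, u SignedUpdate) (*Manifest, error) {
	if !ed25519.Verify(pinned, u.Manifest, u.Signature) {
		return nil, errors.New("manifest signature does not verify against the pinned publisher key")
	}
	var m Manifest
	if err := json.Unmarshal(u.Manifest, &m); err != nil {
		return nil, fmt.Errorf("manifest unparseable: %w", err)
	}
	for path, want := range m.Files {
		data, ok := u.Payload[path]
		if !ok {
			return nil, fmt.Errorf("%s: listed in manifest but missing from payload", path)
		}
		if fmt.Sprintf("%x", sha256.Sum256(data)) != want {
			return nil, fmt.Errorf("%s: digest mismatch, file altered", path)
		}
	}
	for path := range u.Payload {
		if _, ok := m.Files[path]; !ok {
			return nil, fmt.Errorf("%s: present in payload but not in signed manifest", path)
		}
	}
	return &m, nil
}

// RunScenarios returns the verification outcome for a genuine update, for one whose
// library was swapped after signing, and for one signed with a key other than the
// pinned one. Keys are generated here as stand-ins; file contents are constructed.
func RunScenarios() (genuine, tampered, wrongKey error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	files := map[string][]byte{
		"updater.exe": []byte("constructed: benign updater bytes"),
		"app.dll":     []byte("constructed: benign library bytes"),
	}
	good, _ := BuildUpdate(vendorPriv, "example-1.0", files)
	_, genuine = VerifyUpdate(vendorPub, good)
	altered := good // same manifest and signature, one file replaced in transit
	altered.Payload = map[string][]byte{
		"updater.exe": files["updater.exe"],
		"app.dll":     []byte("constructed: replaced library bytes"),
	}
	_, tampered = VerifyUpdate(vendorPub, altered)
	forged, _ := BuildUpdate(otherPriv, "example-1.0", altered.Payload) // well-formed, wrong signer
	_, wrongKey = VerifyUpdate(vendorPub, forged)
	return genuine, tampered, wrongKey
}

func main() {
	g, t, w := RunScenarios()
	fmt.Println("genuine update:  ", g)
	fmt.Println("tampered payload:", t)
	fmt.Println("wrong signer:    ", w)
}
```

The design point is that the signature covers the manifest, and the manifest covers every file, so the client never has to trust transport security or the server's good behaviour. What this check cannot do is protect against a compromise of the publisher's signing key or build pipeline; that residual risk is why signing keys belong in an HSM and why reproducible builds and transparency logs exist.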
