On June 27, 2017, a quiet morning turned into one of the darkest days in cybersecurity history. What appeared at first to be just another ransomware wave quickly revealed itself as something entirely different — something far more destructive. Within hours, a piece of malware disguised as ransomware would topple banks, halt shipping ports, shut down pharmaceutical plants, and nearly bring global trade to a standstill.
This wasn’t about money. It was about destruction.
This is the full, unbelievable story of NotPetya — the most damaging cyberattack ever unleashed — and how a powerless server in Ghana accidentally saved one of the world’s largest companies.

Before NotPetya: Years of Digital Warfare in Ukraine
To understand NotPetya, you have to understand the battlefield. Since 2014, Ukraine and Russia have been locked in both physical and digital conflict. While the world focused on the annexation of Crimea and the war in Donbass, a parallel war was unfolding in cyberspace.
Enter Sandworm, also known as APT44 — a Russian GRU hacking unit infamous for highly destructive malware.
In December 2015, Sandworm executed the first-ever successful cyberattack on a nation’s power grid. Using BlackEnergy malware, they remotely opened breakers and cut electricity to 230,000 Ukrainians in the middle of winter. They even wiped recovery systems to ensure crews couldn’t quickly restore power.
One year later (2016), they struck again with an even more sophisticated tool — Industroyer — designed not just to disrupt electrical equipment, but to physically destroy it.
Both attacks were unprecedented. But Sandworm wasn’t done.
Not even close.
The Weak Link: A Tiny Ukrainian Accounting Company
Their next target wasn’t a power plant. It wasn’t a government office.
It was M.E.Doc, the mandatory accounting and tax-filing software used by 80% of Ukrainian businesses — the Ukrainian equivalent of making TurboTax required for every company.
M.E.Doc was created by a small family-run business, Linkos Group, led by Olesya Linnik. The software dominated its niche, but the company had a fatal flaw:
Security was practically nonexistent.
Investigations later found:
- servers unpatched for years
- outdated software
- weak internal controls
- no meaningful intrusion detection
For Sandworm, this was the perfect Trojan horse. Why hack thousands of companies individually when one compromised software update could infect them all?
The Warm-up Attack
Researchers believe Sandworm infiltrated M.E.Doc’s update servers months before NotPetya. Their first “test run” came on May 18, 2017, when they pushed a ransomware variant called XData through the update channel.
It worked.
And now they knew they could deliver something far worse.
The Birth of NotPetya
Sandworm took the Petya ransomware, ripped out its financial functionality, rewrote major components, and built a hybrid cyberweapon disguised as ransomware.
The result?
NotPetya — a wiper pretending to be ransomware.
A weapon designed not to extort, but to erase.
The date chosen for the attack — June 27, 2017 — was no accident. The next day was Ukrainian Constitution Day, a national holiday. Many businesses were already closing early. IT teams were understaffed. Perfect conditions for chaos.
At 10:30 AM, a malicious M.E.Doc update went live.
Within minutes, Ukraine descended into digital catastrophe.

What Made NotPetya the Perfect Cyberweapon
NotPetya used a devastating combination of techniques to spread at unprecedented speed:
1. EternalBlue (the same NSA exploit used by WannaCry)
If Windows wasn’t patched with MS17-010, NotPetya spread automatically.
2. Mimikatz credential harvesting
Even patched systems weren’t safe. NotPetya stole employee passwords from memory.
3. Legitimate Windows tools turned into weapons
It used:
- PsExec
- WMI
…to traverse networks like a legitimate admin process.
Because that traffic looked like routine administration, firewalls and antivirus offered little protection, and even network segmentation often failed to contain it.
But the real trick? It wasn’t ransomware at all.
NotPetya destroyed:
- the Master Boot Record (MBR)
- the Master File Table (MFT)
Result: total data loss, even if victims paid.
The email address for “decryptions” was suspended immediately. There was never any intention of letting anyone recover their files.
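One defensive check that follows from the spreading techniques above, written as an added example that is not part of the original article: it scans constructed Windows event samples for the PsExec service installation (System event 7045 creating the PSEXESVC service) and for the WMI provider host spawning a shell or other living-off-the-land binary (Sysmon event 1 with parent WmiPrvSE.exe), then raises a separate alert when several hosts show that pattern within minutes, which is the worm-like signature NotPetya left. The event field names, sample values and thresholds are assumptions for this example.

```python
"""Flag NotPetya-style lateral movement in constructed Windows event samples."""
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Field names loosely mirror the Windows
# System log (event 7045, "a service was installed") and Sysmon event 1 (process created).
SAMPLE_EVENTS = [
    {"ts": "2017-06-27T10:31:05", "host": "ws01", "channel": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2017-06-27T10:31:40", "host": "ws02", "channel": "Sysmon", "event_id": 1,
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\rundll32.exe"},
    {"ts": "2017-06-27T10:32:10", "host": "ws03", "channel": "Sysmon", "event_id": 1,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": "2017-06-27T10:33:02", "host": "ws04", "channel": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2017-06-27T14:00:00", "host": "ws05", "channel": "System", "event_id": 7045,
     "service_name": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"},
]
# Binaries the WMI provider host should not normally be launching on a workstation.
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a finding label for one event, or None if it looks benign."""
    if event["channel"] == "System" and event["event_id"] == 7045:
        if "psexesvc" in (event["service_name"] + event["image_path"]).lower():
            return "psexec-service-install"
    elif event["channel"] == "Sysmon" and event["event_id"] == 1:
        if basename(event["parent_image"]) == "wmiprvse.exe" and basename(event["image"]) in LOLBINS:
            return "wmi-remote-exec"
    return None

def detect(events, window=timedelta(minutes=10), min_hosts=3):
    """Per-event findings, plus one worm-style alert when min_hosts distinct hosts show lateral execution inside one sliding window."""
    findings, hits = [], []
    for event in events:
        label = classify(event)
        if label:
            findings.append((event["host"], label))
            hits.append((datetime.fromisoformat(event["ts"]), event["host"]))
    hits.sort()
    for i, (start, _) in enumerate(hits):
        hosts = {host for ts, host in hits[i:] if ts - start <= window}
        if len(hosts) >= min_hosts:
            findings.append(("*", f"rapid-spread:{len(hosts)}-hosts"))
            break
    return findings
```

Individually each hit can be a legitimate admin action; it is the burst across many hosts inside a few minutes that distinguishes a self-propagating wiper from an administrator using PsExec.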
Ukraine Collapses in Minutes
Government ministries, media outlets, energy companies, banks — everything went dark.
- Kyiv’s metro shut down
- ATMs stopped working
- Boryspil Airport reverted to whiteboards
- TV studios broadcast from backup locations
- Even Chernobyl’s radiation sensors failed
Ukraine was digitally paralyzed.
But the attack didn’t stop there.
The Malware Jumps the Border
Global companies connected to Ukrainian offices through VPNs were instantly compromised.
The most famous victim?
Maersk, the largest shipping company on the planet.

A single infected PC at its tiny Odessa office was enough to ignite a global IT meltdown.
Maersk’s Entire Network Collapsed in One Hour
Employees watched helplessly as thousands of machines displayed:
“Repairing file system on C:”
Then, one by one, all screens went black.

Ports Shut Down Worldwide
Maersk operates:
- 76 ports
- 800+ ships
- ~20% of global container traffic
When Maersk goes down, global trade slows to a crawl.
At Rotterdam, the largest port in Europe, cranes froze mid-operation. Hundreds of trucks formed endless lines. Thousands of containers piled up with no way to track, move, or clear them.
The Most Devastating Blow: Active Directory Wiped Out
Maersk had 150 domain controllers worldwide.
NotPetya destroyed every single one.
Without Active Directory, the entire global network was dead.
Maersk was essentially a $60 billion company with no functioning computers.
The Ghana Miracle

Amid the chaos, someone remembered a small office in Accra, Ghana.
That morning, a simple power outage had knocked their local domain controller offline.
It was the only surviving domain controller Maersk had left on Earth.
When Maersk realized this, one engineer described the moment as:
“Like discovering the Holy Grail.”
They rushed to retrieve the server:
- an employee pulled the hard drive and carried it by hand
- flew it to Lagos
- caught a flight to London
- took a taxi to Maersk’s IT hub in Maidenhead
That drive became the seed for rebuilding Maersk’s entire global infrastructure.
The Largest IT Rebuild in Corporate History
For 10 days, Maersk ran in emergency mode:
- employees used WhatsApp to coordinate
- operations ran on pen and paper
- staff slept under desks
- warehouses dug up 1990s PCs immune to infection
- teams installed pirated Windows copies just to function
They ordered thousands of new PCs so fast that Apple, HP, and Dell ran out of inventory.
The total cost? $250–300 million.
And they were lucky.
Without that Ghana server, damage could have reached billions.
Other Global Victims
NotPetya didn’t just graze other companies—it obliterated them.
Merck — $870 Million Lost
Merck’s vaccine production halted. Entire batches of critical drugs were destroyed because digital quality records were wiped.
FedEx/TNT Express — $400 Million Lost
Some TNT data was erased permanently. Collected packages disappeared from tracking systems entirely.
Mondelez — $188 Million Lost
Oreo and Cadbury production lines stopped. Factories reverted to 1980s-style paper forms.
Saint-Gobain — $384 Million Lost
Their CEO described the internal damage as:
“Like amputating limbs to save the body.”
Total worldwide damages exceeded $10 billion.
Who Was Behind NotPetya?
In February 2018, the U.S. and U.K. officially attributed NotPetya to Russia’s GRU, specifically Unit 74455 — Sandworm.
In October 2020, the U.S. indicted six GRU officers:
- Yuriy Andrienko
- Sergey Detistov
- Pavel Frolov
- Anatoliy Kovalev
- Artem Ochichenko
- Petr Pliskin
The U.S. State Department offered $10 million for information on them.
Whether they’ll ever be arrested is another story.
The Fallout at M.E.Doc
When investigators raided Linkos Group, they found:
- no proper patching
- outdated servers
- four years of missing updates
Ukrainian cyber police were furious.
Company executives initially denied responsibility — even insisting the software was “100% clean.” Eventually, they admitted their servers had been compromised since at least April 2017.
Their negligence enabled a global catastrophe.

Conclusion
NotPetya wasn’t a ransomware outbreak.
It wasn’t even a cybercrime campaign.
It was a cyberweapon.
A digital bomb that spread uncontrollably across the world, crippling critical infrastructure and costing more than $10 billion in damages. It proved that:
- small software vendors can become global threat vectors
- cyberattacks can disrupt the world economy
- nation-state malware doesn’t respect borders
And it exposed just how fragile our interconnected systems really are.
A single infected accounting app in Ukraine broke global shipping, delayed medical treatments, shut down factories, and forced governments to rethink cyber defense strategy.
The next attack could be even bigger — and next time, we may not get as lucky as that offline server in Ghana.