threatintel
actor tracker
Named attack · kill-chain walkthrough

NotPetya

Destructive wiper masquerading as ransomware

Sandworm (GRU Unit 74455)June 27, 2017High confidence

Attributed by the U.S., U.K., Australia, Canada, and allies to Russian GRU Unit 74455 (Sandworm) in February 2018. Six GRU officers indicted by the U.S. Department of Justice in October 2020.

Sandworm weaponized a trojanized update to M.E.Doc — Ukraine's dominant tax-accounting software — to detonate a wiper across Ukraine and the global supply chain simultaneously. NotPetya encrypted Master File Tables and overwrote MBRs with an unrecoverable fake ransom note, causing an estimated $10 billion in worldwide damage. It was the most destructive cyberattack in history at the time.

scene 00 / 07
INITIAL ACCESS · EXECUTION · CREDENTIAL ACCESS · LATERAL MOVEMENTSandwormGRU Unit 74455compromised months priorM.E.Doc update serverLinkos Grouptrojanized by SandwormT1195.002auto-updateUkrainianbusinessesM.E.Doc usersezvit.exerundll32 perfc.datT1059.003 · T1218.011perfc.dat027cc450…Mimikatz modulereads LSASScleartext passwordsNTLM hashes · Kerberos ticketsT1003.001lsass.exememoryWorm SpreadEternalBlue · EternalRomanceCVE-2017-0144 · CVE-2017-0145T1210PsExec + WMICwith harvested credsT1021.002 · T1047infectedhosthosthosthosthosthosthosthosthosthosthosthostSMB broadcast sweeptoken impersonationT1134 · T1016self-propagating, no C2required post-dropDEFENSE EVASION · PERSISTENCE · IMPACTMFT encryptedNTFS Master FileTable destroyedT1485MBR overwrittencustom bootloaderfake ransom screenT1561.002~$10B damageMaersk · Merck · FedExMondelez · Ukraine govWhite House attribution, Feb 2018schtasksreboot in ~1 hourspread first,then destroyT1053.005ransom screen (masquerade)"Send $300 BTC to recover files"installation ID: [random — never sent]T1036 · no recovery possiblemasqueraded as Petya ransomwarepayment address never monitored— pure destructive wiper$no decryption key existsdata permanently destroyedAttribution: US Dept of Justice indictment Oct 2020 · UK NCSC, Australian ASD, Canadian CSE, New Zealand GCSBSandworm (GRU 74455) · Operation: destructive wiper targeting Ukraine infrastructure · deployed 27 June 2017
  1. Phase 01 · Initial AccessTA0001

    Operators trojanized the M.E.Doc update server months before the attack

    • M.E.Doc (made by Linkos Group) is used by ~80% of Ukrainian companies for tax reporting; Sandworm compromised the update infrastructure well before June 27.
    • A malicious update was pushed on June 27, 2017; any M.E.Doc installation that auto-updated received the backdoored ezvit.exe.
    • The update was digitally signed with Linkos Group's certificate, making it indistinguishable from a legitimate update to endpoint defenses.
    • Three earlier trojanized M.E.Doc updates (April and May 2017) seeded a persistent backdoor on victim networks before the destructive payload was activated.
    Techniques
    T1195.002 · Supply Chain Compromise: Software Supply Chain
    Sources
  2. Phase 02 · ExecutionTA0002

    ezvit.exe invoked rundll32 to load and execute the wiper DLL

    • The trojanized M.E.Doc update modified ezvit.exe to launch a packed DLL via rundll32.exe — a signed system binary — reducing suspicion.
    • The DLL (perfc.dat) contained the credential harvester, EternalBlue/EternalRomance exploit code, and the wiper logic in a single payload.
    • Execution required no user interaction beyond the scheduled auto-update check, enabling simultaneous detonation across all infected hosts.
    Techniques
    T1059.003 · Command and Scripting Interpreter: Windows Command ShellT1218.011 · System Binary Proxy Execution: Rundll32
    Indicators
    perfc.dat — Primary wiper DLL, loaded via rundll32027cc450ef…d3a745 — NotPetya wiper DLL (perfc.dat) — CISA TA17-181A
    Sources
  3. Phase 03 · Credential AccessTA0006

    A bundled Mimikatz module harvested cleartext credentials from every logged-on user

    • NotPetya carried a custom Mimikatz-derived module that read LSASS process memory to extract plaintext passwords, NTLM hashes, and Kerberos tickets for all interactively logged-on accounts.
    • Because Windows credential caching (WDigest) remained enabled on many systems, cleartext passwords were available — a single admin session anywhere on the network was sufficient.
    • Harvested credentials were stored in memory and immediately fed to the lateral-movement module; nothing was written to disk or exfiltrated.
    Techniques
    T1003.001 · OS Credential Dumping: LSASS Memory
    Sources
  4. Phase 04 · Lateral MovementTA0008

    EternalBlue + EternalRomance plus credential reuse turned one host into a worm

    • EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0145) — NSA exploits leaked by Shadow Brokers in April 2017 — gave unauthenticated remote code execution over SMB to any unpatched Windows host on the same network.
    • On networks where EternalBlue/EternalRomance were blocked by patching, NotPetya fell back to PsExec and WMIC remote execution using the Mimikatz-harvested credentials.
    • The dual-vector design meant that even fully patched networks were at risk if a single privileged account had been cached on the initially infected host.
    • Propagation was fully automated: each newly infected host immediately began scanning and attacking its neighbors, producing exponential spread within minutes.
    Techniques
    T1210 · Exploitation of Remote ServicesT1570 · Lateral Tool TransferT1021.002 · Remote Services: SMB/Windows Admin SharesT1047 · Windows Management Instrumentation
    Sources
  5. Phase 05 · Defense EvasionTA0005

    Disguised as ransomware — but the installation key was a random number with no recovery path

    • The reboot screen displayed a Bitcoin address and a demand for $300, mimicking the Petya ransomware family to mislead responders into treating it as a criminal extortion rather than a nation-state wiper.
    • The 'installation ID' shown to victims was a randomly generated value never transmitted to any server — no decryption key existed or could ever be retrieved.
    • By presenting as financially motivated ransomware, the malware bought time before organizations recognized the true destructive intent.
    Techniques
    T1036 · Masquerading
    Sources
  6. Phase 06 · PersistenceTA0003

    A scheduled task guaranteed the wiper ran after a one-hour countdown reboot

    • NotPetya created a Windows scheduled task to reboot the machine after approximately one hour, giving the MFT encryption time to complete before the destructive reboot.
    • The delayed reboot also allowed the lateral-movement phase to run fully before the host became unavailable, maximizing spread before administrators could intervene.
    • No long-term persistence mechanism was installed — the payload was designed to destroy, not to maintain access.
    Techniques
    T1053.005 · Scheduled Task/Job: Scheduled Task
    Sources
  7. Phase 07 · ImpactTA0040

    MFT encrypted, MBR overwritten — data permanently unrecoverable, $10B in global damage

    • NotPetya XOR-encrypted the Master File Table of NTFS volumes, rendering all files on the disk inaccessible without rebuilding the entire volume.
    • It also overwrote the Master Boot Record with a custom bootloader that displayed the fake ransom note on every reboot, preventing OS startup.
    • File contents were additionally encrypted in a way that would have been unrecoverable even if a valid key had existed, confirming wiper intent.
    • Maersk (shipping) rebuilt 4,000 servers and 45,000 workstations in 10 days. Losses: Merck (~$870M), FedEx/TNT (~$400M), Mondelez (~$188M). The White House estimated total worldwide damage at ~$10 billion.
    • Six GRU Unit 74455 officers were indicted by the U.S. Department of Justice in October 2020 for their role in deploying NotPetya.
    Techniques
    T1485 · Data DestructionT1561.002 · Disk Wipe: Disk Structure Wipe
    Sources
Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • Sandworm (GRU Unit 74455)
Capability
  • T1195.002
  • T1059.003
  • T1218.011
  • T1003.001
  • T1210
  • +1 more
Infrastructure
Victim
  • See narrative above
Primary sources