
Cyber Incident Victim: Liuks Radio

Date: Jun 2017

Location: Ukraine

Summary

A ransomware attack utilizing modified Petya malware (NotPetya) targeted Ukrainian infrastructure through a compromised update mechanism of widely used tax accounting software, causing widespread disruption to banks, government ministries, energy firms, and critical services including radiation monitoring at Chernobyl. The malware, designed primarily for destruction rather than financial gain, spread globally via interconnected networks, impacting multinational corporations and causing over $10 billion in damages. Ukrainian authorities and international cybersecurity firms attributed the attack to Russian military-linked groups, citing prior patterns of cyber aggression against the country's infrastructure. The incident highlighted systemic vulnerabilities in software supply chains and legacy systems exploited by the malware's use of EternalBlue and credential-harvesting techniques.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 3 techniques
Threat Actors: 2 actors
Type: Available to members
Location: Available to members

Description

The 2017 Ukraine ransomware attacks, commonly referred to as NotPetya, began on June 27 with the distribution of malicious code through the compromised update mechanism of M.E.Doc, a Ukrainian tax accounting software developed by Intellect Service. M.E.Doc’s update server was hijacked to push ransomware disguised as a routine software patch, exploiting its widespread adoption across Ukrainian businesses (approximately 400,000 customers and 1 million installations). The malware, a modified variant of Petya ransomware, leveraged the EternalBlue exploit against unpatched Windows systems, particularly those exposing the Server Message Block (SMB) protocol. Upon execution, it encrypted the Master File Table, forced a system reboot, and displayed a ransom demand for $300 in Bitcoin. However, security analysts quickly identified NotPetya’s destructive intent: in many cases it overwrote files irreversibly, and it employed Mimikatz to harvest credentials from memory, enabling lateral movement across networks. The attack coincided with Ukraine’s Constitution Day holiday, maximizing disruption because government offices were unstaffed.


Initial infections crippled Ukrainian critical infrastructure, including the radiation monitoring system at Chernobyl Nuclear Power Plant, ministries, banks (Oshchadbank, Ukrsotsbank), transportation networks (Ukrainian Railways, Kyiv Metro), and telecommunications providers (Kyivstar, Ukrtelecom). Over 80% of infections occurred in Ukraine, per ESET data, with secondary impacts in Germany, France, Russia, and the U.S. through the networks of global corporations. Multinational companies such as Maersk, Merck, FedEx (via TNT Express), Reckitt Benckiser, and Saint-Gobain reported severe operational disruptions, with Merck’s manufacturing systems halted for weeks. The malware propagated via the M.E.Doc update channel and EternalBlue, but its indiscriminate spread suggested the attackers had made little effort to contain it. Ukrainian authorities declared the attack “halted” on June 28 following cybersecurity interventions, though recovery efforts persisted for months.

On July 4, Ukrainian police raided Intellect Service’s offices, seizing servers after discovering a backdoor in M.E.Doc’s update system dating to at least May 15. Investigators confirmed the attackers had compromised the updater weeks before the attack, enabling stealthy payload deployment. The Security Service of Ukraine (SBU) attributed the attack to Russian military intelligence (GRU), citing code similarities to prior operations by the TeleBots group, which had targeted Ukrainian energy and financial sectors since 2014 using BlackEnergy malware. The SBU noted the attackers’ focus on Ukrainian infrastructure but acknowledged collateral damage abroad. By early July, Bitcoin wallets linked to the attack had collected $10,000, though ransom payments proved futile due to NotPetya’s data-destructive design.

Global financial losses exceeded $10 billion, with Merck reporting $870 million in damages, FedEx $400 million, and Maersk $300 million. Reckitt Benckiser cited a 2% quarterly sales decline ($130 million) from supply-chain disruptions. Ukrainian entities such as Oshchadbank restored operations by July 3, but TNT Express’ delivery networks remained impaired into August. The U.S. CIA and UK Ministry of Defence later formally attributed NotPetya to Russia, calling it a state-sponsored attack disguised as ransomware. Microsoft’s March 2017 patches against EternalBlue could have prevented the spread, but unpatched systems, particularly in Ukraine’s public sector, enabled rapid propagation. The incident underscored systemic vulnerabilities in software supply chains and critical infrastructure, with M.E.Doc’s central role highlighting the risk inherent in trusted third-party updates.
