Cyber Incident Victim: DLA Piper

Date:

Jun 2017

Location:

Ukraine

Summary

A ransomware attack attributed to the "Petya" or "NotPetya" malware variant disrupted operations across multiple organizations in Europe and the US, including a legal firm, government entities, energy infrastructure, shipping companies, and healthcare providers. The attack encrypted files and demanded Bitcoin payments, but victims were unable to contact the attackers for decryption keys after the associated email service was terminated. It exploited the EternalBlue vulnerability previously linked to WannaCry, alongside network administrator tools, to propagate within networks. Critical infrastructure impacts included disabled radiation monitoring at Chernobyl, halted banking operations, and paralyzed corporate IT systems, though some utilities maintained service despite network compromises. The incident caused widespread operational disruption, and paying the ransom offered affected entities no route to recovery.

Description

The Petya ransomware attack, first detected on June 27, 2017, caused widespread disruption across multiple countries, with Ukraine experiencing the most severe initial impact. The attack compromised Ukrainian government systems, including the deputy prime minister’s office, which publicly confirmed a complete IT shutdown through a social media post showing a darkened computer screen. Critical infrastructure sectors in Ukraine were heavily affected: the central bank reported operational disruptions at financial institutions, the state power utility Ukrenergo suffered system compromises, and the Chernobyl nuclear site’s radiation monitoring systems were forced offline, requiring manual measurements with handheld counters. Kiev’s Boryspil International Airport and metro system also experienced outages. The malware rapidly spread beyond Ukraine, impacting multinational corporations including advertising conglomerate WPP, French construction materials firm Saint-Gobain, Russian energy company Rosneft, and steel producer Evraz. In the United States, Pittsburgh-based Heritage Valley Health System’s hospital networks and global law firm DLA Piper reported system compromises. Danish shipping giant AP Moller-Maersk confirmed complete IT system failures across all business units, including container shipping operations, port facilities, and oil tanker management systems.

Technical analysis revealed the ransomware exploited the EternalBlue vulnerability—a Windows SMB protocol weakness originally developed by the NSA and leaked by the Shadow Brokers hacker group—which had also been leveraged in the earlier WannaCry attacks. Unlike WannaCry’s email-based propagation, Petya employed multiple lateral movement techniques, including credential theft and targeting network administration tools, enabling rapid spread even within organizations that had patched against EternalBlue. Victims encountered ransom notes demanding $300 in Bitcoin but discovered the attackers’ designated Posteo email account for payment confirmation had been disabled by the provider, eliminating decryption key retrieval options. Cybersecurity firms offered conflicting assessments, with Kaspersky Labs identifying it as a novel ransomware variant (“NotPetya”) affecting over 2,000 users globally, while others classified it as a modified Petya strain. The attack caused operational paralysis at major entities: Maersk temporarily halted terminal operations across 17 sites, Mondelez reported global system outages, and Ukrainian financial institutions struggled to process transactions. No reliable recovery method emerged due to the payment system failure, forcing organizations to rely on system restoration from backups where available.
