Cyber Incident Victim: Rosneft
Date: Jun 2017
Location: Russia
Summary
A ransomware cyberattack known as Petya or NotPetya targeted multiple global organizations, including a major Russian oil company. The attack encrypted systems and demanded Bitcoin payments, prompting the victim to activate backup controls to prevent operational disruptions to oil production and processing. While the incident caused server compromises and required prompt resolution of specific issues, the company maintained normal operations through contingency measures. Security researchers identified the malware as a novel variant propagating via exploits like EternalBlue, affecting corporate networks primarily in Russia and Ukraine. The attack led to widespread system shutdowns across other impacted entities, including shipping and energy firms, though critical infrastructure remained functional through emergency protocols.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On June 27, 2017, Russian oil company Rosneft experienced a large-scale cyberattack as part of a global ransomware campaign initially identified as Petya but later classified as NotPetya by cybersecurity firm Kaspersky Lab. The attack targeted Rosneft's servers, prompting the company to publicly disclose the incident via Twitter while suggesting possible connections to ongoing court proceedings. Rosneft immediately activated contingency measures by switching to a reserve control system, which prevented operational disruptions to oil production and processing. The company contacted law enforcement authorities to investigate the attack and stated that any technical issues arising from the incident were resolved promptly. By June 28, Rosneft confirmed that its production systems remained unaffected and that operations continued normally, though it refrained from providing a full assessment of the attack's impact at that stage.

The NotPetya malware employed in the attack differed from conventional ransomware by targeting low-level disk structures rather than encrypting individual files, effectively denying all access to the affected system. Kaspersky Lab identified it as a previously unseen ransomware variant propagating through multiple attack vectors, including a modified EternalBlue exploit for lateral movement within corporate networks. Global telemetry data indicated approximately 2,000 affected users, with concentrated impacts in Russia and Ukraine alongside incidents in Poland, Italy, the UK, Germany, France, and the US. While Rosneft contained the incident through redundant control systems, other major organizations, including Maersk and Ukrainian government entities, reported significant disruptions, with Maersk shutting down IT systems across multiple sites and terminals. The attackers demanded $300 in Bitcoin for decryption keys, though the ransomware's destructive encryption mechanism indicates that its design prioritized disruption over financial gain.
