Cyber Incident Victim: Epicenter

Date:

Jun 2017

Location:

Ukraine

Summary

A ransomware cryptoworm dubbed Petya.A targeted Ukrainian infrastructure, disrupting government systems, banks, energy providers, media outlets, transport services, and critical enterprises through mass phishing emails and exploitation of Windows vulnerabilities. The malware encrypted entire hard drive partitions, demanding Bitcoin payments, and spread rapidly via EternalBlue exploits and network propagation tools like psexec.exe, causing widespread operational paralysis including ATM failures, payment system outages, airport disruptions, and radiation monitoring failures at Chornobyl. The attack also impacted international entities such as Maersk, Rosneft, and Cadbury, with initial infections traced to compromised Ukrainian accounting software, highlighting its cross-border reach despite Ukraine being the primary target.

CIA Posture: Available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On June 27, 2017, a widespread cyberattack utilizing Petya.A ransomware targeted Ukrainian critical infrastructure, government institutions, and private enterprises. The incident began around 15:00 local time with a mass email campaign distributing malicious attachments that executed the ransomware upon opening. Initial reports identified infections at Oshchadbank state bank, where ATMs ceased functioning, and energy companies Dniproenergo, Zaporizhzhiaenergo, and Kyivenergo, where approximately 99% of computers were encrypted. The malware encrypted entire hard drive partitions on Windows systems, unlike WannaCry's file-specific approach. By 16:40, the National Police and Cyber Police websites became inaccessible, while the Cabinet of Ministers reported complete network failure through Deputy PM Pavlo Rozenko’s social media post. Media entities including 24 Kanal TV, Radio Luks, and Korrespondent.net experienced broadcast interruptions and website outages. Transport infrastructure was compromised at Boryspil International Airport, forcing manual check-ins, and Kyiv Metro suspended electronic payment systems. The State Service of Special Communication confirmed operational disruptions across multiple sectors but noted protected government e-resources remained unaffected.

The attack rapidly expanded beyond Ukraine, affecting multinational corporations including Danish shipping firm Maersk, Russian oil company Rosneft, British advertising conglomerate WPP, and Cadbury’s Australian factory. ESET’s telemetry indicated Ukraine as the primary target, with infection rates far exceeding other countries. Cybersecurity analyses revealed the malware exploited EternalBlue (previously used by WannaCry), PsExec, and Windows Management Instrumentation Command-line (WMIC) for lateral movement. Ransom demands of $300 in Bitcoin were issued, though TrendMicro reported the payment portal email was deactivated, rendering decryption impossible. Ukrainian Cyberpolice preliminarily attributed initial infections to vulnerabilities in M.E.Doc accounting software. Containment efforts included creating a "perfc" file in Windows directories to block malware execution, as identified by researcher Amit Serper. By June 28, Ukraine’s Prime Minister Groysman declared vital systems intact, and the National Bank assured financial sector stabilization. The incident caused temporary operational paralysis across 300,000 computers globally but did not compromise Ukraine’s electronic state registries or critical cyberdefense infrastructure.
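The "perfc" containment measure described above, reproduced as an added example that is not from the original page, from the cited researcher, or from any named vendor. It assumes the Windows directory is the one in $env:SystemRoot and adds perfc.dat and perfc.dll alongside the page's "perfc" as assumed extra names; it also reports the state of those files so a defender can verify the measure was applied.

```powershell
# Added example (not from the original page): create read-only "perfc" vaccine
# files in the Windows directory and report their state.
# Assumption: $env:SystemRoot is the directory the malware checked.
# The page names only "perfc"; perfc.dat and perfc.dll are assumed extras.
$VaccineNames = @('perfc', 'perfc.dat', 'perfc.dll')

function Install-PerfcVaccine {
    [CmdletBinding()]
    param(
        [string]$WindowsDir = $env:SystemRoot,
        [string[]]$Names = $VaccineNames
    )
    foreach ($name in $Names) {
        $path = Join-Path $WindowsDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            # A zero-byte file is enough: the check was for existence, not content.
            New-Item -Path $path -ItemType File | Out-Null
        }
        # Mark read-only so a casual delete does not undo the measure.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    }
}

function Test-PerfcVaccine {
    param(
        [string]$WindowsDir = $env:SystemRoot,
        [string[]]$Names = $VaccineNames
    )
    # Emits one object per expected file: Path, Exists, ReadOnly.
    foreach ($name in $Names) {
        $path = Join-Path $WindowsDir $name
        $exists = Test-Path -LiteralPath $path
        $readOnly = $false
        if ($exists) { $readOnly = (Get-Item -LiteralPath $path).IsReadOnly }
        [pscustomobject]@{ Path = $path; Exists = $exists; ReadOnly = $readOnly }
    }
}

# Usage (run from an elevated prompt; writing to the Windows directory needs it):
# Install-PerfcVaccine
# Test-PerfcVaccine | Format-Table -AutoSize
```

This only blocks the local execution check the text describes; it does nothing against the EternalBlue, PsExec or WMIC propagation the page also names, which still requires patching and credential hygiene.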

Sources
Sources available to members
3 sources