2017 Ukraine ransomware attacks

{{short description|Series of powerful cyberattacks using the Petya malware}}

{{pp-pc1|small=yes}}

{{Use dmy dates|date=July 2017}}

{{Infobox event

| title = 2017 Ukraine ransomware attacks

| image = PetyaA.jpg

| image_size = 300px

| image_alt =

| caption = Petya's ransom note displayed on a compromised system

| native_name =

| native_name_lang =

| english_name =

| time =

| duration =

| date = {{start and end dates|df=yes|2017|6|27|2017|6|28}}

| venue =

| location = {{UKR}}{{cite news | url= https://www.telegraph.co.uk/news/2017/06/27/ukraine-hit-massive-cyber-attack1/ | title= Petya cyber attack: Ransomware spreads across Europe with firms in Ukraine, Britain and Spain shut down | date= 27 June 2017 | first1= James | last1= Rothwell | first2= James | last2= Titcomb | first3= Cara | last3= McGoogan | work= The Daily Telegraph | access-date= 5 April 2018 | archive-date= 16 February 2018 | archive-url= https://web.archive.org/web/20180216015601/http://www.telegraph.co.uk/news/2017/06/27/ukraine-hit-massive-cyber-attack1/ | url-status= live }}

{{Collapsible list

|title=Other locations

| {{RUS}}

| {{GER}}

| {{USA}}

| {{UK}}

| {{ESP}}

| {{IND}}

| {{POL}}

| {{ITA}}

| {{ISR}}

| {{BLR}}

| {{ARG}}

| {{NED}}

| {{AUS}}{{cite news|title=Businesses warned again to update patches as Petya ransomware hits Australian offices|url=http://www.afr.com/technology/web/security/businesses-warned-to-act-as-petya-ransomware-hits-australian-offices-20170627-gx00de|access-date=3 July 2017|work=Financial Review|date=28 June 2017|archive-date=30 June 2017|archive-url=https://web.archive.org/web/20170630232536/http://www.afr.com/technology/web/security/businesses-warned-to-act-as-petya-ransomware-hits-australian-offices-20170627-gx00de|url-status=live}}

}}

| coordinates =

| also_known_as =

| type = Cyberattack

| theme =

| cause = Malware, ransomware, cyberterrorism

| first_reporter =

| budget =

| patron =

| organisers =

| filmed_by =

| participants =

| outcome = Affected several Ukrainian ministries, banks, metro systems and state-owned enterprises

| casualties1 =

| casualties2 =

| casualties3 =

| reported deaths =

| reported injuries =

| reported missing =

| reported property damage =

| burial =

| inquiries =

| inquest =

| coroner =

| arrests =

| suspects = {{RUS}} (according to statements of Ukrainian authorities, American Michael N. Schmitt and the CIA.){{cite web|url= http://www.rnbo.gov.ua/en/news/2821.html|title= Oleksandr Turchynov: One of the mechanisms for spreading a dangerous computer virus was a system for updating the accounting software – National Security and Defense Council of Ukraine|website= RNBO|access-date= 30 June 2017|archive-url= https://web.archive.org/web/20171019075903/http://www.rnbo.gov.ua/en/news/2821.html|archive-date= 19 October 2017|url-status= dead}}{{cite web|url= https://ssu.gov.ua/en/news/1/category/21/view/3660|title= SBU establishes involvement of the RF special services into Petya.A virus-extorter attack|website= Security Service of Ukraine|access-date= 4 July 2017|archive-date= 19 October 2017|archive-url= https://web.archive.org/web/20171019075905/https://ssu.gov.ua/en/news/1/category/21/view/3660|url-status= dead}}{{Cite news|url=https://www.bbc.com/news/technology-40706093|title=Ukraine braces for further cyber-attacks|last=Borys|first=Christian|date=26 July 2017|work=BBC News|access-date=26 July 2017|language=en-GB|archive-date=26 July 2017|archive-url=https://web.archive.org/web/20170726100438/http://www.bbc.com/news/technology-40706093|url-status=live}}[https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes] {{Webarchive|url=https://web.archive.org/web/20180113094658/https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html |date=13 January 2018 }} Washington Post, 2018

| accused =

| convicted =

| charges =

| trial =

| verdict =

| convictions =

| sentence =

| publication_bans =

| litigation =

| awards =

| url =

| notes =

}}

{{Campaignbox Russo-Ukrainian War}}

{{for|the May 2017 worldwide EternalBlue WannaCry cyberattack|WannaCry ransomware attack}}

A series of powerful cyberattacks using the Petya malware began on 27 June 2017 that swamped websites of Ukrainian organizations, including banks, ministries, newspapers and electricity firms.{{Cite news|url=https://www.reuters.com/article/us-ukraine-cyber-attacks-idUSKBN19I1IJ|title=Ukrainian banks, electricity firm hit by fresh cyber attack|last=Prentice|first=Alessandra|date=27 June 2017|work=Reuters|access-date=27 June 2017|archive-date=16 July 2019|archive-url=https://web.archive.org/web/20190716014712/https://www.reuters.com/article/us-ukraine-cyber-attacks-idUSKBN19I1IJ|url-status=live}} Similar infections were reported in France, Germany, Italy, Poland, Russia, the United Kingdom, the United States and Australia.{{cite web |url= https://www.bloomberg.com/news/articles/2017-06-27/ukraine-russia-report-ransomware-computer-virus-attacks |title= New Cyberattack Goes Global, Hits WPP, Rosneft, Maersk |last1= Turner |first1= Giles |last2= Verbyany |first2= Volodymyr |date= 27 June 2017 |website= Bloomberg |access-date= 27 June 2017 |last3= Kravchenko |first3= Stepan |archive-date= 5 November 2019 |archive-url= https://web.archive.org/web/20191105134354/https://www.bloomberg.com/news/articles/2017-06-27/ukraine-russia-report-ransomware-computer-virus-attacks |url-status= live }}{{Cite news|url=https://www.nytimes.com/2017/06/27/technology/ransomware-hackers.html|title=Cyberattack Hits Ukraine Then Spreads Internationally|last1=Perlroth|first1=Nicole|last2=Scott|first2=Mark|last3=Frenkel|first3=Sheera|date=27 June 2017|work=The New York Times|access-date=4 July 2017|language=en-US|issn=0362-4331|archive-date=13 April 2018|archive-url=https://web.archive.org/web/20180413005050/https://mobile.nytimes.com/2017/06/27/technology/ransomware-hackers.html|url-status=live}}{{Cite news|url=https://www.bbc.com/news/technology-40416611|title=Global ransomware attack causes chaos|date=27 June 2017|work=BBC News|access-date=27 June 2017|archive-date=27 June 2017|archive-url=https://web.archive.org/web/20170627135748/http://www.bbc.com/news/technology-40416611|url-status=live}}{{Cite magazine|url=https://www.wired.co.uk/article/petya-malware-ransomware-attack-outbreak-june-2017|title=There's another 'worldwide' ransomware attack and it's spreading quickly|last=Burgess|first=Matt|magazine=Wired UK|access-date=27 June 2017|archive-date=31 December 2017|archive-url=https://web.archive.org/web/20171231121401/http://www.wired.co.uk/article/petya-malware-ransomware-attack-outbreak-june-2017|url-status=live}} ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit at about 9%.{{Cite news|url=https://www.bbc.com/news/technology-40428967|title=Tax software blamed for cyber-attack spread|date=28 June 2017|work=BBC News|access-date=28 June 2017|archive-date=28 June 2017|archive-url=https://web.archive.org/web/20170628134132/http://www.bbc.com/news/technology-40428967|url-status=live}} On 28 June 2017, the Ukrainian government stated that the attack had been halted. On 30 June 2017, the Associated Press reported that experts agreed Petya was masquerading as ransomware while actually being designed to cause maximum damage, with Ukraine as the main target.{{Cite news|url=https://www.apnews.com/ce7a8aca506742ab8e8873e7f9f229c2/Companies-still-hobbled-from-fearsome-cyberattack|title=Companies still hobbled from fearsome cyberattack|date=30 June 2017|work=Associated Press|access-date=3 July 2017|archive-date=19 October 2017|archive-url=https://web.archive.org/web/20171019080405/https://www.apnews.com/ce7a8aca506742ab8e8873e7f9f229c2/Companies-still-hobbled-from-fearsome-cyberattack|url-status=live}}

Approach

Security experts believe that the NotPetya attack originated from an update of M.E.Doc, a Ukrainian tax accounting package developed by Intellect Service. M.E.Doc was widely used by tax accountants and businesses in Ukraine,{{cite web | url = https://www.nytimes.com/2017/06/28/world/europe/ukraine-ransomware-cyberbomb-accountants-russia.html | title = Ukraine Cyberattack Was Meant to Paralyze, not Profit, Evidence Shows | first = Andrew | last = Kramer | date = 28 June 2017 | access-date = 29 June 2017 | work = The New York Times | archive-date = 29 June 2017 | archive-url = https://web.archive.org/web/20170629022218/https://www.nytimes.com/2017/06/28/world/europe/ukraine-ransomware-cyberbomb-accountants-russia.html | url-status = live }} and Mikko Hyppönen, a security expert at F-Secure, described it as a primary accounting software for many Ukrainian firms. Estimates suggest that M.E.Doc had about 400,000 customers across Ukraine, covering approximately 90% of domestic firms.

M.E.Doc provides periodic updates to its program through an update server. On 27 June 2017, a software update was distributed via M.E.Doc's update server, after which reports of the NotPetya ransomware attack began to appear. British cybersecurity researcher Marcus Hutchins stated, "It looks like the software's automatic update system was compromised and used to download and run malware rather than updates for the software." The company that develops M.E.Doc denied any intentional involvement in the ransomware attack, stating that its own systems were also affected, and that it was cooperating with law enforcement to investigate the incident.{{Cite web | url = https://www.nytimes.com/2017/06/27/technology/global-ransomware-hack-what-we-know-and-dont-know.html | title = Global Ransomware Attack: What We Know and Don't Know | first = Sheera | last = Frenkel | date = 27 June 2017 | access-date = 28 June 2017 | work = The New York Times | archive-date = 27 June 2017 | archive-url = https://web.archive.org/web/20170627204742/https://www.nytimes.com/2017/06/27/technology/global-ransomware-hack-what-we-know-and-dont-know.html | url-status = live }} A similar incident occurred on 18 May 2017, when the XData ransomware spread through a compromised update of M.E.Doc. Hundreds of accounting departments were affected in Ukraine.{{cite news|url=https://ain.ua/2017/05/24/vse-pro-xdata-poka|title=Все, что известно про вирус-вымогатель XData: кто под угрозой и что делать|last=Красномовец|first=Павел|date=24 May 2017|work=AIN.UA|language=ru|access-date=29 June 2017|archive-date=28 June 2017|archive-url=https://web.archive.org/web/20170628183707/https://ain.ua/2017/05/24/vse-pro-xdata-poka|url-status=live}}

The cyberattack involved malware that resembled Petya ransomware but was later found to function as a wiper rather than traditional ransomware. Like the WannaCry ransomware attack in May 2017, NotPetya used the EternalBlue exploit, which targeted a vulnerability in older versions of the Microsoft Windows operating system. When executed, NotPetya encrypted the master boot record (MBR), preventing the operating system from loading. It then displayed a message demanding USD 300 in Bitcoin, but researchers found that data recovery was not possible. The software also spread within networks by exploiting the Server Message Block (SMB) protocol in Windows. Additionally, NotPetya incorporated Mimikatz, a proof-of-concept tool created in 2011 to demonstrate how Windows stored passwords in memory. Attackers used it to extract credentials, escalate privileges, and move laterally across networked systems.

The EternalBlue exploit had been identified before the WannaCry attack, and Microsoft issued patches in March 2017 to address the vulnerability in Windows Vista, Windows 7, Windows 8.1, Windows Server 2008, Windows Server 2012, and Windows Server 2016. Windows 10 was not affected. However, WannaCry spread through systems that ran older, unsupported Windows versions or had not applied the available security patches. In response to the attack, Microsoft issued new patches for Windows XP, Windows Server 2003 and Windows 8 a day after the WannaCry attack.{{Cite web |date=13 May 2017 |title=WCry is so mean Microsoft issues patch for 3 unsupported Windows versions. Decommissioned for years, Windows XP, 8, and Server 2003 get emergency update. |url=https://arstechnica.com/information-technology/2017/05/wcry-is-so-mean-microsoft-issues-patch-for-3-unsupported-windows-versions/ |access-date=1 March 2025 |website=Ars Technica}} Security expert Lesley Carhart stated, "Every method of exploitation that the attack used to spread was preventable by well-documented means."{{cite web | url = http://www.bbc.com/future/story/20170704-the-day-a-mysterious-cyber-attack-crippled-ukraine | title = The day a mysterious cyber-attack crippled Ukraine | first = Christian | last = Borys | date = 4 July 2017 | access-date = 8 July 2017 | work = BBC | archive-date = 7 July 2017 | archive-url = https://web.archive.org/web/20170707211738/http://www.bbc.com/future/story/20170704-the-day-a-mysterious-cyber-attack-crippled-ukraine | url-status = live }}
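As an added illustration (example code written here, not from the article or from any analysis it cites), the following Python simulation models the two propagation paths described above over a constructed five-host office network: the SMB exploit reaches only unpatched hosts, while credentials harvested from infected machines reach any host whose cached admin credential has already been collected, so patching alone does not contain the outbreak when local admin credentials are shared. Host names, credential labels and network links are assumptions.

```python
"""Constructed model of NotPetya-style worm propagation (illustration only).

Two spread paths, as described in the article: the SMB exploit reaches only
hosts missing the March 2017 patch, while credentials dumped with a
Mimikatz-style tool reach any host whose cached admin credential has already
been collected from an infected machine. Hosts, credentials and links are made up.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    patched: bool          # patch applied: the SMB exploit fails against this host
    admin_cred: str        # label of the admin credential cached in memory here
    neighbours: set = field(default_factory=set)


def build_network(hosts, links):
    """Index hosts by name and record bidirectional SMB reachability."""
    net = {h.name: h for h in hosts}
    for a, b in links:
        net[a].neighbours.add(b)
        net[b].neighbours.add(a)
    return net


def simulate(net, patient_zero):
    """Return the set of hosts infected starting from patient_zero.

    Runs to a fixpoint because a credential harvested late in the outbreak can
    unlock a patched host that was unreachable earlier.
    """
    infected = {patient_zero}
    harvested = {net[patient_zero].admin_cred}   # credentials dumped so far
    changed = True
    while changed:
        changed = False
        for name in list(infected):
            for n in net[name].neighbours:
                if n in infected:
                    continue
                target = net[n]
                via_exploit = not target.patched              # SMB exploit path
                via_creds = target.admin_cred in harvested    # stolen-credential path
                if via_exploit or via_creds:
                    infected.add(n)
                    harvested.add(target.admin_cred)
                    changed = True
    return infected


def make_network(patched, creds):
    """Constructed five-host office: a file server that every machine can reach."""
    names = ["acct-01", "ws-02", "ws-03", "fs-01", "dc-01"]
    hosts = [Host(n, patched, creds.get(n, f"cred-{n}")) for n in names]
    links = [("acct-01", "fs-01"), ("ws-02", "fs-01"),
             ("ws-03", "fs-01"), ("dc-01", "fs-01")]
    return build_network(hosts, links)


def run_scenarios():
    """Count infected hosts under four hygiene levels; patient zero is the accounting PC
    that received the poisoned update."""
    names = ["acct-01", "ws-02", "ws-03", "fs-01", "dc-01"]
    shared = {n: "LOCALADMIN" for n in names}                    # one local admin everywhere
    helpdesk = {"acct-01": "helpdesk-admin", "fs-01": "helpdesk-admin"}  # one shared support account
    scenarios = {
        "unpatched": make_network(False, {}),
        "patched_shared_admin": make_network(True, shared),
        "patched_unique_creds": make_network(True, {}),
        "patched_shared_helpdesk": make_network(True, helpdesk),
    }
    return {label: len(simulate(net, "acct-01")) for label, net in scenarios.items()}


if __name__ == "__main__":
    for label, count in run_scenarios().items():
        print(f"{label:26s} {count}/5 hosts infected")
```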

Security experts determined that the variant of Petya used in the 2017 Ukraine cyberattacks had been modified and was subsequently named NotPetya or Nyetna to distinguish it from the original ransomware. NotPetya encrypted entire files, not just the Master File Table (MFT), and in some cases functioned as a wiper, permanently destroying or irreversibly altering data with no known method of recovery.{{Cite web |date=29 June 2017 |title=NotPetya Technical Analysis - A Triple Threat: File Encryption, MFT Encryption, Credential Theft |url=https://www.crowdstrike.com/en-us/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/ |access-date=1 March 2025 |website=CrowdStrike}}{{cite web | url = https://www.reuters.com/article/us-cyber-attack-ukraine-idUSKBN19K1WI | title = Global cyber attack likely cover for malware installation in Ukraine: police official | first = Pavel | last = Polityuk | date = 29 June 2017 | access-date = 29 June 2017 | work = Reuters | archive-date = 29 June 2017 | archive-url = https://web.archive.org/web/20170629141642/https://www.reuters.com/article/us-cyber-attack-ukraine-idUSKBN19K1WI | url-status = live }}{{cite web | url = https://money.cnn.com/2017/06/30/technology/ransomware-cyber-attack-computer/index.html | title = Experts: Global cyberattack looks more like 'sabotage' than ransomware | first = Alanna | last = Petroff | date = 30 June 2017 | access-date = 30 June 2017 | work = CNN | archive-date = 1 July 2017 | archive-url = https://web.archive.org/web/20170701001503/http://money.cnn.com/2017/06/30/technology/ransomware-cyber-attack-computer/index.html | url-status = live }} Some security experts observed that the software could intercept passwords and perform administrator-level actions that could further damage computer files. They also noted that the software could identify specific computer systems and skip infecting them, suggesting the attack was more surgical in its goal. Unlike the WannaCry software, no "kill switch" that could have immediately stopped its spread was ever found in NotPetya.{{cite web | url = https://money.cnn.com/2017/06/28/technology/cyberattack-malware-europol/index.html?iid=EL | title = Europol: There's no 'kill switch' for malware attack | first = Alanna | last = Petroff | date = 28 June 2017 | access-date = 30 June 2017 | work = CNN | archive-date = 19 October 2017 | archive-url = https://web.archive.org/web/20171019080655/http://money.cnn.com/2017/06/28/technology/cyberattack-malware-europol/index.html?iid=EL | url-status = live }} According to Nicholas Weaver of the University of California, the hackers had previously compromised M.E.Doc and "made it into a remote-control Trojan, and then they were willing to burn this asset to launch this attack."

Attack

{{See|Petya (malware)}}

During the attack, the radiation monitoring system at Ukraine's Chernobyl Nuclear Power Plant went offline.{{Cite news|url=https://www.independent.co.uk/news/world/europe/chernobyl-ukraine-petya-cyber-attack-hack-nuclear-power-plant-danger-latest-a7810941.html|title=Chernobyl's radiation monitoring system has been hit by the worldwide cyber attack|last=Griffin|first=Andrew|date=27 June 2017|work=The Independent|access-date=27 June 2017|language=en-GB|archive-date=18 August 2019|archive-url=https://web.archive.org/web/20190818234657/https://www.independent.co.uk/news/world/europe/chernobyl-ukraine-petya-cyber-attack-hack-nuclear-power-plant-danger-latest-a7810941.html|url-status=live}} Several Ukrainian ministries, banks, metro systems and state-owned enterprises (Boryspil International Airport, Ukrtelecom, Ukrposhta, State Savings Bank of Ukraine, Ukrainian Railways) were affected.{{Cite news|url=https://www.independent.co.uk/news/world/europe/ukraine-cyber-attack-hackers-national-bank-state-power-company-airport-rozenko-pavlo-cabinet-a7810471.html|title=Ukraine cyber attack: Chaos as national bank, state power provider and airport hit by hackers|last=Dearden|first=Lizzie|date=27 June 2017|work=The Independent|access-date=27 June 2017|language=en-GB|archive-date=30 August 2019|archive-url=https://web.archive.org/web/20190830043507/https://www.independent.co.uk/news/world/europe/ukraine-cyber-attack-hackers-national-bank-state-power-company-airport-rozenko-pavlo-cabinet-a7810471.html|url-status=live}} On the infected computers, important files were overwritten and thus permanently damaged, despite the malware's displayed message to the user indicating that all files could be recovered "safely and easily" by meeting the attackers' demands and making the requested payment in Bitcoin.{{Cite news|url=https://www.bbc.com/news/technology-40442578|title=Cyber-attack was about data and not money, say experts|date=29 June 2017|work=BBC News|access-date=29 June 2017|language=en-GB|archive-date=29 June 2017|archive-url=https://web.archive.org/web/20170629125348/http://www.bbc.com/news/technology-40442578|url-status=live}}{{Cite web|url=https://arstechnica.com/security/2017/06/petya-outbreak-was-a-chaos-sowing-wiper-not-profit-seeking-ransomware/|title=Tuesday's massive ransomware outbreak was, in fact, something much worse|work=Ars Technica|date=28 June 2017|access-date=28 June 2017|language=en-us|archive-date=17 July 2017|archive-url=https://web.archive.org/web/20170717073820/https://arstechnica.com/security/2017/06/petya-outbreak-was-a-chaos-sowing-wiper-not-profit-seeking-ransomware/|url-status=live}}

The attack is widely believed to have been aimed at crippling the Ukrainian state rather than at financial gain. It came on the eve of the Ukrainian public holiday, Constitution Day (celebrating the anniversary of the approval by the Verkhovna Rada (Ukraine's parliament) of the Constitution of Ukraine on 28 June 1996).[http://www.ukrweekly.com/old/archive/1996/529606.shtml 1996: THE YEAR IN REVIEW] {{Webarchive|url=https://web.archive.org/web/20160303190426/http://www.ukrweekly.com/old/archive/1996/529606.shtml |date=3 March 2016 }}, The Ukrainian Weekly (29 December 1996){{Cite news|url=https://www.bbc.com/news/technology-40427907|title='Vaccine' created for huge cyber-attack|last=Lee|first=David|date=28 June 2017|work=BBC News|access-date=28 June 2017|language=en-GB|archive-date=28 June 2017|archive-url=https://web.archive.org/web/20170628072258/http://www.bbc.com/news/technology-40427907|url-status=live}}{{Cite web | url = https://mobile.nytimes.com/2017/06/27/technology/ransomware-hackers.html | title = Cyberattack Hits Ukraine Then Spreads Internationally | date = 27 June 2017 | access-date = 28 June 2017 | work = The New York Times | archive-date = 27 June 2017 | archive-url = https://web.archive.org/web/20170627220429/https://mobile.nytimes.com/2017/06/27/technology/ransomware-hackers.html | url-status = live }} Most government offices would be empty, allowing the cyberattack to spread without interference. In addition, some security experts observed the malware wiping the affected hard drives rather than encrypting them, a further blow to the companies affected.

A short time before the cyberattack began, it was reported that a senior intelligence officer and head of a special forces detachment of the Ukrainian Chief Directorate of Intelligence, Colonel Maksym Shapoval, had been assassinated in Kyiv by a car bomb.{{cite news|last1=Luhn|first1=Alec|title=Ukrainian military intelligence officer killed by car bomb in Kiev|url=https://www.theguardian.com/world/2017/jun/27/ukraine-colonel-maksim-shapoval-killed-car-bomb-kiev|access-date=28 June 2017|work=The Guardian|archive-date=13 April 2019|archive-url=https://web.archive.org/web/20190413181212/https://www.theguardian.com/world/2017/jun/27/ukraine-colonel-maksim-shapoval-killed-car-bomb-kiev|url-status=live}} Molly K. McKew, a former government adviser in Georgia and Moldova, believed this assassination was related to the cyberattack.{{cite news|last1=McKew|first1=Molly|title=A killing in Kiev shows how the West continues to fail Ukraine|url=https://www.washingtonpost.com/news/democracy-post/wp/2017/06/27/a-killing-in-kiev-shows-how-the-west-continues-to-fail-ukraine/|date=27 June 2017|access-date=28 June 2017|newspaper=The Washington Post|archive-date=27 June 2017|archive-url=https://web.archive.org/web/20170627195113/https://www.washingtonpost.com/news/democracy-post/wp/2017/06/27/a-killing-in-kiev-shows-how-the-west-continues-to-fail-ukraine/|url-status=live}}

On 28 June 2017, the Ukrainian government stated that the attack had been halted: "The situation is under complete control of the cyber security specialists, they are now working to restore the lost data."[https://www.ukrinform.net/rubric-politics/2255698-cyber-attack-on-ukrainian-government-and-corporate-networks-halted.html Cyber attack on Ukrainian government and corporate networks halted] {{Webarchive|url=https://web.archive.org/web/20200511160938/https://www.ukrinform.net/rubric-polytics/2255698-cyber-attack-on-ukrainian-government-and-corporate-networks-halted.html |date=11 May 2020 }}, Ukrinform (28 June 2017)

Following the initial 27 June attack, security experts found that the code that had infected the M.E.Doc update contained a backdoor that could potentially be used to launch another cyberattack. On seeing signs of another cyberattack, the Ukrainian police raided the offices of M.E.Doc on 4 July 2017 and seized its servers. M.E.Doc's CEO stated that the company had not been aware that a backdoor had been installed on its servers, again denied its involvement in the attack, and said it was working to help the authorities identify the source.{{cite news |last=Satter |first=Raphael |date=5 July 2017 |title=Ukraine says it foiled 2nd cyberattack after police raid |url=https://www.washingtonpost.com/business/technology/ukraine-we-prevented-second-cyberattack/2017/07/05/3cb65202-615f-11e7-80a2-8c226031ac3f_story.html |access-date=5 July 2017 |newspaper=The Washington Post |agency=Associated Press}}{{dead link|date=June 2021|bot=medic}}{{cbignore|bot=medic}}{{Cite web | url = https://www.reuters.com/article/us-cyber-attack-ukraine-backdoor-idUSKBN19Q14P | title = Ukraine scrambles to contain new cyber threat after NotPetya attack | first = Jack | last = Stubbs | date = 5 July 2017 | access-date = 5 July 2017 | work = Reuters | archive-date = 7 July 2017 | archive-url = https://web.archive.org/web/20170707004025/http://www.reuters.com/article/us-cyber-attack-ukraine-backdoor-idUSKBN19Q14P | url-status = live }} Security company ESET found that the backdoor had been installed on M.E.Doc's updater service as early as 15 May 2017, while experts from Cisco Systems' Talos group found evidence of the backdoor as early as April 2017; either timeline points to the cyberattack being a "thoroughly well-planned and well-executed operation".{{cite web | url = https://arstechnica.com/security/2017/07/heavily-armed-police-raid-company-that-seeded-last-weeks-notpetya-outbreak/ | title = Backdoor built in to widely used tax app seeded last week's NotPetya outbreak | first = Dan | last = Goodin | date = 5 July 2017 | access-date = 5 July 2017 | work = Ars Technica | archive-date = 8 July 2017 | archive-url = https://web.archive.org/web/20170708200235/https://arstechnica.com/security/2017/07/heavily-armed-police-raid-company-that-seeded-last-weeks-notpetya-outbreak/ | url-status = live }} Ukrainian officials have stated that Intellect Service will "face criminal responsibility", as anti-virus firms had warned the company about lax security on its servers before these events and it did not take steps to address it.{{cite web | url = https://apnews.com/8b02768224de485eb4e7b33ae55b02f2 | title = Official: firm at center of cyberattack knew of problems | first = Raphael | last = Satter | date = 3 July 2017 | access-date = 7 July 2017 | work = Associated Press | archive-date = 5 July 2017 | archive-url = https://web.archive.org/web/20170705011813/https://apnews.com/8b02768224de485eb4e7b33ae55b02f2 | url-status = live }} Talos warned that, given the large size of the M.E.Doc update that contained the NotPetya malware (1.5 gigabytes), there may have been other backdoors yet to be found, and another attack could be possible.

Attribution

On 30 June, the Security Service of Ukraine (SBU) reported that it had seized equipment allegedly used to launch the cyberattack, stating that it belonged to Russian agents responsible for the attack.{{Cite web | url = https://www.nytimes.com/reuters/2017/06/30/business/30reuters-cyber-attack-ukraine-sbu.html | title = Ukraine Says Seized Equipment Used by Russia to Launch Malware Attacks | work = The NY Times | agency = Reuters | date = 30 June 2017 | access-date = 30 June 2017 | archive-date = 30 June 2017 | archive-url = https://web.archive.org/web/20170630134707/https://www.nytimes.com/reuters/2017/06/30/business/30reuters-cyber-attack-ukraine-sbu.html | url-status = live }} On 1 July 2017, the SBU stated that available data indicated that the perpetrators of the December 2016 attacks on Ukraine's financial system, transport and energy infrastructure, which used TeleBots and BlackEnergy,{{Cite web|url=https://attack.mitre.org/wiki/Software/S0089|title=Software: BlackEnergy, Black Energy – ATT&CK|website=attack.mitre.org|language=en|access-date=4 July 2017|archive-date=19 October 2017|archive-url=https://web.archive.org/web/20171019080412/https://attack.mitre.org/wiki/Software/S0089|url-status=live}} were the same groups responsible for the 27 June 2017 attack. "This testifies to the involvement of the special services of Russian Federation in this attack," it concluded.{{Cite web | url = http://mobile.reuters.com/article/idUSKBN19M39P | title = Ukraine points finger at Russian security services in recent cyber attack | publisher = Reuters | date = 1 July 2017 | access-date = 1 July 2017 | archive-date = 1 July 2017 | archive-url = https://web.archive.org/web/20170701215006/http://mobile.reuters.com/article/idUSKBN19M39P | url-status = live }}{{Cite web | url = https://www.rferl.org/a/cyberattack-ukraine-blames-russia/28589606.html | title = Ukraine Security Service Blames Russia For Recent Cyberattack | work = Radio Free Europe | date = 1 July 2017 | access-date = 1 July 2017 | archive-date = 1 July 2017 | archive-url = https://web.archive.org/web/20170701132332/https://www.rferl.org/a/cyberattack-ukraine-blames-russia/28589606.html | url-status = live }} A December 2016 cyberattack on a Ukrainian state energy system caused a power outage in northern Kyiv. Russia–Ukraine relations have remained strained since Russia's 2014 annexation of Crimea and the subsequent conflict in eastern Ukraine, which had resulted in more than 10,000 deaths by late June 2017. Russia has denied sending troops or military equipment to eastern Ukraine. Ukraine has described cyberattacks on its state institutions as part of a "hybrid war" waged by Russia.

On 30 June 2017, cybersecurity firm ESET attributed the attack to the TeleBots group, which it stated had links to BlackEnergy. "Prior to the outbreak, the Telebots group targeted mainly the financial sector. The latest outbreak was directed against businesses in Ukraine, but they apparently underestimated the malware's spreading capabilities. That's why the malware went out of control." ESET had previously reported that BlackEnergy had been targeting Ukraine's cyber infrastructure since 2014.‘[https://www.scmagazine.com/russian-blackenergy-malware-strikes-at-ukrainian-media-and-energy-firms/article/527815/ "Russian" BlackEnergy malware strikes at Ukrainian media and energy firms] {{Webarchive|url=https://web.archive.org/web/20170315155110/https://www.scmagazine.com/russian-blackenergy-malware-strikes-at-ukrainian-media-and-energy-firms/article/527815/ |date=15 March 2017 }}’, SC Magazine (4 January 2016) In December 2016, ESET concluded that TeleBots had evolved from the BlackEnergy group and had used cyberattacks to sabotage Ukraine's financial sector during the second half of 2016.‘[https://www.scmagazine.com/blackenergy-back-telebots-launch-malicious-toolset-reminiscent-of-earlier-attacks/article/579319/ Telebots cybergang toolset reminiscent of BlackEnergy] {{Webarchive|url=https://web.archive.org/web/20171019083932/https://www.scmagazine.com/blackenergy-back-telebots-launch-malicious-toolset-reminiscent-of-earlier-attacks/article/579319/ |date=19 October 2017 }}’, SC Magazine (15 December 2016)

Around the time of the 4 July raid on M.E.Doc, the $10,000 in bitcoin already collected in the listed wallets for NotPetya had been withdrawn, and experts speculated it was used to buy space on the anonymous Tor network. One message posted there, allegedly from the NotPetya authors, demanded 100,000 bitcoin (about $2.6 million) to halt the attack and decrypt all affected files. On 5 July 2017, a second message, also allegedly from the NotPetya authors, was posted on a Tor website, demanding that those seeking to decrypt their files send 100 bitcoin (approximately $250,000). The message was signed with the same private key used by the original Petya ransomware, suggesting that the same group was responsible for both.{{cite web | url = https://www.theverge.com/2017/7/5/15922216/petya-notpetya-ransomware-authors-bitcoin-demand-decrypt | title = Petya ransomware authors demand $250,000 in first public statement since the attack | first = Russell | last = Brandom | date = 5 July 2017 | access-date = 5 July 2017 | work = The Verge | archive-date = 6 July 2017 | archive-url = https://web.archive.org/web/20170706001021/https://www.theverge.com/2017/7/5/15922216/petya-notpetya-ransomware-authors-bitcoin-demand-decrypt | url-status = live }}

According to reports cited in January 2018, the United States Central Intelligence Agency claimed that Russia was responsible for the cyberattack, alleging that Russia's Main Intelligence Directorate (GRU) had designed NotPetya.{{cite news | url = https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html | title = Russian military was behind 'NotPetya' cyberattack in Ukraine, CIA concludes | first = Ellen | last = Nakashima | date = January 12, 2018 | access-date = February 15, 2018 | newspaper = The Washington Post | archive-date = 13 January 2018 | archive-url = https://web.archive.org/web/20180113094658/https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html | url-status = live }} Similarly, in February 2018, the United Kingdom Ministry of Defence accused Russia of launching the cyberattack, stating that by targeting systems in Ukraine, the attack had spread and affected major systems in the United Kingdom and elsewhere. Russia denied involvement, noting that Russian systems were also impacted by the attack.{{cite web | url = https://www.theguardian.com/technology/2018/feb/15/uk-blames-russia-notpetya-cyber-attack-ukraine | title = UK blames Russia for NotPetya cyber-attack last year | first = Sarah | last = Marsh | date = February 15, 2018 | access-date = February 15, 2018 | work = The Guardian | archive-date = 15 February 2018 | archive-url = https://web.archive.org/web/20180215161557/https://www.theguardian.com/technology/2018/feb/15/uk-blames-russia-notpetya-cyber-attack-ukraine | url-status = live }}

Wired writer Andy Greenberg, reviewing the history of the attacks in 2018, attributed them to a Russian military hacking group known as "Sandworm", which he also held responsible for the 2016 blackouts in Kyiv, among other incidents. The group had reportedly been targeting Ukraine's financial sector, and sometime in early 2017 it allegedly gained access to M.E.Doc's update servers, which it then used to distribute the malware that set off the June 2017 outbreak.{{cite magazine |url=https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ |title=The Untold Story of NotPetya, the Most Devastating Cyberattack in History |first=Andy |last=Greenberg |author-link=Andy Greenberg |date=23 August 2018 |access-date=23 August 2018 |magazine=Wired |archive-date=22 August 2018 |archive-url=https://web.archive.org/web/20180822200418/https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ |url-status=live }}

Affected companies

Companies affected include Antonov, Kyivstar, Vodafone Ukraine, lifecell, the TV channels STB, ICTV and ATR, Kyiv Metro, UkrGasVydobuvannya (UGV), the WOG chain of petrol stations, DTEK, EpiCentre K, Kyiv International Airport (Zhuliany), Prominvestbank, Ukrsotsbank, KredoBank and Oshchadbank, among others; by 29 June 2017 more than 1,500 legal entities and individuals had contacted the National Police of Ukraine to report that they had been victims of the 27 June 2017 cyberattack.‘[http://www.pravda.com.ua/news/2017/06/29/7148210 Virus Petya has hurt more than 1,5 thousand legal entities and individuals] {{Webarchive|url=https://web.archive.org/web/20170702100717/http://www.pravda.com.ua/news/2017/06/29/7148210/ |date=2 July 2017 }}’, Ukrayinska Pravda (29 June 2017) {{in lang|uk}}. Oshchadbank had all of its branches back in operation by 3 July 2017.‘[http://pda.pravda.com.ua/news/id_7148435 "Oschadbank" resume the work of all departments on July 3] {{Webarchive|url=https://web.archive.org/web/20171019075908/http://pda.pravda.com.ua/news/id_7148435 |date=19 October 2017 }}’, Ukrayinska Pravda (1 July 2017) {{in lang|uk}}. The computers of Ukraine's electricity company also went offline because of the attack, but the company continued to operate fully without them.

While more than 80% of affected companies were in Ukraine,{{update inline|date=July 2017}} the ransomware also spread to companies in other countries, because those businesses had offices in Ukraine and networks that reached around the globe. Non-Ukrainian companies reporting incidents related to the attack include food processor Mondelez International,{{cite news|last1=Voß|first1=Oliver|title=Milka-Fabrik steht seit einer Woche still|trans-title=Milka factory has stood idle for a week|url=http://www.tagesspiegel.de/wirtschaft/wegen-erpressersoftware-petya-milka-fabrik-steht-seit-einer-woche-still/20013388.html|access-date=5 July 2017|work=Tagesspiegel|date=3 July 2017|language=de|archive-date=5 July 2017|archive-url=https://web.archive.org/web/20170705111247/http://www.tagesspiegel.de/wirtschaft/wegen-erpressersoftware-petya-milka-fabrik-steht-seit-einer-woche-still/20013388.html|url-status=live}} the APM Terminals subsidiary of international shipping company A.P. Moller-Maersk, the FedEx shipping subsidiary TNT Express (whose deliveries were still disrupted by the attack in August 2017),[https://www.bbc.com/news/technology-40861982 Customers 'furious' with TNT after cyber-attack meltdown] {{Webarchive|url=https://web.archive.org/web/20180601063930/http://www.bbc.com/news/technology-40861982 |date=1 June 2018 }}, BBC News (9 August 2017) Chinese food and agribusiness conglomerate COFCO Group, French construction materials company Saint-Gobain,{{cite web | url = https://www.reuters.com/article/us-cyber-attack-idUSKBN19I1TD | title = New computer virus spreads from Ukraine to disrupt world business | first1 = Eric | last1 = Auchard | first2 = Jack | last2 = Stubbs | first3 = Alessandra | last3 = Prentice | date = 29 June 2017 | access-date = 30 June 2017 | publisher = Reuters | archive-date = 28 June 2017 | archive-url = https://web.archive.org/web/20170628220240/http://www.reuters.com/article/us-cyber-attack-idUSKBN19I1TD | url-status = live }} advertising agency WPP plc,{{cite news|last1=Perlroth|first1=Nicole|last2=Scott|first2=Mark|last3=Frenkel|first3=Sheera|title=Cyberattack Hits Ukraine Then Spreads Internationally|url=https://www.nytimes.com/2017/06/27/technology/ransomware-hackers.html|access-date=6 July 2017|work=The New York Times|date=27 June 2017|archive-date=13 April 2018|archive-url=https://web.archive.org/web/20180413005050/https://mobile.nytimes.com/2017/06/27/technology/ransomware-hackers.html|url-status=live}} Heritage Valley Health System of Pittsburgh,{{cite news|last1=Henley|first1=Jon|last2=Solon|first2=Olivia|title='Petya' ransomware attack strikes companies across Europe and US|url=https://www.theguardian.com/world/2017/jun/27/petya-ransomware-attack-strikes-companies-across-europe|access-date=6 July 2017|work=The Guardian|date=27 June 2017|archive-date=1 May 2021|archive-url=https://web.archive.org/web/20210501230809/https://www.theguardian.com/world/2017/jun/27/petya-ransomware-attack-strikes-companies-across-europe|url-status=live}} law firm DLA Piper,{{cite news|last1=Petroff|first1=Alanna|last2=Larson|first2=Selena|title=Another big malware attack ripples across the world|url=https://money.cnn.com/2017/06/27/technology/hacking-petya-europe-ukraine-wpp-rosneft/index.html|access-date=6 July 2017|publisher=CNN|date=28 June 2017|archive-date=5 July 2017|archive-url=https://web.archive.org/web/20170705012152/http://money.cnn.com/2017/06/27/technology/hacking-petya-europe-ukraine-wpp-rosneft/index.html|url-status=live}} pharmaceutical company Merck & Co.,{{Cite web|url=https://nypost.com/2017/06/27/europe-cyberattack-also-breaches-merck-headquarters-in-us/|title=Europe cyberattack also breaches Merck headquarters in US|last=Massarella|first=Linda|date=27 June 2017|website=New York Post|access-date=5 July 2017|archive-date=5 July 2017|archive-url=https://web.archive.org/web/20170705153437/http://nypost.com/2017/06/27/europe-cyberattack-also-breaches-merck-headquarters-in-us/|url-status=live}} consumer goods maker Reckitt Benckiser, and software provider Nuance Communications.{{cite web | url = https://www.nytimes.com/2017/07/06/technology/search-for-clues-global-cyberattacks.html | title = Lasting Damage and a Search for Clues in Cyberattack | first = Nicole | last = Perlroth | date = 6 July 2017 | access-date = 7 July 2017 | work = The New York Times | archive-date = 7 July 2017 | archive-url = https://web.archive.org/web/20170707025531/https://www.nytimes.com/2017/07/06/technology/search-for-clues-global-cyberattacks.html | url-status = live }} A Ukrainian police official said he believed the ransomware had been designed to spread globally in order to distract from the targeted attack on Ukraine.{{cite web | url = https://www.reuters.com/article/us-cyber-attack-ukraine-idUSKBN19K1WI | title = Global cyber attack likely cover for malware installation in Ukraine: police official | first1 = Pavel | last1 = Polityuk | first2 = Eric | last2 = Auchard | date = 29 June 2017 | access-date = 30 June 2017 | publisher = Reuters | place = Kiev, Frankfurt | archive-date = 29 June 2017 | archive-url = https://web.archive.org/web/20170629233140/https://www.reuters.com/article/us-cyber-attack-ukraine-idUSKBN19K1WI | url-status = live }}

The full cost of the attack could not be determined in its immediate aftermath, as a week after the outbreak companies were still working to contain the damage. Reckitt Benckiser cut its second-quarter sales forecast by 2% (about $130 million), mainly because of the attack's disruption of its global supply chain.{{cite news|last1=Geller|first1=Martinne|last2=Sandle|first2=Paul|title=Reckitt Benckiser trims sales forecasts after cyber attack|url=http://uk.reuters.com/article/us-reckitt-benc-grp-outlook-idUKKBN19R0GQ|access-date=6 July 2017|work=Reuters|date=6 July 2017|archive-date=6 July 2017|archive-url=https://web.archive.org/web/20170706120444/http://uk.reuters.com/article/us-reckitt-benc-grp-outlook-idUKKBN19R0GQ|url-status=dead}} Tom Bossert, Homeland Security Adviser to the President of the United States, later put the total damage at more than {{USD|10 billion}}. Estimated losses at individual companies included over {{USD|870 million}} at Merck, {{USD|400 million}} at FedEx, {{USD|384 million}} at Saint-Gobain, and {{USD|300 million}} at Maersk.

Reaction

Oleksandr Turchynov, Secretary of the National Security and Defence Council of Ukraine, said there were signs of Russian involvement in the 27 June cyberattack, although he offered no direct evidence.[https://www.rferl.org/a/ukraine-petya-ransomware-cyberattack-ground-zero/28583931.html Ukraine Is 'Ground Zero' For Hackers In Global Cyberattacks] {{Webarchive|url=https://web.archive.org/web/20170701175829/https://www.rferl.org/a/ukraine-petya-ransomware-cyberattack-ground-zero/28583931.html |date=1 July 2017 }}, Radio Free Europe (28 June 2017) Russian officials denied any involvement, calling Ukraine's claims "unfounded blanket accusations". NATO Secretary-General Jens Stoltenberg pledged on 28 June 2017 that NATO would continue to support Ukraine in strengthening its cyber defences.[https://www.ukrinform.net/rubric-defense/2255739-stoltenberg-nato-to-increase-aid-to-ukraine-in-field-of-cyber-defense.html Stoltenberg: NATO to increase aid to Ukraine in field of cyber defense] {{Webarchive|url=https://web.archive.org/web/20171102152753/https://www.ukrinform.net/rubric-defense/2255739-stoltenberg-nato-to-increase-aid-to-ukraine-in-field-of-cyber-defense.html |date=2 November 2017 }}, Ukrinform (28 June 2017) On 15 February 2018 the White House Press Secretary released a statement attributing the attack to the Russian military and calling it "the most destructive and costly cyberattack in history."{{Cite web|url=https://trumpwhitehouse.archives.gov/briefings-statements/statement-press-secretary-25/|title=Statement from the Press Secretary|language=en-US|via=National Archives|work=whitehouse.gov|access-date=2019-10-11|archive-date=3 February 2021|archive-url=https://web.archive.org/web/20210203094101/https://trumpwhitehouse.archives.gov/briefings-statements/statement-press-secretary-25/|url-status=live}}

Oleksandr Kardakov, an IT businessman and chairman of the supervisory board of Oktava Capital, proposed creating a civilian cyber defence organisation in Ukraine.{{Cite news|url=https://lb.ua/news/2017/07/20/371946_kardakov_predlozhil_sozdat.html|title=Кардаков запропонував створити громадянську кібероборону|trans-title=Kardakov proposed creating a civilian cyber defence|language=uk|work=lb.ua|date=2017-07-20|access-date=2024-03-28}}

See also

References

{{reflist|30em}}