NotPetya: the lesson that a cyberattack can become pure operational loss
What the NotPetya attack reveals about the nature of modern cyber incidents and why this is not just an IT problem but a risk to a company's ability to operate.
On 27 June 2017 companies around the world began reporting mass infections. The malware, initially mistaken for a new version of the Petya ransomware, turned out to be something fundamentally different. It would later be called NotPetya.
On the surface NotPetya looked like ransomware: a ransom screen, encrypted disks. But that was camouflage. The code was not designed to restore data after payment. Its purpose was data destruction and system lockout. Permanent and irreversible.
Among those affected were some of the world's largest multinational companies: Maersk, Merck, FedEx, Reckitt Benckiser, Mondelez. Estimated damage for Maersk alone was around 300 million dollars. Total losses from the attack are measured in billions.
Why this is not an ordinary security incident
The traditional perception of a cyberattack: someone stole data, an investigation is needed, regulators must be notified, defences strengthened. Unpleasant, costly, but manageable.
NotPetya showed a different scenario. Companies did not lose data in the sense of a leak. They lost their operational capacity to function.
Maersk operated roughly 76 port terminals around the world. When systems failed, port operations stopped. Not because data was stolen - but because the systems managing container movements simply stopped working. The company spent several weeks reinstalling software on thousands of machines.
This is not theft or leakage. This is business stoppage.
How the malware spread
NotPetya used several infection vectors simultaneously. In particular, it spread through Ukrainian accounting software called MeDoc - many companies working with Ukraine received the infection through an automatic update of a trusted application.
Once inside a network, the malware used the same tools as WannaCry - the EternalBlue exploit to spread across the local network. Where the patch was not applied and network segmentation was absent, propagation was rapid.
This is an important lesson: the infection did not arrive through a phishing email to a suspicious address. It arrived through an update to software that was trusted.
What this means for risk management
Cyber incidents have stopped being only an IT risk. They have become a first-order operational risk.
For boards and owners this means several things.
Backup is not just an IT task. This was discussed after WannaCry. NotPetya confirmed it: it is critical that backups exist in isolated form - inaccessible to malware that has taken over the main network. Backups connected to the same infected network will not help.
Network segmentation determines the scale of the catastrophe. Companies with strict segmentation suffered far less than those where everything was on one flat network. This is an organisational decision, not a technical one - made at the architecture level and sustained by policy.
Your supply chain is your attack surface. Infection through a third-party software update is not an exotic vector. It is a real threat to any company using third-party systems with automatic updates. The question "who do we trust to update automatically, and what happens if that software turns out to be compromised?" is a strategic question.
Readiness check
Three questions I recommend asking:
- If all our main systems became unavailable simultaneously for a week - what would happen to operations? Is there a plan?
- Are our backups isolated from the main network? Can we restore if the main network is infected?
- What third-party software in our network updates automatically? Do we know, and do we have a process for controlling those updates?
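The segmentation point and the second readiness question can be asked of a firewall allow-list mechanically rather than by opinion. The following is an added example, not code from the original article; the segment names, the (src, dst, port) rule format, the default-deny assumption and the pull-based backup model are all constructed for the illustration.

```python
"""Added illustration: a segmentation and backup-isolation check over a
constructed allow-list model of a network. Assumptions (not from the page):
a network is a list of segment names plus allow rules (src, dst, tcp_port);
anything not listed is denied; backups use a pull model, so the backup
segment may open connections but nothing may open one into it."""
from collections import deque

SMB = 445  # TCP port for SMB, the service EternalBlue-style propagation abused

def reachable_on(rules, start, port):
    """Segments a host in `start` can reach on `port`, following allowed
    edges transitively: each hop is a possible lateral-movement step for a
    worm that has already landed in `start`."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst, p in rules:
            if src == cur and p == port and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}

def backup_isolated(rules, backup="backup"):
    """True when no rule lets any segment open a connection into `backup`."""
    return not any(dst == backup for _, dst, _ in rules)

def assess(segments, rules, entry="workstations"):
    """Summarise the readiness questions for one rule set."""
    blast = reachable_on(rules, entry, SMB)
    return {"smb_blast_radius": sorted(blast),
            "flat": len(blast) == len(segments) - 1,
            "backup_isolated": backup_isolated(rules)}

SEGMENTS = ["workstations", "finance", "port_ops", "backup"]  # constructed

def flat_network(segments, port=SMB):
    """Constructed 'before' state: any segment may reach any other on `port`."""
    return [(s, d, port) for s in segments for d in segments if s != d]

# Constructed 'after' state: SMB only where a pull-based backup needs it.
SEGMENTED = [("workstations", "finance", 443),  # HTTPS to the finance app only
             ("backup", "finance", SMB),        # backup server pulls from finance
             ("backup", "port_ops", SMB)]       # backup server pulls from port_ops

# Constructed half-measure: each SMB rule looks narrow, but they chain.
CHAINED = SEGMENTED + [("workstations", "finance", SMB), ("finance", "port_ops", SMB)]

if __name__ == "__main__":
    for name, rules in [("flat", flat_network(SEGMENTS)), ("segmented", SEGMENTED), ("chained", CHAINED)]:
        print(name, assess(SEGMENTS, rules))
```

The "chained" case is the one worth noticing: two individually reasonable SMB rules still give a worm in the workstation segment a path to port operations, which is why the check follows hops rather than inspecting rules one at a time.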
NotPetya was an attack with a specific political context. But the tools and methods it used are available without that context. The conclusion to draw is not about geopolitics - it is about the fact that operational dependence on IT infrastructure without a recovery plan is an accepted risk that often goes unrecognised until it materialises.