A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?

In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly USD 10 billion in damage.

NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit that harvested user passwords from Windows machines.

The malware was designed to infect without user action, move laterally inside networks and spread very fast, sometimes taking down networks in less than a minute. Once executed, it would overwrite the master boot record, preventing the infected machine from booting.

A ransom note demanded payment for decryption. But there was no mechanism or plan for actually decrypting the data. The note's purpose was to convince victims they had been hit by ransomware. In fact, NotPetya existed only to destroy data without a path to recovery.