Three cyber-security firms have come forward with reports or statements that link the NotPetya ransomware outbreak to a cyber-espionage group known for past cyber-attacks. The group behind all these attacks has been active since 2007 and is tracked under different names, such as Sandworm, BlackEnergy, and most recently as TeleBots. In 2014, the group started focusing most of its operations against Ukraine, shortly after Russia occupied the Crimean Peninsula. In December 2016, researchers reported seeing new versions of the KillDisk malware that came with a ransomware component, allowing it to “pass”” as a ransomware infection.”
Source: https://www.bleepingcomputer.com/news/security/security-firms-find-thin-lines-connecting-notpetya-to-ukraine-power-grid-attacks/