We can compare and contrast with the effects of NotPetya, which caused widespread obvious economic damage (e.g. Maersk shipping and Merck losses) - due to the number of affected companies, SolarWinds had the potential to be worse, but I'm not sure if you can be more destructive than that without it being obviously visible.
>I'm not sure if you can be more destructive than that without it being obviously visible.
I don't know if the damage was greater than NotPetya but you definitely can have something more destructive without it being immediately apparent. If you lose credit card numbers and PII from your customers you HAVE to report it to the public but there are different rules for the loss of incredibly valuable intellectual property.
Perhaps the damage is just not visible yet. The sand has not been tossed in the gearbox. The blueprints have not been built. Maybe it’s a precursor event to a longer decline.
The attacks have more similarities than differences.
First, to correct a common misconception, NotPetya definitely wasn't ransomware run amok - it was designed to look like the previously popular Petya ransomware, but the actual ransom and decryption key processing mechanism was removed as that wasn't its purpose. It was masquerading as ransomware, but it wasn't ransomware, it just destroys data by encrypting it with a non-recoverable key.
Just as SolarWinds, NotPetya also was a targeted supply chain attack - it was deployed through updates from a previously hacked accounting/tax software company "Intellect Service" to all their customers in Ukraine, which also included many multinational companies which had their finance depts file tax reports in Ukraine; and just as SolarWinds, NotPetya is attributed to the Russian government.
The main difference is that, as you say, it seems that SolarWinds was (at least at the stage it was detected) used only for espionage, while NotPetya was designed for pure destruction.
Definitely correct in that NP originated in a supply chain attack on that vendor in Kiev; I had forgotten, and good catch.
NP, as Maersk and co experienced, was definitely rware (a variant, sure) run amok, however. It’s industry consensus that the attacker either a) didn’t think of the possible global blast radius or b) thought of the blast radius but didn’t plan for how bad it would get.
In a sense, SW might reflect a more mature approach: consider the network spread, use a different exploit and intent - spyware for espionage vs rware variant for destruction.
That said, very different exploits and intents were used.