Haber explained the modified ransomware payload contains new traits:

• It spreads through malicious office attachments and email. “This gets through the front door and onto any target system that can be exploited via social engineering.”
• Once installed, the malware looks for other systems to exploit using EternalBlue.
• Petya malware also scraped memory and the file system for passwords and execute “psexec” against remote targets to propagate the infection. This compromises hosts, even if patched for EternalBlue, and leverage administrator credentials it discovers during its interrogation of the system.
• Encryption is at a low level using the master file tree tables for the new technology file system and overwrites the master boot record with a ransomware warning.

“It's important to note that this is not Petya. It is a variant modeled after it that has stolen the methods Petya used,” Yonathan Klijnsma, threat researcher for San Francisco-based RiskIQ. Klijnsma noted the payment component of the attack doesn't seem like it functions or scale well, meaning the actors involved may seek to create mayhem and destruction rather than money.

Klijnsma noticed another interesting attack aspect. “The intended victims are rather different from Petya or 'normal' ransomware. The targets are enterprises, not individual private users.”

In addition, it seems most likely that the initial distribution method of this ransomware was the auto-update functionality of Ukrainian company MeDoc. “It seems the update server was, in some way, compromised to push a malicious update: the ransomware…instead of a software update.” Klijnsma said. Petya uses not only server message block exploits, but also tries credential reuse from the infected machine into others on the network. “This means that if the domain administrator starts the ransomware, his or her entire domain may be affected, and the ransomware will have full rights everywhere depending on how the domain restrictions are set up.”

Kirk Soluk, manager of ASERT's Threat Intelligence and Response Team at Burlington, Mass.-based Arbor Networks, said. “Amidst this deluge of information (and misinformation), we wanted to make sure that the association of Petya with WannaCry did not obscure some important differences. The EternalBlue-based propagation mechanism, mitigated by patching MS17-010, is not the only method employed by Petya to spread. Another propagation method employed by Petya is not thwarted by simply patching.”

Soluk clarified this point by explaining once Petya compromises a machine, it begins hijacking local credentials from the Windows Local Security Authority. It then leverages those credentials to remotely attempt to compromise other systems on the local network.

Petya aftershocks could lead to even more repercussions. Following WannaCry RiskIQ's mobile database found hundreds of apps claiming to help defend mobile phones, even though mobile systems are safe from its impact. Instead they preyed on unsuspecting users by pushing adware, trojans, and other malware.