The new variant propagates via the EternalBlue exploit, which is generally believed to have been developed by the U.S. National Security Agency (NSA), and was used earlier in the year by the WannaCry ransomware.
[7] On 30 August 2018, a regional court in Nikopol in the Dnipropetrovsk Oblast of Ukraine sentenced an unnamed Ukrainian citizen to one year in prison after the defendant pleaded guilty to having spread a version of Petya online.
[14][15] Oleksandr Kardakov, the founder of the Oktava Cyber Protection company, emphasizes that the Petya virus stopped a third of Ukraine's economy for three days, resulting in losses of more than 400 million dollars.
[11][17] It was believed that the software update mechanism of M.E.Doc—a Ukrainian tax preparation program that, according to F-Secure analyst Mikko Hyppönen, "appears to be de facto" among companies doing business in the country—had been compromised to spread the malware.
[18][21][22][23] On 4 July 2017, Ukraine's cybercrime unit seized the company's servers after detecting "new activity" that it believed would result in "uncontrolled proliferation" of malware.
[20][23][25] Oleksandr Kardakov, an IT businessman and chairman of the supervisory board of the Oktava Capital company, proposed creating a civil cyber defense in Ukraine.
[6][27][28] Meanwhile, the computer's screen displays output purportedly from chkdsk, Windows' file system scanner, suggesting that the hard drive's sectors are being repaired.
[6] The United States Computer Emergency Response Team (US-CERT) and the National Cybersecurity and Communications Integration Center (NCCIC) released a Malware Initial Findings Report (MIFR) about Petya on 30 June 2017.
[29] The "NotPetya" variant used in the 2017 attack uses EternalBlue, an exploit that takes advantage of a vulnerability in Windows' Server Message Block (SMB) protocol.
[35] This characteristic, along with other unusual signs in comparison to WannaCry (including the relatively low unlock fee of US$300, and using a single, fixed Bitcoin wallet to collect ransom payments rather than generating a unique ID for each specific infection for tracking purposes),[36] prompted researchers to speculate that this attack was not intended to be a profit-generating venture, but to damage devices quickly and to capitalize on the media attention WannaCry had received by posing as ransomware.
[37][38] It was found that it may be possible to stop the encryption process if an infected computer is immediately shut down when the fictitious chkdsk screen appears,[39] and a security analyst proposed that creating read-only files named perfc and/or perfc.dat in the Windows installation directory could prevent the payload of the current strain from executing.
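A check for the file-based mitigation described above, written as an added example for this article (it is not code from the original page or from the analyst who proposed the measure). It assumes that "the Windows installation directory" is `%windir%`, treats a cleared owner-write bit in the file mode as the read-only attribute, and goes slightly beyond the text by both reporting the status of the files and creating them when asked; it is a stopgap for the strain the text describes, not a replacement for patching SMB.

```python
"""Report on, and optionally create, read-only perfc / perfc.dat files."""
import os
import stat
from pathlib import Path

# File names taken from the article; perfc.dat and perfc are checked together.
VACCINE_NAMES = ("perfc", "perfc.dat")


def _windir() -> Path:
    # Assumption: the Windows installation directory is %windir% (C:\Windows).
    return Path(os.environ.get("windir", r"C:\Windows"))


def vaccine_status(windir=None) -> dict:
    """Return {name: 'ok' | 'writable' | 'missing'} for each vaccine file.

    'ok' means the file exists and its owner-write bit is clear; on Windows
    Python reports the read-only attribute this way, so the file would
    resist being overwritten by the strain discussed above."""
    base = Path(windir) if windir is not None else _windir()
    status = {}
    for name in VACCINE_NAMES:
        path = base / name
        if not path.is_file():
            status[name] = "missing"
        elif stat.S_IMODE(path.stat().st_mode) & stat.S_IWRITE:
            status[name] = "writable"  # exists but not read-only: not protective
        else:
            status[name] = "ok"
    return status


def apply_vaccine(windir=None) -> dict:
    """Create any missing vaccine file, clear its write bit, and report."""
    base = Path(windir) if windir is not None else _windir()
    for name in VACCINE_NAMES:
        path = base / name
        if not path.exists():
            path.touch()  # an empty file is sufficient for the check
        # S_IREAD alone sets the read-only attribute on Windows (0o400 on POSIX).
        os.chmod(path, stat.S_IREAD)
    return vaccine_status(base)


if __name__ == "__main__":
    print(vaccine_status())
```

Run `apply_vaccine()` from an elevated prompt on Windows to create the files in `%windir%`; passing any other directory lets the logic be exercised on a test path.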
[36][44] Additionally, if the computer's filesystem was FAT based, the MFT encryption sequence was skipped, and only the ransomware's message was displayed, allowing data to be recovered trivially.
[46][47] Wired believed that "based on the extent of damage Petya has caused so far, though, it appears that many companies have put off patching, despite the clear and potentially devastating threat of a similar ransomware spread."
This assessment was repeated by former Homeland Security advisor Tom Bossert, who at the time of the attack was the most senior cybersecurity focused official in the US government.