Sophos shares similarities and differences between WannaCry (the May 2017 worldwide attack) and this new one, which is gradually being contained.

The researchers found no internet-spreading mechanism, though like WannaCry, it uses the EternalBlue/DoublePulsar exploits that target vulnerable SMB installations to spread. But that spread is through internal networks only. Here’s the SMB exploit shellcode for Petya vs the one for WannaCry

In cases where the SMB exploit fails, Petya tries to spread using PsExec under local user accounts. (PsExec is a command-line tool that allows users to run processes on remote systems.) It also runs a modified mimikatz LSAdump tool that finds all available user credentials in memory.

It attempts to run the Windows Management Instrumentation Command-line (WMIC) to deploy and execute the payload on each known host with relevant credentials. (WMIC is a scripting interface that simplifies the use of Windows Management Instrumentation (WMI) and systems managed through it.) By using the WMIC/PsExec/LSAdump hacking techniques, attackers can infect fully patched PCs found on local networks, including Windows 10.
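Because the PsExec/WMIC spread works against patched machines, defenders have to catch it in process-creation telemetry rather than rely on patching alone. The following is an added detection sketch, not code from Sophos or from this post: it flags a host that launches remote execution against several distinct machines in a short window. The `timestamp|host|command line` record format, the host names and addresses, and the thresholds are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records: timestamp|source host|command line.
SAMPLE_EVENTS = r"""
2017-06-27T10:01:02|WS-014|wmic.exe /node:"10.0.0.21" /user:"corp\alice" process call create "rundll32.exe C:\Windows\sample.dll,#1"
2017-06-27T10:01:05|WS-014|psexec.exe \\10.0.0.22 -accepteula -s -d rundll32.exe C:\Windows\sample.dll,#1
2017-06-27T10:01:09|WS-014|WMIC /NODE:10.0.0.23 process call create "rundll32.exe C:\Windows\sample.dll,#1"
2017-06-27T10:03:30|WS-014|wmic.exe os get caption
2017-06-27T10:04:00|ADMIN-01|psexec.exe \\10.0.0.50 -u corp\ops ipconfig /all
2017-06-27T11:30:00|ADMIN-01|wmic /node:10.0.0.51 process call create "notepad.exe"
"""

# WMIC only counts when it targets another node AND creates a process there.
WMIC_REMOTE = re.compile(
    r'\bwmic(?:\.exe)?\b.*?/node:"?([^"\s]+)"?.*\bprocess\s+call\s+create\b', re.I)
# PsExec counts when its first argument is a \\computer target.
PSEXEC_REMOTE = re.compile(r'\bpsexec(?:64)?(?:\.exe)?\s+\\\\([^\s\\]+)', re.I)

def remote_exec_target(cmdline):
    """Return (tool, target) if the command starts a process on another host."""
    for tool, pattern in (("wmic", WMIC_REMOTE), ("psexec", PSEXEC_REMOTE)):
        match = pattern.search(cmdline)
        if match:
            return tool, match.group(1).lower()
    return None

def find_fanout(log_text, min_targets=3, window=timedelta(minutes=5)):
    """Map each source host that hit >= min_targets hosts within window to them."""
    hits = defaultdict(list)  # source host -> [(time, target)]
    for line in log_text.strip().splitlines():
        stamp, source, cmdline = line.split("|", 2)
        found = remote_exec_target(cmdline)
        if found:
            hits[source].append((datetime.fromisoformat(stamp), found[1]))
    alerts = {}
    for source, events in hits.items():
        events.sort()
        for start, _ in events:  # slide the window from each event
            targets = {t for ts, t in events if start <= ts <= start + window}
            if len(targets) >= min_targets:
                alerts[source] = sorted(targets)
                break
    return alerts

if __name__ == "__main__":
    print(find_fanout(SAMPLE_EVENTS))
```

The admin workstation in the sample uses the same tools but never reaches three targets inside one window, so only the fan-out host is reported.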

Once the infection drops, the encryption stage begins. The ransomware scrambles your data files and overwrites the boot sector of your hard disk so that the next time you reboot, the master index of your C: drive will be scrambled too. The ransomware automatically forces a reboot after about an hour, thus activating the secondary scrambling process.

The victim knows there’s a problem because the ransom note takes over their screen.

Is there a kill switch? – The answer is yes, but only a local one, as outlined here