The Petya ransomware now bundles a second file-encrypting program for cases where it cannot replace a computer's master boot record to encrypt its file table.
Before encrypting the MFT, Petya replaces the computer's master boot record (MBR), which contains code that initiates the operating system's bootloader. Petya replaces it with its own malicious code that displays the ransom note and leaves computers unable to boot.
However, in order to overwrite the MBR after it infects a computer, the malware needs to obtain administrator privileges. It does so by asking users for access via the User Account Control (UAC) mechanism in Windows.
In previous versions, if Petya failed to obtain administrator privileges, it stopped the infection routine. However, in such a case, the latest variant installs another ransomware program, dubbed Mischa, that begins to encrypt users' files directly, an operation that doesn't require special privileges.