• Distribution Method : Remote infection and access by SMB vulnerability

• MD5 : 84c82835a5d21bbcf75a61706d8ab549

• Major Detection Name : Trojan.Ransom.WannaCryptor.A (BitDefender), Ransom:Win32/WannaCrypt (Microsoft)

• Encrypted File Pattern : .WNCRYT → .WNCRY

• Malicious File Creation Location :
       - C:\Users\%UserName%\AppData\Roaming\tor

     - \\msg
     - \\TaskData
     - \\TaskData\Data
     - \\TaskData\Tor\taskhsvc.exe
     - \\TaskData\Tor\tor.exe
     - \\@WanaDecryptor@.exe
     - \\@WanaDecryptor@.exe.lnk
     - \\taskdl.exe
     - \\taskse.exe

• Payment Instruction File : @Please_Read_Me@.txt

• Major Characteristics :
       - Offline Encryption
       - Creates Payment Instruction File in 28 languages
       - Changes Desktop Background(C:\Users\%UserName%\Desktop\@WanaDecryptor@.bmp)